Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
248
Views
0
Helpful
3
Replies

Problems with PIX in parallel to VPN concentrator

j.chasser
Level 1
Level 1

‎02-19-2004 05:16 PM - edited ‎02-21-2020 01:02 PM

We had trouble at an account that recently installed a concentrator to terminate remote users via IPSEC tunnels. No problem there. Problem was all users default gateway points to the trusted interface of the PIX. Inbound users once authenticated and placed on the LAN were directed to the PIX by the servers that they needed (email) instead of the path via the concentrator. PIX cannot have a static route on trusted interface, nor do ICMP redirects. Has anyone run into this, or have any workable configs?

I am wondering if a layer 3 switch is needed to sit behind the PIX and the VPN concentrator.

Labels:
0 Helpful
3 Replies 3

scoclayton
Level 7
Level 7

‎02-20-2004 05:58 AM

Rather common problem that we see. Yes, the PIX will not redirect packets back out the same interface where they were received. The work-arounds for this are to either add a layer 3 device inside the PIX and concentrator and change the default gateway on the internal LAN to this device. This new device would be responsible for making the routing decision of where to send the packet next. I have seen people do this with a single interface 2500. Obviously, an L3 switch would be better but you are not limited here.

One other option (if you have a PIX with multiple interfaces) is to hang the concentrator off of a DMZ interface on the PIX. This way, the PIX would not need to redirect the packets to the concentrator but could rather route them to the appropriate interface. Sorry for the problems but this is a design flaw that a lot of people make.

Scott

0 Helpful

j.chasser
Level 1
Level 1
In response to scoclayton

‎02-20-2004 06:35 AM

One last question. Can the IP address pool be unique, or does it need to be of the same subnet as the LAN?

0 Helpful

scoclayton
Level 7
Level 7
In response to j.chasser

‎02-20-2004 07:08 AM

We actually recommend that it be unique as opposed to a subset of the subnet addressing. This helps to prevent some avoidable ARP issues. But if necessary, both options will work.

Scott

0 Helpful
Customers Also Viewed These Support Documents