
Routing through VPNs and routing VPN Clients

rbirkin
Level 1

Hi

We currently have two firewalls, one (FW1) for controlling network access and VPN clients, another (FW2) solely used to maintain a VPN tunnel to a remote network. All clients currently have a default gateway of FW1.

How would we go about getting FW1 to route packets destined for the remote network via the VPN on FW2?

We could add persistent routes on all workstations but this would be a messy solution. We would also like to allow VPN 3.5 clients (coming in on FW1) to do the same.

FW1 already has a route added to the remote network (the gateway being FW2's inside interface) and can ping hosts the other side of the VPN.

e.g.:

FW1 inside 172.17.0.1/16 - (VPN Clients coming in on 172.17.30.0)

FW2 Inside 172.17.0.100/16 <-------vpn------> 10.100.0.0

Any help much appreciated.

2 Replies

jfrahim
Level 5

Hi there,

Unfortunately, the PIX firewall does not do IP redirects. So if FW1 gets a packet destined for the 10.100.0.0 subnet, it will not redirect the packet to FW2. Your alternatives:

1) Put a router on the inside subnet, and assign it as the default gateway for the PCs. Add a route on the router for 10.100.0.0 pointing to FW2, and also add a default route on it pointing to FW1.

2) Add static routes on all the workstations for 10.100.0.0 and point them to FW2.

3) Replace the PIX with some other VPN device that supports IP redirects (like an IOS router, VPN concentrator, etc.).

Jazib

Thanks Jazib.

I take it point three is in reference to my question about getting VPN clients coming in on FW1 access to the remote subnet through the VPN on FW2?

Cheers

Rowley