Maximum number of secured routes?

azore2007
Level 1

Hello

Does anyone know if there is a limit on the number of secured routes that you can give a VPN client?

I'm testing my lab PIX 515E running 6.3.3 with new VPN profiles/ACLs and encountered this problem.

I have created an object-group (network) for the secured routes that I want to give the user:

object-group network new_vpn_ip_ranges
  description internal_network_ip_ranges
  network-object 192.168.2.0 255.255.255.0
  network-object 192.168.14.0 255.255.255.0
  network-object 192.168.15.0 255.255.255.0
  network-object 192.168.16.0 255.255.255.0
  network-object 192.168.17.0 255.255.255.0
  network-object 192.168.19.0 255.255.255.0
  network-object 192.168.20.0 255.255.255.0
  network-object 192.168.21.0 255.255.255.0
  network-object 192.168.25.0 255.255.255.0

Then I created a new object-group for the VPN IP pools that I wanted the internal network to be able to access:

object-group network new_vpn_ip_pools
  description internal_vpn_pools
  network-object 192.168.34.0 255.255.255.0
  network-object 192.168.35.0 255.255.255.0
  network-object 192.168.35.0 255.255.255.0
  network-object 192.168.36.0 255.255.255.0
  network-object 192.168.37.0 255.255.255.0
  network-object 192.168.40.0 255.255.255.0
  network-object 192.168.41.0 255.255.255.0
  network-object 192.168.42.0 255.255.255.0
  network-object 192.168.43.0 255.255.255.0
  network-object 192.168.64.0 255.255.255.0
  network-object 192.168.65.0 255.255.255.0
  network-object 192.168.69.0 255.255.255.0

Then I created the ACL for this to work:

access-list testingnewvpn permit ip object-group new_vpn_ip_ranges object-group new_vpn_ip_pools

If I then check "secure routes" in the VPN client, it only gives me the 192.168.2.0, 192.168.14.0, 192.168.15.0, 192.168.16.0 and 192.168.17.0 networks and skips the rest. There are about 14 secure-route entries for each ACL rule.

Like:

192.168.2.0 255.255.255.0
192.168.2.0 255.255.255.0
192.168.2.0 255.255.255.0
(and so on, 14 times for each ACL rule)

Am I doing this wrong?

If I just use this ACL instead, it works perfectly:

access-list testingnewvpn permit ip object-group new_vpn_ip_ranges 192.168.32.0 255.255.255.0

Thank you
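
What the PIX does with an object-group ACE like the one above, modelled in Python as an added example (this is not code from the thread or from Cisco): `permit ip object-group A object-group B` is expanded into every source/destination pair, and, following the poster's observation that 192.168.2.0 appears over and over, each expanded entry is assumed to contribute its source network to the client's secure-routes list, so every protected network repeats once per destination. The network lists are the ones posted in the question, duplicate 192.168.35.0 entry included; whether the PIX itself keeps that duplicate is not stated in the thread, so the exact count may differ from the device by one per source. The script also shows how a single-destination ACE, like the poster's second ACL, yields exactly one route per protected network, and how far the pool list could be summarised into covering prefixes.

```python
"""Expand a PIX/ASA object-group ACE into its individual ACEs and derive the
split-tunnel route list a VPN client would receive from it.

Added example, not from the thread.  Assumption (modelled from the poster's
description, not from Cisco documentation): the client receives the source
network of every expanded ACE, so sources repeat once per destination.
"""
from ipaddress import IPv4Network, collapse_addresses
from itertools import product


def nets(cidrs):
    """Parse a list of CIDR strings into IPv4Network objects."""
    return [IPv4Network(c) for c in cidrs]


# object-group new_vpn_ip_ranges (protected/internal networks) as posted.
INTERNAL_RANGES = nets([
    "192.168.2.0/24", "192.168.14.0/24", "192.168.15.0/24", "192.168.16.0/24",
    "192.168.17.0/24", "192.168.19.0/24", "192.168.20.0/24", "192.168.21.0/24",
    "192.168.25.0/24",
])

# object-group new_vpn_ip_pools as posted, duplicate 192.168.35.0 kept on purpose.
VPN_POOLS_AS_POSTED = nets([
    "192.168.34.0/24", "192.168.35.0/24", "192.168.35.0/24", "192.168.36.0/24",
    "192.168.37.0/24", "192.168.40.0/24", "192.168.41.0/24", "192.168.42.0/24",
    "192.168.43.0/24", "192.168.64.0/24", "192.168.65.0/24", "192.168.69.0/24",
])


def to_mask(net):
    """Render a network the way the PIX and the VPN client show it: 'addr mask'."""
    return f"{net.network_address} {net.netmask}"


def expand_ace(src_group, dst_group):
    """One 'permit ip object-group A object-group B' line becomes the full
    cross product of source x destination pairs, one ACE per pair (this is
    what 'show access-list' lists as the expanded entries)."""
    return [(s, d) for s, d in product(src_group, dst_group)]


def split_tunnel_routes(aces):
    """Secure-routes list under the stated assumption: the source (protected)
    network of every expanded ACE, in order, duplicates included."""
    return [to_mask(s) for s, _ in aces]


def unique_routes(aces):
    """Distinct protected networks: all the client's route table actually needs."""
    seen = []
    for s, _ in aces:
        if s not in seen:
            seen.append(s)
    return [to_mask(s) for s in seen]


def summarize(networks):
    """Collapse a network list into the fewest covering prefixes, to see how
    much shorter the destination side of the ACE could be."""
    return [str(n) for n in collapse_addresses(networks)]


if __name__ == "__main__":
    aces = expand_ace(INTERNAL_RANGES, VPN_POOLS_AS_POSTED)
    routes = split_tunnel_routes(aces)
    print(f"{len(aces)} expanded ACEs -> {len(routes)} secure-route entries, "
          f"only {len(unique_routes(aces))} distinct networks")
    for r in routes[:3]:
        print("  ", r)
    print("Pools summarised:", summarize(VPN_POOLS_AS_POSTED))
    single = expand_ace(INTERNAL_RANGES, nets(["192.168.32.0/24"]))
    print(f"single destination: {len(split_tunnel_routes(single))} entries")
```

The check worth making before attaching a list to a split-tunnel policy is the expanded ACE count, not the number of lines in the object-groups. The destination side of each ACE never appears in the client's route table, so that is the side to shrink: summarise the pools into covering prefixes, or, since split tunneling only needs the protected networks, write the ACL with the protected network as source and `any` as destination, which gives one entry per network as the poster's second ACL does.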

1 Reply

carenas123
Level 5

Many network attacks rely on an attacker who falsifies, or spoofs, the source addresses of IP datagrams. Some attacks rely on spoofing to work at all, and other attacks are much harder to trace if the attacker can use the address of someone else instead of his or her own. Therefore, it is valuable for network administrators to prevent spoofing wherever feasible.
