Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

PIX 506E as VPN endpoint only

Posted on 2004-08-18
4
Medium Priority
?
298 Views
Last Modified: 2013-11-16
I am a PIX 506E that I wish to use to connect a main office to a branch office.  I have set up the VPN connection, but now I want to make sure that all non-local branch office comes back to the main office.  That is, I do not want systems on the branch office network to be able to access the internet via the PIX.

Since I cannot delete the implicit access rule that allows traffic to flow from the inside to outside interfaces, what is the easiest way to prevent traffic from going from the branch office network out to the internet?

My branch office is a 192.168.x.x network, so I was thinking that if I did not define any translation rules, there would be nothing to NAT/PAT traffic.  Without NAT/PAT, my private addresses would not route on the internet routers.

However, I'm thinking there must be a more elegant way to prevent this traffic flow.
0
Comment
Question by:sloth10k
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11834498
Hi sloth10k,
Firstly there is a limitation in the PIX where traffic cannot come in and then go out of the same interface again. This means that if traffic comes in via a VPN it cannot go back out to the internet again via the same PIX. This effectivly solves your problem.

In addition you can configure a split-tunnel at the main office so that all traffic to its local machines is sent across the VPN. Any traffic to other IP addresses will just be sent onto the Internet normally by the PIX at the branch office.
0
 

Author Comment

by:sloth10k
ID: 11834552
I am not concerned about traffic coming from the main office via VPN, then going out to the internet at the branch office PIX.  I do not want the branch office traffic going out of its PIX.  In other words, if a branch office system wants to hit www.microsoft.com, I want that to be routed through the VPN to the main office.  So the branch office connection will no offer any internet services to branch office users - the only traffic going out the outside interface of the PIX will be VPN traffic, being tunneled back to the main office.

In essence, I'm hamstringing the branch office internet connection, because all traffic should go back through the main office.

I hope this makes sense...
0
 
LVL 36

Accepted Solution

by:
grblades earned 1000 total points
ID: 11834674
Well if you are forcing all users to get internet access via the head office then you will have to have a proxy server at the main office otherwise it wont work because you will have traffic coming in via the VPN trying to go back out the same interface.
So all computers at the remote office have to have the proxy server configured on them.
Then all you need to do at the remote office is configure an access list on the internal interface so the only traffic which is permitted out is to the IP address range used at the main office.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11835827
> I am a PIX 506E...

Dude - you've been assimilated !!! ;)




0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question