• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 300
  • Last Modified:

PIX 506E as VPN endpoint only

I am a PIX 506E that I wish to use to connect a main office to a branch office.  I have set up the VPN connection, but now I want to make sure that all non-local branch office comes back to the main office.  That is, I do not want systems on the branch office network to be able to access the internet via the PIX.

Since I cannot delete the implicit access rule that allows traffic to flow from the inside to outside interfaces, what is the easiest way to prevent traffic from going from the branch office network out to the internet?

My branch office is a 192.168.x.x network, so I was thinking that if I did not define any translation rules, there would be nothing to NAT/PAT traffic.  Without NAT/PAT, my private addresses would not route on the internet routers.

However, I'm thinking there must be a more elegant way to prevent this traffic flow.
0
sloth10k
Asked:
sloth10k
  • 2
1 Solution
 
grbladesCommented:
Hi sloth10k,
Firstly there is a limitation in the PIX where traffic cannot come in and then go out of the same interface again. This means that if traffic comes in via a VPN it cannot go back out to the internet again via the same PIX. This effectivly solves your problem.

In addition you can configure a split-tunnel at the main office so that all traffic to its local machines is sent across the VPN. Any traffic to other IP addresses will just be sent onto the Internet normally by the PIX at the branch office.
0
 
sloth10kAuthor Commented:
I am not concerned about traffic coming from the main office via VPN, then going out to the internet at the branch office PIX.  I do not want the branch office traffic going out of its PIX.  In other words, if a branch office system wants to hit www.microsoft.com, I want that to be routed through the VPN to the main office.  So the branch office connection will no offer any internet services to branch office users - the only traffic going out the outside interface of the PIX will be VPN traffic, being tunneled back to the main office.

In essence, I'm hamstringing the branch office internet connection, because all traffic should go back through the main office.

I hope this makes sense...
0
 
grbladesCommented:
Well if you are forcing all users to get internet access via the head office then you will have to have a proxy server at the main office otherwise it wont work because you will have traffic coming in via the VPN trying to go back out the same interface.
So all computers at the remote office have to have the proxy server configured on them.
Then all you need to do at the remote office is configure an access list on the internal interface so the only traffic which is permitted out is to the IP address range used at the main office.
0
 
Tim HolmanCommented:
> I am a PIX 506E...

Dude - you've been assimilated !!! ;)




0

Featured Post

Turn Raw Data into a Real Career

There’s a growing demand for qualified analysts who can make sense of Big Data. With an MS in Data Analytics, you can become the data mining, management, mapping, and munging expert that today’s leading corporations desperately need.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now