Solved

PIX 506E as VPN endpoint only

Posted on 2004-08-18
4
294 Views
Last Modified: 2013-11-16
I am a PIX 506E that I wish to use to connect a main office to a branch office.  I have set up the VPN connection, but now I want to make sure that all non-local branch office comes back to the main office.  That is, I do not want systems on the branch office network to be able to access the internet via the PIX.

Since I cannot delete the implicit access rule that allows traffic to flow from the inside to outside interfaces, what is the easiest way to prevent traffic from going from the branch office network out to the internet?

My branch office is a 192.168.x.x network, so I was thinking that if I did not define any translation rules, there would be nothing to NAT/PAT traffic.  Without NAT/PAT, my private addresses would not route on the internet routers.

However, I'm thinking there must be a more elegant way to prevent this traffic flow.
0
Comment
Question by:sloth10k
  • 2
4 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11834498
Hi sloth10k,
Firstly there is a limitation in the PIX where traffic cannot come in and then go out of the same interface again. This means that if traffic comes in via a VPN it cannot go back out to the internet again via the same PIX. This effectivly solves your problem.

In addition you can configure a split-tunnel at the main office so that all traffic to its local machines is sent across the VPN. Any traffic to other IP addresses will just be sent onto the Internet normally by the PIX at the branch office.
0
 

Author Comment

by:sloth10k
ID: 11834552
I am not concerned about traffic coming from the main office via VPN, then going out to the internet at the branch office PIX.  I do not want the branch office traffic going out of its PIX.  In other words, if a branch office system wants to hit www.microsoft.com, I want that to be routed through the VPN to the main office.  So the branch office connection will no offer any internet services to branch office users - the only traffic going out the outside interface of the PIX will be VPN traffic, being tunneled back to the main office.

In essence, I'm hamstringing the branch office internet connection, because all traffic should go back through the main office.

I hope this makes sense...
0
 
LVL 36

Accepted Solution

by:
grblades earned 250 total points
ID: 11834674
Well if you are forcing all users to get internet access via the head office then you will have to have a proxy server at the main office otherwise it wont work because you will have traffic coming in via the VPN trying to go back out the same interface.
So all computers at the remote office have to have the proxy server configured on them.
Then all you need to do at the remote office is configure an access list on the internal interface so the only traffic which is permitted out is to the IP address range used at the main office.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11835827
> I am a PIX 506E...

Dude - you've been assimilated !!! ;)




0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question