Solved

PIX 506E as VPN endpoint only

Posted on 2004-08-18
4
291 Views
Last Modified: 2013-11-16
I am a PIX 506E that I wish to use to connect a main office to a branch office.  I have set up the VPN connection, but now I want to make sure that all non-local branch office comes back to the main office.  That is, I do not want systems on the branch office network to be able to access the internet via the PIX.

Since I cannot delete the implicit access rule that allows traffic to flow from the inside to outside interfaces, what is the easiest way to prevent traffic from going from the branch office network out to the internet?

My branch office is a 192.168.x.x network, so I was thinking that if I did not define any translation rules, there would be nothing to NAT/PAT traffic.  Without NAT/PAT, my private addresses would not route on the internet routers.

However, I'm thinking there must be a more elegant way to prevent this traffic flow.
0
Comment
Question by:sloth10k
  • 2
4 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11834498
Hi sloth10k,
Firstly there is a limitation in the PIX where traffic cannot come in and then go out of the same interface again. This means that if traffic comes in via a VPN it cannot go back out to the internet again via the same PIX. This effectivly solves your problem.

In addition you can configure a split-tunnel at the main office so that all traffic to its local machines is sent across the VPN. Any traffic to other IP addresses will just be sent onto the Internet normally by the PIX at the branch office.
0
 

Author Comment

by:sloth10k
ID: 11834552
I am not concerned about traffic coming from the main office via VPN, then going out to the internet at the branch office PIX.  I do not want the branch office traffic going out of its PIX.  In other words, if a branch office system wants to hit www.microsoft.com, I want that to be routed through the VPN to the main office.  So the branch office connection will no offer any internet services to branch office users - the only traffic going out the outside interface of the PIX will be VPN traffic, being tunneled back to the main office.

In essence, I'm hamstringing the branch office internet connection, because all traffic should go back through the main office.

I hope this makes sense...
0
 
LVL 36

Accepted Solution

by:
grblades earned 250 total points
ID: 11834674
Well if you are forcing all users to get internet access via the head office then you will have to have a proxy server at the main office otherwise it wont work because you will have traffic coming in via the VPN trying to go back out the same interface.
So all computers at the remote office have to have the proxy server configured on them.
Then all you need to do at the remote office is configure an access list on the internal interface so the only traffic which is permitted out is to the IP address range used at the main office.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11835827
> I am a PIX 506E...

Dude - you've been assimilated !!! ;)




0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

When I upgraded my ASA 8.2 to 8.3, I realized that my nonat statement was failing!   The log showed the following error:     %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows It was caused by the config upgrade, because t…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now