Solved

PIX 506E as VPN endpoint only

Posted on 2004-08-18
4
296 Views
Last Modified: 2013-11-16
I am a PIX 506E that I wish to use to connect a main office to a branch office.  I have set up the VPN connection, but now I want to make sure that all non-local branch office comes back to the main office.  That is, I do not want systems on the branch office network to be able to access the internet via the PIX.

Since I cannot delete the implicit access rule that allows traffic to flow from the inside to outside interfaces, what is the easiest way to prevent traffic from going from the branch office network out to the internet?

My branch office is a 192.168.x.x network, so I was thinking that if I did not define any translation rules, there would be nothing to NAT/PAT traffic.  Without NAT/PAT, my private addresses would not route on the internet routers.

However, I'm thinking there must be a more elegant way to prevent this traffic flow.
0
Comment
Question by:sloth10k
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11834498
Hi sloth10k,
Firstly there is a limitation in the PIX where traffic cannot come in and then go out of the same interface again. This means that if traffic comes in via a VPN it cannot go back out to the internet again via the same PIX. This effectivly solves your problem.

In addition you can configure a split-tunnel at the main office so that all traffic to its local machines is sent across the VPN. Any traffic to other IP addresses will just be sent onto the Internet normally by the PIX at the branch office.
0
 

Author Comment

by:sloth10k
ID: 11834552
I am not concerned about traffic coming from the main office via VPN, then going out to the internet at the branch office PIX.  I do not want the branch office traffic going out of its PIX.  In other words, if a branch office system wants to hit www.microsoft.com, I want that to be routed through the VPN to the main office.  So the branch office connection will no offer any internet services to branch office users - the only traffic going out the outside interface of the PIX will be VPN traffic, being tunneled back to the main office.

In essence, I'm hamstringing the branch office internet connection, because all traffic should go back through the main office.

I hope this makes sense...
0
 
LVL 36

Accepted Solution

by:
grblades earned 250 total points
ID: 11834674
Well if you are forcing all users to get internet access via the head office then you will have to have a proxy server at the main office otherwise it wont work because you will have traffic coming in via the VPN trying to go back out the same interface.
So all computers at the remote office have to have the proxy server configured on them.
Then all you need to do at the remote office is configure an access list on the internal interface so the only traffic which is permitted out is to the IP address range used at the main office.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11835827
> I am a PIX 506E...

Dude - you've been assimilated !!! ;)




0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question