How to force network traffic through PIX VPN

We have a client with three PIX 501's in remote sites, coming into a 515 at the HQ.  Because of web filtering, we'd like to force all the remote traffic to go through the VPN to the 515, and be serviced at HQ.  According to what we've been told at Cisco, this can't be done without putting a router at each endpoint.  With WatchGuards, this would be no problem, so it's rather hard to believe that Cisco can't accomplish the same thing.  Any ideas?
1 Solution
 
lrmoore Commented:
>Any ideas?
Yes. Use a proxy server at HQ and all remote clients be configured to use this proxy for all protocols.

The issue is the design of the PIX. It will not redirect a packet back out the same interface it came in on.
Tunneled traffic comes in the outside interface from the remote site. If the destination is google.com, then the packet would have to be unencrypted, then turned around and sent in clear back out the outside interface, to google, back in the outside interface, encrypted and turned back around through the outside interface back through the VPN tunnel. The PIX simply is not designed to perform these functions. These are advanced routing functions and the PIX is a world-class firewall, it is not a router.
0
 
lrmoore Commented:
UPDATE:
Cisco PIX 7.0(1) adds new functionality....

Enhanced Spoke-to-Spoke VPN Support
Version 7.0(1) improves support for spoke-to-spoke (and client-to-client) VPN communications, by providing the ability for encrypted traffic to enter and leave the same interface. Furthermore, remote access connections can now be terminated on the outside interface of the security appliance, allowing Internet-destined traffic from remote access user VPN tunnels to leave on the same interface as it arrived (after firewall rules have been applied).

0
 
VMarcus Commented:
In addition to what lrmoore stated:
A Cisco PIX (older than 7.x) wants traffic to go from inside to outside or vice versa. If you try to go through a VPN tunnel, you end up on the outside interface of the 515, wanting to go through the outside interface again. This will not work.

About version 7.x:
I tried some upgrades already, but they don't work perfectly for upgrades, because of changed functionality, so if you have an already working PIX, create a new config on a test machine.
0
 
Chuck Brown (Author) Commented:
for lrmoore: my understanding was that the 7.0(1) version didn't apply/wouldn't work on 501's; is this incorrect info?

Thanks
0
 
lrmoore Commented:
>my understanding was that the 7.0(1) version didn't apply/wouldn't work on 501's; is this incorrect info?
Correct. Not even on the 506e, and most 515's need a memory upgrade to use it...
But, you should only need it on the central 515, not on the 501's to take advantage of this functionality..
0
 
Chuck Brown (Author) Commented:
So the problem isn't that the 501's don't know how to route the traffic to the right place, it's that the 515's don't know how to get it back where it belongs?
0
 
lrmoore Commented:
> it's that the 515's don't know how to get it back where it belongs?
Not that it doesn't know HOW to get it back; it CAN'T send it back because of the rule of not sending packets back out the same interface it came in on... that rule gets changed in 7.0
0
 
Chuck Brown (Author) Commented:
Ok; so there is a way to tell the 501s that their 'default gateway' per se is the VPN tunnel?
0
 
lrmoore Commented:
Yes. Simply encrypt ALL traffic.
The acl to define the VPN traffic =
 access-list Define_VPN permit ip <local subnet> <mask> any

The crypto map "match address" = Define_VPN
 crypto map set peer a.b.c.d  <== this is the route that "all" traffic takes

0
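Added example (not lrmoore's text and not a Cisco-published configuration): a minimal PIX 6.x configuration for one of the remote 501s that implements the "encrypt ALL traffic" answer above, followed by the few 7.0(1) lines the HQ 515 needs so that it can turn the decrypted traffic back out its own outside interface, which is the limitation described in lrmoore's first two posts. Only the ACL name Define_VPN and the peer placeholder a.b.c.d come from the thread; the 192.168.10.0/24 branch LAN, the 203.0.113.1 ISP gateway, the names HQ_MAP, HQ_SET and Remote_Site1, and the pre-shared key are constructed placeholders, and the fragment has not been applied to real hardware.

```cisco
! ---- Remote-site PIX 501, PIX 6.x syntax (addresses are constructed placeholders) ----
! "Interesting" traffic is EVERYTHING sourced from the branch LAN, so the tunnel
! becomes the branch's effective default gateway.
access-list Define_VPN permit ip 192.168.10.0 255.255.255.0 any

! Do not NAT tunneled traffic: HQ will translate it before it reaches the Internet.
nat (inside) 0 access-list Define_VPN

! Phase 1 (ISAKMP) to the HQ 515 at a.b.c.d (placeholder kept from the thread).
isakmp enable outside
isakmp key <PRE-SHARED-KEY> address a.b.c.d netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2 (IPsec): the crypto map ties Define_VPN to the HQ peer.
crypto ipsec transform-set HQ_SET esp-3des esp-sha-hmac
crypto map HQ_MAP 10 ipsec-isakmp
crypto map HQ_MAP 10 match address Define_VPN
crypto map HQ_MAP 10 set peer a.b.c.d
crypto map HQ_MAP 10 set transform-set HQ_SET
crypto map HQ_MAP interface outside
! Let decrypted tunnel traffic bypass the outside interface ACL (6.x command).
sysopt connection permit-ipsec

! The default route still points at the ISP, but after encryption the only
! packets that actually use it are ISAKMP/ESP to a.b.c.d.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! ---- HQ PIX 515 running 7.0(1): only the lines that differ from a mirror of the above ----
! Mirror ACL: anything destined for the branch LAN goes back through the tunnel.
access-list Remote_Site1 extended permit ip any 192.168.10.0 255.255.255.0

! This is the 7.0 change lrmoore refers to: allow traffic that arrived on the
! outside interface (decrypted from the tunnel) to leave the same interface.
same-security-traffic permit intra-interface

! Translate the branch LAN to the 515's outside address when it exits to the Internet,
! so replies from the Internet come back to HQ and are re-encrypted into the tunnel.
nat (outside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
```

Two things follow from matching `any` in Define_VPN. First, the branch has no Internet path at all while the tunnel is down, which is the fail-closed behaviour the filtering requirement wants but should be understood before rollout. Second, every branch flow now appears at HQ with the branch's private source address, so the HQ outside-interface NAT above (or an equivalent policy) is required, and any web-filtering or egress rules at HQ must include 192.168.10.0/24 as a source.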
