PIX problem
LM
      12-26-2003
I've got a PIX515 running code 6.3.3. I set up a PPTP-based VPN
and was able to tunnel in from the (outside) interface just fine
using the w2k built-in PPTP client. However, I have 2 problems
which I hope someone can help explain.

1) I was able to ping a device on the (inside) interface, but not
the PIX's inside interface IP. No syslog message was observed.
"debug icmp trace" showed the icmp request received from outside
and the destination address got translated via a NAT 0 (identity).
Question: is this normal behaviour? Or am I missing some
config?

2) the (outside) interface on the PIX leads to the internet (Note:
I was tunneling in on the (outside) interface). I would've
expected to be able to access the internet (e.g. web browsing) while
tunneled in. Not so... syslog revealed messages that look like
"Deny inbound (No xlate) tcp outside:ip/port dst outside:ip/port".
I understand that since the PIX received the packet on the outside
interface and, based on the destination address, needed to turn
it around and send it back out the same outside interface, it
considered that to be some form of security breach and just dropped
it... but I would've thought that given the packet came from a
tunnel, it should've been considered to be originating from the
inside... is this correct? I must have some misconfiguration. I
know you can do this with other fw/vpn products.

Thanks in advance for all your help.

LM.
Rik Bain
      12-26-2003
On Fri, 26 Dec 2003 08:12:59 -0600, LM wrote:

> I've got a PIX515 running code 6.3.3. I set up a PPTP-based VPN and was
> able to tunnel in from the (outside) interface just fine using the w2k
> built-in PPTP client. However, I have 2 problems which I hope someone
> can help explain.
>
> 1) I was able to ping a device on the (inside) interface, but not
> the PIX's inside interface IP. No syslog message was observed. "debug
> icmp trace" showed the icmp request received from outside and the
> destination address got translated via a NAT 0 (identity). Question:
> is this normal behaviour? Or am I missing some config?
>


normal behavior.


> 2) the (outside) interface on the PIX leads to the internet (Note:
> I was tunneling in on the (outside) interface). I would've expected
> to be able to access the internet (e.g. web browsing) while tunneled
> in. Not so... syslog revealed messages that look like "Deny inbound
> (No xlate) tcp outside:ip/port dst outside:ip/port". I understand
> that since the PIX received the packet on the outside interface and,
> based on the destination address, needed to turn it around and send
> it back out the same outside interface, it considered that to be
> some form of security breach and just dropped it... but I would've
> thought that given the packet came from a tunnel, it should've been
> considered to be originating from the inside... is this correct? I
> must have some misconfiguration. I know you can do this with other
> fw/vpn products.
>


This is default behavior with current pix code. Packets will not be
re-routed out of the interface they arrive on.


> Thanks in advance for all your help.
>
> LM.

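Rik's answer can be confirmed straight from the PIX syslog, and it is worth telling a VPN client's u-turn attempt apart from an ordinary unsolicited inbound connection, because both are logged as "Deny inbound (No xlate)". The script below is an added example, not code from this thread or from Cisco. The sample lines are constructed to imitate PIX 6.x %PIX-3-106011 messages with made-up addresses, and the 10.1.1.0/24 pool assumed for the PPTP clients is an assumption.

```python
"""
Added example (not from the original thread or from Cisco): classify PIX
"Deny inbound (No xlate)" syslog messages so that a VPN client trying to
u-turn back out the outside interface can be told apart from an ordinary
unsolicited inbound connection that the PIX is correctly refusing.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines imitating PIX 6.x %PIX-3-106011 output; addresses are made up.
# 10.1.1.0/24 is assumed to be the address pool handed out to PPTP clients.
SAMPLE_SYSLOG = """\
%PIX-3-106011: Deny inbound (No xlate) tcp src outside:10.1.1.5/1089 dst outside:203.0.113.80/80
%PIX-3-106011: Deny inbound (No xlate) tcp src outside:10.1.1.5/1090 dst outside:203.0.113.80/443
%PIX-3-106011: Deny inbound (No xlate) tcp src outside:198.51.100.7/4433 dst inside:192.168.10.25/25
%PIX-3-106011: Deny inbound (No xlate) udp src outside:10.1.1.6/1025 dst outside:203.0.113.53/53
%PIX-6-302013: Built inbound TCP connection 12 for outside:10.1.1.5/1091 (10.1.1.5/1091) to inside:192.168.10.20/80 (192.168.10.20/80)
"""

VPN_POOL = ip_network("10.1.1.0/24")  # assumption: the PPTP client address pool

# "src" is optional because the message is sometimes quoted without it, as in the thread.
NO_XLATE_RE = re.compile(
    r"Deny inbound \(No xlate\) (?P<proto>\w+) (?:src )?"
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_no_xlate(line):
    """Return the fields of a 106011 message as a dict, or None for any other line."""
    m = NO_XLATE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def classify(rec, pool=VPN_POOL):
    """Label a parsed deny.
    'hairpin'        : a VPN-pool client trying to leave by the interface it arrived on
                       (what LM saw; the PIX drops it by design)
    'same-interface' : a u-turn attempt from an address outside the pool; worth a look
    'inbound'        : outside -> higher-security interface with no xlate; the firewall
                       doing its job against unsolicited traffic
    """
    same_if = rec["src_if"] == rec["dst_if"]
    from_pool = ip_address(rec["src_ip"]) in pool
    if same_if and from_pool:
        return "hairpin"
    if same_if:
        return "same-interface"
    return "inbound"


def triage(lines, pool=VPN_POOL):
    """Parse every line, keep only 106011 denies, and return
    (records each carrying a 'kind' label, Counter of kinds)."""
    records = []
    for line in lines:
        rec = parse_no_xlate(line)
        if rec is None:
            continue
        rec["kind"] = classify(rec, pool)
        records.append(rec)
    return records, Counter(r["kind"] for r in records)


def hairpin_clients(lines, pool=VPN_POOL):
    """Sorted list of VPN-pool addresses whose traffic was dropped as a u-turn."""
    records, _ = triage(lines, pool)
    return sorted({r["src_ip"] for r in records if r["kind"] == "hairpin"})


if __name__ == "__main__":
    recs, counts = triage(SAMPLE_SYSLOG.splitlines())
    for r in recs:
        print(f'{r["kind"]:<14} {r["proto"]} {r["src_if"]}:{r["src_ip"]}/{r["src_port"]}'
              f' -> {r["dst_if"]}:{r["dst_ip"]}/{r["dst_port"]}')
    print(dict(counts))
    print("clients hitting the u-turn drop:", hairpin_clients(SAMPLE_SYSLOG.splitlines()))
```

Run against a real syslog feed, a steady stream of `hairpin` records from pool addresses is the symptom described in this thread (clients whose default route points into the tunnel), whereas `inbound` records are the normal background noise of a firewall on the Internet and `same-interface` records from non-pool sources deserve investigation.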
Kirk Goins
      12-26-2003
I just did a test cfg for PPTP on my pix and what I was looking for
wasn't there, at least via PDM. If you use the Cisco Client there is an
option to "Split Tunnel". What this does is route encrypted traffic via
the VPN and let traffic not bound for those addresses (internet traffic)
bypass the tunnel.

LM wrote:

> 2) the (outside) interface on the PIX leads to the internet (Note:
> I was tunneling in on the (outside) interface). I would've
> expected to be able to access the internet (e.g. web browsing) while
> tunneled in. Not so... syslog revealed messages that look like
> "Deny inbound (No xlate) tcp outside:ip/port dst outside:ip/port".
> I understand that since the PIX received the packet on the outside
> interface and, based on the destination address, needed to turn
> it around and send it back out the same outside interface, it
> considered that to be some form of security breach and just dropped
> it... but I would've thought that given the packet came from a
> tunnel, it should've been considered to be originating from the
> inside... is this correct? I must have some misconfiguration. I
> know you can do this with other fw/vpn products.
>
> Thanks in advance for all your help.
>
> LM.
PES
      12-26-2003

"LM" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I've got a PIX515 running code 6.3.3. I set up a PPTP-based VPN
> and was able to tunnel in from the (outside) interface just fine
> using the w2k built-in PPTP client. However, I have 2 problems
> which I hope someone can help explain.
>
> 1) I was able to ping a device on the (inside) interface, but not
> the PIX's inside interface IP. No syslog message was observed.
> "debug icmp trace" showed the icmp request received from outside
> and the destination address got translated via a NAT 0 (identity).
> Question: is this normal behaviour? Or am I missing some
> config?


by design

> 2) the (outside) interface on the PIX leads to the internet (Note:
> I was tunneling in on the (outside) interface). I would've
> expected to be able to access the internet (e.g. web browsing) while
> tunneled in. Not so... syslog revealed messages that look like
> "Deny inbound (No xlate) tcp outside:ip/port dst outside:ip/port".
> I understand that since the PIX received the packet on the outside
> interface and, based on the destination address, needed to turn
> it around and send it back out the same outside interface, it
> considered that to be some form of security breach and just dropped
> it... but I would've thought that given the packet came from a
> tunnel, it should've been considered to be originating from the
> inside... is this correct? I must have some misconfiguration. I
> know you can do this with other fw/vpn products.


If you do a route print, you will see that the default gateway is the pptp
interface. If you set your pptp dialer to not use it as the default gateway
and then manually add routes into your client using route add statements
from a DOS prompt, all will work. The actual vpn client works differently and
split tunnelling is required.

>
> Thanks in advance for all your help.
>
> LM.

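PES's route-table diagnosis, and the split-tunnel behaviour Kirk describes for the Cisco client, can both be checked with a small script. The following is an added example, not code from this thread, from Microsoft or from Cisco: it parses the "Active Routes" table of Windows `route print` (a constructed sample, addresses made up, 10.1.1.5 standing in for the address the PIX handed the client), reports whether the PPTP adapter has taken over the default route, and produces the `route add` commands for two assumed inside networks, 192.168.10.0/24 and 192.168.20.0/24, so that only those go through the tunnel while everything else stays on the LAN.

```python
"""
Added example (not from the original thread, Microsoft or Cisco): check whether a
Windows PPTP connection has taken over the default route, and build the manual
`route add` commands that send only the inside networks through the tunnel.
"""
import re
from ipaddress import IPv4Network

# Constructed sample imitating the "Active Routes" table of Windows 2000 `route print`
# after dialling a PPTP connection with "Use default gateway on remote network" ticked.
# 10.1.1.5 is the address the PIX handed the client; all other addresses are made up.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1   192.168.1.50       2
          0.0.0.0          0.0.0.0        10.1.1.5       10.1.1.5       1
         10.1.1.5  255.255.255.255       127.0.0.1      127.0.0.1       1
        127.0.0.0        255.0.0.0       127.0.0.1      127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.50   192.168.1.50       1
     192.168.1.50  255.255.255.255       127.0.0.1      127.0.0.1       1
     203.0.113.10  255.255.255.255     192.168.1.1   192.168.1.50       1
Default Gateway:          10.1.1.5
"""

# Constructed sample of the same client after unticking the default-gateway option
# and adding routes for the two assumed inside networks via the PPTP adapter.
AFTER_FIX_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1   192.168.1.50       1
         10.1.1.5  255.255.255.255       127.0.0.1      127.0.0.1       1
     192.168.10.0    255.255.255.0        10.1.1.5       10.1.1.5       1
     192.168.20.0    255.255.255.0        10.1.1.5       10.1.1.5       1
      192.168.1.0    255.255.255.0    192.168.1.50   192.168.1.50       1
     203.0.113.10  255.255.255.255     192.168.1.1   192.168.1.50       1
Default Gateway:       192.168.1.1
"""

ROUTE_RE = re.compile(
    r"^\s*(?P<dest>[\d.]+)\s+(?P<mask>[\d.]+)\s+(?P<gw>[\d.]+)\s+(?P<iface>[\d.]+)\s+(?P<metric>\d+)\s*$"
)


def parse_routes(text):
    """Return the route entries as a list of dicts; header and footer lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["metric"] = int(rec["metric"])
            routes.append(rec)
    return routes


def default_route(routes):
    """The 0.0.0.0/0 entry Windows will actually use: lowest metric wins."""
    candidates = [r for r in routes if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    return min(candidates, key=lambda r: r["metric"]) if candidates else None


def point_to_point_default(routes):
    """Interface address of a default route whose gateway is the interface itself,
    which is how Windows lists a PPP/PPTP adapter; None if there is no such route."""
    for r in routes:
        if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0" and r["gw"] == r["iface"]:
            return r["iface"]
    return None


def tunnel_owns_default(routes, pptp_ip):
    """True when the PPTP adapter holds the active default route, i.e. every packet
    not matching a more specific route (all Internet traffic) enters the tunnel and
    arrives at the PIX's outside interface asking to be sent back out of it."""
    d = default_route(routes)
    return d is not None and d["iface"] == pptp_ip


def split_tunnel_commands(inside_nets, pptp_ip):
    """`route add` lines that send only the inside networks through the PPTP adapter.
    On a Windows PPP link the gateway argument is the adapter's own address."""
    cmds = []
    for net in inside_nets:
        n = IPv4Network(net)
        cmds.append(f"route add {n.network_address} mask {n.netmask} {pptp_ip}")
    return cmds


if __name__ == "__main__":
    before = parse_routes(SAMPLE_ROUTE_PRINT)
    pptp = point_to_point_default(before)
    print("PPTP adapter owns default route:", tunnel_owns_default(before, pptp))
    for cmd in split_tunnel_commands(["192.168.10.0/24", "192.168.20.0/24"], pptp):
        print(cmd)
    after = parse_routes(AFTER_FIX_ROUTE_PRINT)
    print("after fix, default route via:", default_route(after)["gw"])
```

The commands it prints are what PES is describing: with "Use default gateway on remote network" unticked, the PPTP link no longer installs a 0.0.0.0 route, web traffic leaves by the LAN gateway, and only the listed inside networks are carried through the tunnel. This is the same end state the Cisco client reaches with split tunnelling, except that the PIX hands the client the route list instead of the user typing it.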
LM
      12-28-2003
Thanks for all your help.