PIX problem

Discussion in 'Cisco' started by LM, Dec 26, 2003.

  1. LM

    LM Guest

    I've got a PIX515 running code 6.3.3. I set up a PPTP-based VPN
    and was able to tunnel in from the (outside) interface just fine
    using the w2k built-in PPTP client. However, I have 2 problems
    which I hope someone can help explain.

    1) I was able to ping a device on the (inside) interface, but not
    the PIX's inside interface IP. No syslog message was observed.
    "debug icmp trace" showed the icmp request received from outside
    and the destination address got translated via a NAT 0 (identity).
    Question: is this normal behaviour, or am I missing some
    config?

    2) the (outside) interface on the PIX leads to the internet (Note:
    I was tunneling in on the (outside) interface). I would've
    expected to be able to access the internet (eg. web browsing) while
    tunneled in. Not so... syslog revealed messages that look like
    "Deny inbound (No xlate) tcp outside:ip/port dst outside:ip/port".
    I understand that since the PIX received the packet on the outside
    interface and, based on the destination address, it needed to turn
    it around and send it back out the same outside interface, it
    considered that to be some form of security breach and just dropped
    it... but I would've thought that given the packet came from a
    tunnel, it should've been considered to be originating from the
    inside... is this correct? I must have some mis-configuration. I
    know you can do this with other fw/vpn products.

    Thanks in advance for all your help.

    LM.
    LM, Dec 26, 2003
    #1

  2. LM

    Rik Bain Guest

    On Fri, 26 Dec 2003 08:12:59 -0600, LM wrote:

    > I've got a PIX515 running code 6.3.3. I set up PPTP-based VPN and was
    > able to tunnel in from (outside) interface just fine using w2k built-in
    > PPTP client. however, I have 2 problems which I hope someone can help
    > explain.
    >
    > 1) I was able to ping a device on the (inside) interface, but not
    > the PIX's inside interface IP. No syslog message was observed. "debug
    > icmp trace" showed icmp request received from outside and destination
    > address got translated via a NAT 0 (identity). Question: is this
    > normal behaviour? or I am missing some config?
    >


    normal behavior.


    > 2) the (outside) interface on the PIX leads to the internet (Note:
    > I was tunneling in on the (outside) interface). I would've expected
    > to be able to access the internet (eg. web browsing) while tunneled in.
    > Not so... syslog revealed messages that look like "Deny inbound (No
    > xlate) tcp outside:ip/port dst outside:ip/port". I understand that
    > while the PIX received the packet on the outside interface and based
    > on the destination address, it needed to turn it around and send it
    > back out the same outside interface, it considered that to be some
    > form of security breach and just dropped it.. but I would've thought
    > that given the packet came from a tunnel, it should've been
    > considered to be originating from the inside.. is this correct? I
    > must have some mis-configuration. I know you can do this with other
    > fw/vpn products.
    >


    This is default behavior with current pix code. Packets will not be
    re-routed out of the interface they arrive on.


    > Thanks in advance for all your help.
    >
    > LM.
    Rik Bain, Dec 26, 2003
    #2

  3. LM

    Kirk Goins Guest

    I just did a test cfg for PPTP on my pix and what I was looking for
    wasn't there, at least via PDM. If you use the Cisco Client there is an
    option to "Split Tunnel". What this does is route encrypted traffic via
    the VPN and have traffic not bound for those addresses (internet traffic)
    not use the tunnel.

    LM wrote:

    > 2) the (outside) interface on the PIX leads to the internet (Note:
    > I was tunneling in on the (outside) interface). I would've
    > expected to be able to access the internet (eg. web browsing) while
    > tunneled in. Not so... syslog revealed messages that look like
    > "Deny inbound (No xlate) tcp outside:ip/port dst outside:ip/port".
    > I understand that while the PIX received the packet on the outside
    > interface and based on the destination address, it needed to turn
    > it around and send it back out the same outside interface, it
    > considered that to be some form of security breach and just dropped
    > it.. but I would've thought that given the packet came from a
    > tunnel, it should've been considered to be originating from the
    > inside.. is this correct? I must have some mis-configuration. I
    > know you can do this with other fw/vpn products.
    >
    > Thanks in advance for all your help.
    >
    > LM.
    Kirk Goins, Dec 26, 2003
    #3
  4. LM

    PES Guest

    "LM" <> wrote in message
    news:...
    > I've got a PIX515 running code 6.3.3. I set up PPTP-based VPN
    > and was able to tunnel in from (outside) interface just fine
    > using w2k built-in PPTP client. however, I have 2 problems
    > which I hope someone can help explain.
    >
    > 1) I was able to ping a device on the (inside) interface, but not
    > the PIX's inside interface IP. No syslog message was observed.
    > "debug icmp trace" showed icmp request received from outside
    > and destination address got translated via a NAT 0 (identity).
    > Question: is this normal behaviour? or I am missing some
    > config?


    by design

    > 2) the (outside) interface on the PIX leads to the internet (Note:
    > I was tunneling in on the (outside) interface). I would've
    > expected to be able to access the internet (eg. web browsing) while
    > tunneled in. Not so... syslog revealed messages that look like
    > "Deny inbound (No xlate) tcp outside:ip/port dst outside:ip/port".
    > I understand that while the PIX received the packet on the outside
    > interface and based on the destination address, it needed to turn
    > it around and send it back out the same outside interface, it
    > considered that to be some form of security breach and just dropped
    > it.. but I would've thought that given the packet came from a
    > tunnel, it should've been considered to be originating from the
    > inside.. is this correct? I must have some mis-configuration. I
    > know you can do this with other fw/vpn products.


    If you do a route print, you will see that the default gateway is the pptp
    interface. If you set your pptp dialer to not use it as the default gateway
    and then manually add routes into your client using route add statements
    from the dos prompt, all will work. The actual vpn client works differently and
    split tunnelling is required.

    >
    > Thanks in advance for all your help.
    >
    > LM.
    PES, Dec 26, 2003
    #4
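    The client-side fix PES describes, written out as an added example (it is not from the thread or from Cisco): with "Use default gateway on remote network" unchecked in the PPTP dialer, the script first confirms the 0.0.0.0 route no longer points at the tunnel, then adds a route for the PIX inside network only. The inside network 192.168.1.0/24 and the tunnel address 192.168.2.10 assigned to the client are constructed placeholders; substitute the real values from "route print" and "ipconfig".

```batch
@echo off
rem Added example, not from the thread. Run from a DOS prompt after the PPTP
rem dialer has connected. Placeholder values (constructed, change to match):
set INSIDE_NET=192.168.1.0
set INSIDE_MASK=255.255.255.0
set PPTP_IP=192.168.2.10

rem Check: if the default route (0.0.0.0) still uses the tunnel address, all
rem internet traffic is being sent into the PIX, arrives on outside and is
rem dropped with "Deny inbound (No xlate)". Refuse to continue in that case.
route print 0.0.0.0 | findstr /c:"0.0.0.0" | findstr /c:"%PPTP_IP%" >nul
if not errorlevel 1 (
    echo Default gateway is still the PPTP link.
    echo Uncheck "Use default gateway on remote network" in the dialer and redial.
    exit /b 1
)

rem Only the inside network goes through the tunnel. PPTP is point-to-point,
rem so the client's own tunnel address is used as the gateway. The route is
rem deliberately not persistent (-p): the tunnel address changes per session.
route add %INSIDE_NET% mask %INSIDE_MASK% %PPTP_IP%
if errorlevel 1 (
    echo route add failed; verify PPTP_IP matches the "PPP adapter" address in ipconfig.
    exit /b 1
)

rem Show the result: the inside network via the tunnel, everything else via the LAN gateway.
route print %INSIDE_NET%
route print 0.0.0.0
```

    Web browsing then leaves via the local default gateway while inside hosts are still reached through the tunnel, which is the effect the Cisco client's split-tunnel option gives automatically.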
  5. LM

    LM Guest

    Thanks for all your help.

    On Fri, 26 Dec 2003 14:55:26 -0500, "PES"
    <NO*SPAMpestewartREMOVE**SUCKS> wrote:

    >
    >"LM" <> wrote in message
    >news:...
    >> I've got a PIX515 running code 6.3.3. I set up PPTP-based VPN
    >> and was able to tunnel in from (outside) interface just fine
    >> using w2k built-in PPTP client. however, I have 2 problems
    >> which I hope someone can help explain.
    >>
    >> 1) I was able to ping a device on the (inside) interface, but not
    >> the PIX's inside interface IP. No syslog message was observed.
    >> "debug icmp trace" showed icmp request received from outside
    >> and destination address got translated via a NAT 0 (identity).
    >> Question: is this normal behaviour? or I am missing some
    >> config?

    >
    >by design
    >
    >> 2) the (outside) interface on the PIX leads to the internet (Note:
    >> I was tunneling in on the (outside) interface). I would've
    >> expected to be able to access the internet (eg. web browsing) while
    >> tunneled in. Not so... syslog revealed messages that look like
    >> "Deny inbound (No xlate) tcp outside:ip/port dst outside:ip/port".
    >> I understand that while the PIX received the packet on the outside
    >> interface and based on the destination address, it needed to turn
    >> it around and send it back out the same outside interface, it
    >> considered that to be some form of security breach and just dropped
    >> it.. but I would've thought that given the packet came from a
    >> tunnel, it should've been considered to be originating from the
    >> inside.. is this correct? I must have some mis-configuration. I
    >> know you can do this with other fw/vpn products.

    >
    >If you do a route print, you will see that the default gateway is the pptp
    >interface. If you set your pptp dialer to not use it as the default gateway
    >and then manaully add routes into your client using route add statements
    >from dos prompt all will work. The actual vpn client works differently and
    >split tunnelling is required.
    >
    >>
    >> Thanks in advance for all your help.
    >>
    >> LM.

    >
    LM, Dec 28, 2003
    #5
