pix and multiple gateways.

Posted by Rob on August 2, 2006, 11:47 am
Company has a pix 501E, I have a linux filter installed now too. Separate
gateways, separate IP's on the outside, same ISP.

Currently, the pix is only used for vpn tunnels and exchange and the DHCP
gives the network the gateway for the ipcop box. Thus filtering all of the
internet usage etc.

What I need to know is can the pix be used as the primary gateway, and can
the pix forward all internet requests to the ipcop box.

If it can be done, anybody know how?

I know the ipcop is full function, but the company has bought the pix unit,
it's in production handling 4 vpn's and 20 vpn clients. They do not want to
remove it.


Thanks. Rob



Posted by Walter Roberson on August 2, 2006, 12:35 pm
>Company has a pix 501E, I have a linux filter installed now too. Separate
>gateways, separate IP's on the outside, same ISP.

>What I need to know is can the pix be used as the primary gateway, and can
>the pix forward all internet requests to the ipcop box.

You can use a route command to send all traffic for your inside nets
to a particular destination. For that to work, the destination IP must
be part of the same subnet as the PIX inside interface; and if
you want the combination to be handling "all internet requests" then
the inside interface subnet could not match the routed subnet.

For example,

ip address inside 192.168.255.253 255.255.255.252
route inside 192.168.1.0 255.255.255.0 192.168.255.254

where 192.168.255.254 was the IP assigned to the outside interface
of the ipcop box that was handling traffic for the 192.168.1/24
inside subnet. The ipcop box would have to be passing the outbound
traffic along to the PIX with 192.168.1/24 source IPs.
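As an added check (not part of the thread), the following Python script encodes the two constraints Walter states for a PIX `route inside` entry: the next hop must sit on the inside interface's subnet, and the routed subnet must not overlap that interface subnet. Config A is his example; config B is a constructed, hypothetical attempt at Rob's layout with both gateways on the same /24, which the check flags.

```python
import ipaddress
import re

# Constructed config A: Walter's example, a /30 transit subnet between
# the PIX inside interface and the ipcop box, routing 192.168.1.0/24 to it.
CONFIG_A = """\
ip address inside 192.168.255.253 255.255.255.252
route inside 192.168.1.0 255.255.255.0 192.168.255.254
"""

# Constructed config B: hypothetical attempt at Rob's layout, where both
# gateways live on the same /24 that the PIX inside interface serves.
CONFIG_B = """\
ip address inside 192.168.1.1 255.255.255.0
route inside 192.168.1.0 255.255.255.0 192.168.1.251
"""

def parse_inside(text):
    """Extract the inside interface and the 'route inside' entries from
    PIX-style config text. Returns (IPv4Interface, [(network, next_hop)])."""
    iface, routes = None, []
    for line in text.splitlines():
        m = re.match(r"ip address inside (\S+) (\S+)", line)
        if m:
            iface = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.match(r"route inside (\S+) (\S+) (\S+)", line)
        if m:
            net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
            routes.append((net, ipaddress.IPv4Address(m.group(3))))
    if iface is None:
        raise ValueError("no 'ip address inside' line found")
    return iface, routes

def check_inside_routes(text):
    """Apply the two constraints from the post; return a list of violations."""
    iface, routes = parse_inside(text)
    problems = []
    for net, gw in routes:
        # The next hop must be directly reachable on the inside subnet.
        if gw not in iface.network:
            problems.append(f"{net} via {gw}: next hop not in {iface.network}")
        # The routed subnet must not overlap the connected inside subnet;
        # otherwise the static route competes with the connected route and
        # the next hop itself would match the route being installed.
        if net.overlaps(iface.network):
            problems.append(f"{net} via {gw}: overlaps inside subnet {iface.network}")
    return problems
```

Run `check_inside_routes(CONFIG_A)` for an empty list and `check_inside_routes(CONFIG_B)` for the overlap finding.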


Posted by Rob on August 2, 2006, 12:53 pm
Basically what I have is a pix gateway of 192.168.1.1 and the ipcop gateway
of 192.168.1.251. They are separate pipes out of the network on the same
subnet and they have different public IPs.

I want the pix to handle exchange and the vpn's alone, and forward
everything else (http, ftp, https etc) over to the ipcop box. I need a
sample command to go by as I can't find it anywhere.

The head office internal network cannot see the other networks thru the vpn
tunnels as the pix is not the gateway for the main network. The Ipcop was
put in place as a test to see what the capabilities are and it works very
well but has difficulties in addressing static routes. Basically, if I try
to RDP into one of the remote workstations using the ipcop gateway, the ip
doesn't exist cause there's no static routes involved. If I can address the
problem with the ipcop, then I wouldn't need to use the pix as the gateway
at all, but it would still be preferred.



> >Company has a pix 501E, I have a linux filter installed now too. Separate
> >gateways, separate IP's on the outside, same ISP.
>
> >What I need to know is can the pix be used as the primary gateway, and can
> >the pix forward all internet requests to the ipcop box.
>
> You can use a route command to send all traffic for your inside nets
> to a particular destination. For that to work, the destination IP must
> be part of the same subnet as the PIX inside interface; and if
> you want the combination to be handling "all internet requests" then
> the inside interface subnet could not match the routed subnet.
>
> For example,
>
> ip address inside 192.168.255.253 255.255.255.252
> route inside 192.168.1.0 255.255.255.0 192.168.255.254
>
> where 192.168.255.254 was the IP assigned to the outside interface
> of the ipcop box that was handling traffic for the 192.168.1/24
> inside subnet. The ipcop box would have to be passing the outbound
> traffic along to the PIX with 192.168.1/24 source IPs.
>



Posted by Walter Roberson on August 2, 2006, 1:35 pm
>Basically what I have is a pix gateway of 192.168.1.1 and the ipcop gateway
>of 192.168.1.251. They are
>separate pipes out of the network on the same subnet and they have different
>public ip's.

Okay.

>I want the pix to handle exchange and the vpn's alone, and forward
>everything else (http, ftp, https etc)
>over to the ipcop box. I need a sample command to go by as I can't find it
>anywhere.

Your earlier request was to forward *all* the internet traffic to the
ipcop box, and I took that to mean that any incoming VPN traffic
should go to the ipcop box after being decapsulated. The route
solution I gave works for that scenario.

If you want VPN traffic to arrive, be decapsulated, and be exempt
from going to the ipcop box, even when the internal destination
is the same as for some of the traffic handled by the ipcop box,
then that's a problem. If, though, the ipcop box is doing NAT
and the VPN tunnels can be expressed in terms of the "raw" IP
addresses, then you can route the NAT'd IPs to the ipcop box and
have the "raw" IPs go directly (or to a different internal router.)

If, though, you want to be able to distinguish based upon protocol
(good luck characterising exactly what protocols Exchange uses though),
with some protocols going directly and the rest going via the ipcop box,
then you cannot directly use the "route" solution, because the PIX 501
does not support policy-based routing [PBR] (the other PIX models aren't
exactly marvels at PBR either.) In such a case you would have to combine
static PAT and different IP ranges with NAT on the ipcop box, so that
after the static PAT step the apparent destination IP range would differ
for the two cases. The PIX 501 can route based upon destination IP but
not source IP and not protocol or port. (It can NAT differently based upon
source IP or protocol or source or destination port though.)


>if I try to RDP into one of the
>remote workstations using the ipcop gateway, the ip doesn't exist cause
>there's no static routes involved.

In my route and differential NAT solutions above, I did not deal with
the problem of reply packets and how they travel back via the ipcop
box or skip the box as appropriate. I do not, though, know what the
capabilities are of ipcop, and I am not certain quite yet about
how you want different traffic types to be handled.
