[fw-wiz] VPN/DMZ problem - Firewalls


Thread: [fw-wiz] VPN/DMZ problem

  1. [fw-wiz] VPN/DMZ problem

    Hi,

    We're having a problem with our VPN; we have a PIX 515E with 4
    interfaces:

    Inside (security100) - Our internal LAN, 150.150.10.0/24
    Outside (security0) - The Internet
    Perimeter (security50) - DMZ, 172.16.1.0/24
    Innerperimeter (security75) - "Inner" DMZ, 150.150.11.0/24

    The VPN is a certificate/token-based set up, with VPN users being
    assigned addresses from 150.150.62.0/24 (don't ask me about the weird
    addressing scheme; it was like that when I got here).

    The problem we're having is that VPN users can't access hosts in either
    of the DMZs, although they can see LAN hosts just fine. I'm assuming
    that this is because the VPN traffic is coming in through the PIX's
    "outside" interface, and the usual rule about traffic from interfaces
    with a lower security level going to an interface with a higher one is
    applying.

    I've tried to override this with another access list, by "nat 0"-ing
    the two DMZ interfaces, but external VPN users still can't see hosts in
    the DMZs. Obviously I'm screwing up somewhere, but I'd be very grateful
    if someone could tell me how.

    Ta,
    IR.


    *******************************************************************
    Private and Confidential: This e-mail transmission is strictly
    confidential and intended solely for the addressee. It may contain
    privileged and confidential information and if you are not the
    intended recipient, you must not copy, disclose, distribute or
    take any action in reliance on it. If you have received this
    e-mail in error, please delete it and notify our E-mail Systems
    Administrator on +44 (0) 131 624 8000. ESPC (UK) Ltd does not
    accept any liability for any harm that may be caused to the
    recipient's system or data by this message or any attachment.

    ESPC (UK) Ltd is a company registered under the Companies
    Acts in Scotland (Registered Number SC203535), and having its
    registered office at 90A George Street, Edinburgh, Midlothian
    EH2 3DF.

    ESPC (UK) Limited is authorised and regulated by the Financial
    Services Authority.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@listserv.icsalabs.com
    https://listserv.icsalabs.com/mailma...rewall-wizards


  2. Re: [fw-wiz] VPN/DMZ problem

    Ian,

    If you can get to the LAN resources and not to the DMZ resources, you
    would need to check on :

    1) Split tunneling: DMZ subnets should be allowed.
    2) A NAT 0 statement should be configured for traffic between the DMZ and the pool IPs.
    3) Make sure there is a return route on the destination (just to
    check; I understand that the default gateway on the DMZ devices would
    be the PIX interface).
    4) Check your machine's routing table for any conflicting static routes for the
    destination subnets.

    Pointers to troubleshoot:
    * After connecting the VPN, send a continuous ping to the DMZ
    destination. Check in the VPN client's statistics whether the packets are
    getting encrypted. If you do not see the encrypted packet count increasing,
    then you have a local issue. It is either with the split tunneling subnets
    or a route on your local PC. If you can see the encrypted count increasing,
    then the next step would be to check on the PIX. Running Wireshark
    on the virtual adapter will be useful as well.

    * Do a sh crypto ipsec sa on the PIX. Check if you see traffic
    decrypting. If there is an issue with the return route, you would see
    decrypts but no encrypts!

    * You can run the command ' man- command. By doing
    this you can ping the PIX DMZ interface itself and troubleshoot. This
    will isolate an issue with the return route etc. on the destination
    network. (e.g. in your case it would be man-Perimeter)

    Hope this helps. Let me know the results and we will take the next
    actions (if needed).

    Thanks,
    Adi

    On Thu, Sep 4, 2008 at 10:37 AM, Christopher J. Wargaski
    wrote:
    > Hey Ian--
    >
    > Are you using split-tunneling with the VPN? If so, make sure that the ACL
    > permits the DMZ.
    >
    > On Tue, Sep 2, 2008 at 5:06 AM, Ian Rarity wrote:
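Putting Adi's points 1 and 2 together as a single PIX configuration fragment for Ian's four interfaces and client pool. This is an added example, not configuration from the thread or from Cisco documentation; it assumes PIX 6.3-style syntax (vpngroup, sysopt connection permit-ipsec), the ACL, pool and group names SPLIT_TUNNEL, NONAT_*, VPNPOOL and REMOTE_USERS are invented, and the nameif values are assumed to be inside, Perimeter and Innerperimeter as the first post gives them. The point it illustrates is the one Ian confirms in his follow-up: the split-tunnel list and the nat 0 lists are separate ACLs, and a DMZ subnet has to appear in both before a VPN user can reach it.

```cisco
! Constructed example, not configuration from the thread. PIX 6.3 syntax assumed;
! on PIX/ASA 7.x the vpngroup lines become a tunnel-group/group-policy and
! "sysopt connection permit-ipsec" is spelled "sysopt connection permit-vpn".
! Subnets are the ones listed in the thread; all names below are invented.

! --- Address pool handed to remote-access clients (the 150.150.62.0/24 range) ---
ip local pool VPNPOOL 150.150.62.1-150.150.62.254

! --- BEFORE: the split-tunnel ACL names only the LAN. The client therefore
!     never routes DMZ-bound packets into the tunnel, so nothing is encrypted
!     on the client and nothing is decrypted on the PIX, no matter how the
!     nat 0 statements look. ---
! access-list SPLIT_TUNNEL permit ip 150.150.10.0 255.255.255.0 150.150.62.0 255.255.255.0

! --- AFTER: every network a VPN user should reach is listed. Source is the
!     protected network behind the PIX, destination is the client pool. ---
access-list SPLIT_TUNNEL permit ip 150.150.10.0 255.255.255.0 150.150.62.0 255.255.255.0
access-list SPLIT_TUNNEL permit ip 172.16.1.0 255.255.255.0 150.150.62.0 255.255.255.0
access-list SPLIT_TUNNEL permit ip 150.150.11.0 255.255.255.0 150.150.62.0 255.255.255.0

! --- NAT exemption: one ACL per interface whose hosts the pool must reach.
!     Without these the DMZ hosts' replies would be translated and the SA
!     would never match the return traffic (decrypts but no encrypts). ---
access-list NONAT_INSIDE permit ip 150.150.10.0 255.255.255.0 150.150.62.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
access-list NONAT_PERIMETER permit ip 172.16.1.0 255.255.255.0 150.150.62.0 255.255.255.0
nat (Perimeter) 0 access-list NONAT_PERIMETER
access-list NONAT_INNERPERIMETER permit ip 150.150.11.0 255.255.255.0 150.150.62.0 255.255.255.0
nat (Innerperimeter) 0 access-list NONAT_INNERPERIMETER

! --- Let decrypted IPsec traffic bypass the outside interface ACL and the
!     lower-to-higher security-level rule Ian describes. ---
sysopt connection permit-ipsec

! --- Bind the pool and the split-tunnel list to the remote-access group ---
vpngroup REMOTE_USERS address-pool VPNPOOL
vpngroup REMOTE_USERS split-tunnel SPLIT_TUNNEL

! Checks while a connected client pings 172.16.1.x:
!   show access-list SPLIT_TUNNEL   -> hit counts on the DMZ lines should rise
!   show crypto ipsec sa            -> both #pkts decaps and #pkts encaps should rise
```

Keeping the DMZ entries in SPLIT_TUNNEL as tight as the ones in the nat 0 lists matters for the reason this thread exists in reverse: the split-tunnel ACL is what decides which destinations leave the client through the tunnel, so a subnet added there without a matching nat 0 entry (or the other way round) fails in the two different ways Adi's troubleshooting steps distinguish.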


  3. Re: [fw-wiz] VPN/DMZ problem
    Yep, that was it. The VPN split-tunnel uses a different ACL, which I'd
    forgotten to update. Everything's working now; thanks for responding.

    Ta,
    IR.

    *********************************
    Ian Rarity
    Technical Engineer
    ESPC (UK) Ltd.
    T: (44)131 624 8000
    F: (44)131 624 8509
    http://www.espc.com ( http://www.espc.com/ )

    >>> "Christopher J. Wargaski" 04/09/2008 06:07 >>>

    Hey Ian--

    Are you using split-tunneling with the VPN? If so, make sure that
    the ACL permits the DMZ.
