>
> > -------- Forwarded Message --------
> > From: Simon Hobson <linux@thehobsons.co.uk>
> > Reply-To: Shorewall Users <shorewall-users@lists.sourceforge.net>
> > To: Shorewall Users <shorewall-users@lists.sourceforge.net>
> > Subject: Re: [Shorewall-users] Help with routing VPN tunnel traffic
> > across zones
> > Date: Thu, 21 Jun 2007 11:21:23 +0100
> >
> > Night Eagle wrote:
> >
> > >I am experiencing an interesting problem with my shorewall router/firewall and
> > >I'm hoping someone here might be able to help me diagnose and fix the problem.
> > >
> > >I have a mostly normal setup: a linux computer running shorewall (v3.4.3) that
> > >has three interfaces. The three interfaces correspond to net (eth5), dmz (eth4),
> > >and lan (eth2) zones.
> > >The lan zone can connect to dmz and net. dmz can only connect to net. This
> > >all works great thanks to shorewall.
> > >
> > >The wrinkle is that we have a Cisco PIX for VPN access to the lan zone from
> > >outside the firewall. Problem is that clients connecting through that
> > >device can only access the lan zone, not the dmz zone.
> > >
> > >The external interface of the PIX is in the dmz zone (10.0.1.2/24), and accessible
> > >from the net via a set of DNAT rules. The internal interface of the PIX is in the
> > >lan zone (192.168.1.4/24), so when a client connects, they are tunnelled through
> > >and appear to be another client in the lan zone, albeit with an
> > >address for a different network.
> >
> >
> > A couple of thoughts that come to mind.
> >
> > 1) What policies are set on the Pix ? Do they correctly send DMZ
> > traffic from the clients via the VPN tunnel ? Do they allow the
> > traffic through at the Pix end ?
> >
> > 2) You are trying to access IPs via the VPN that are in the same
> > subnet as the Pix external interface, does the Pix try and route
> > these directly itself ? That would seem a logical thing to expect,
> > after all it isn't normal to route packets to a locally connected
> > subnet via a different gateway.
> >
> >
> > Before getting too bogged down at the Shorewall end, have you checked
> > that the packets are actually reaching the Shorewall machine ? Get
> > out your favourite packet sniffer (I use wireshark) and see if you
> > actually see packets coming out of the Pix internal interface that
> > are destined for the DMZ.
I think you are on to something here suggesting it might be PIX
misconfiguration. Wouldn't surprise me at all as that device is very
unintuitive to configure - that is one of the main reasons we have
replaced it with Shorewall as our firewall. Unfortunately we still need
to keep it around to serve the VPN role.

I think policy-wise the PIX is OK; no problem for clients to connect
through and access the entire lan zone without problems. I've reviewed
the PIX config and I am not seeing any place where the default gateway
is being given to those 192.168.2.X VPN clients, so I'm thinking that
is the problem. Since deploying Shorewall, our network has grown from
a single lan segment to now a lan zone and dmz zone. The PIX VPN
clients seem to be just fine for a single segment without a default
gateway. With our multiple zones and associated networks, I think the
PIX needs to specify a default gateway == shorewall.

I'm going to try a few ideas down this path when I get to that site
tomorrow, and will do some sniffing as well if a solution does not
quickly present itself.

Thanks for your assistance -- much appreciated!
~Jimmy
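As an added illustration of the routing reasoning in this thread (not code from either poster), the following Python simulates longest-prefix route lookup for the three tables under discussion: a VPN client with only the lan subnet, the same client with a default route, and the PIX itself. The next-hop labels, the PIX's own table, and the default route toward Shorewall are assumptions; the subnets come from the thread.

```python
import ipaddress

# Subnets from the thread; the VPN client pool is the 192.168.2.x range Jimmy mentions.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("10.0.1.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def lookup(routes, dst):
    """Longest-prefix match over (network, next_hop) pairs; None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


# Assumed table 1: the PIX pushes only the lan subnet to the client, no default route.
# A packet for the dmz has no route at all, so it never leaves the client.
CLIENT_NO_DEFAULT = [(LAN_NET, "tunnel")]

# Assumed table 2: the client additionally gets a default route into the tunnel,
# so dmz traffic at least reaches the PIX (where the next decision is made).
CLIENT_WITH_DEFAULT = [(LAN_NET, "tunnel"), (DEFAULT, "tunnel")]

# Assumed table 3: the PIX. Its outside interface is on the dmz subnet, so a
# connected /24 always beats a default route toward Shorewall (Simon's point 2):
# the PIX will deliver to 10.0.1.x directly rather than via the Shorewall box.
PIX_TABLE = [
    (DMZ_NET, "outside:connected"),
    (LAN_NET, "inside:connected"),
    (DEFAULT, "shorewall"),
]


def trace(dst):
    """Next hop chosen by each of the three tables for a destination address."""
    return {
        "client_no_default": lookup(CLIENT_NO_DEFAULT, dst),
        "client_with_default": lookup(CLIENT_WITH_DEFAULT, dst),
        "pix": lookup(PIX_TABLE, dst),
    }


if __name__ == "__main__":
    for host in ("192.168.1.10", "10.0.1.5"):
        print(host, trace(host))
```

Running it shows the two conditions the thread separates: without a default route the client never emits the dmz packet (nothing to sniff on the PIX inside interface), and once it does, the PIX's connected route decides the path, not Shorewall.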