Route Based VPN with Cisco PIX
Pash
Sorry guys, I may have overlooked this completely. But is it possible to specify a route-based VPN on a PIX? As in, I have a destination network I want to reach at one site, but I want all of this traffic to be routed through a specific VPN link.
Thanks,
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
Comments
dtlokee
That is accomplished based on the ACL you're using in the crypto map statements: when the PIX receives traffic from a permitted network in the ACL going to a permitted network in the ACL, then it is encrypted and sent to the corresponding peer.
The only easy day was yesterday!
Pash
dtlokee wrote:
That is accomplished based on the ACL you're using in the crypto map statements: when the PIX receives traffic from a permitted network in the ACL going to a permitted network in the ACL, then it is encrypted and sent to the corresponding peer.
Thanks dt, I'm checking the crypto maps now. Our VPN termination is at our specified peer, but the destination network is at a different site completely. The endpoint for the VPN knows about the other network, so I'm working out how to make sure all traffic for this site goes through the VPN.
Ahriakin
All you need to do is route the traffic out the interface you have the correct crypto map applied to, add ACEs for the destination subnet to its match-address list, and that's it for the PIX. Any routing from the other side to the remote network has to be done on their devices (best practice forces routers not to accept explicitly routed packets (sorry, can't remember the exact term, but where the packet tries to force itself along a certain route and not abide by the router's own table)).
So if you were trying to reach 192.168.100.0/24 over a VPN that terminated on the outside interface, which in turn has a default gateway of 100.100.100.1, it'd be something like:
Internally, route 192.168.100.0/24 to your PIX's inside interface.
Now route the traffic to the outside:
route outside 192.168.100.0 255.255.255.0 100.100.100.1
Create (or add to) an ACL to define interesting traffic:
access-list vpn-somewhereovertherainbow permit ip any 192.168.100.0 255.255.255.0
Create a crypto map (if you are doing a new tunnel) with the interesting traffic applied:
crypto map vpn-outside 10 match address vpn-somewhereovertherainbow
(rest of crypto map)
If you are going to keep the IP addressing intact, add 192.168.100.0/255.255.255.0 to your NAT 0 ACL.
If you are working with multiple subnets, both as the sources allowed into a tunnel and as its destinations, I find it handy to work with object groups and use these inside the ACLs. One big advantage is that you can use one object group in both your interesting-traffic and NAT access lists without messing up PDM access (you can't use one access list for two functions and run the GUI...). It's also handy if you have strict egress rules, so you can define exactly which private subnets should be seen on the interfaces with just a few object groups rather than a big list. Lastly, when you change your object group you automatically change all associated access lists.
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
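The steps above pulled together into one PIX 6.3 configuration, as an added example that is not part of the original thread and not Ahriakin's own config. The remote subnet 192.168.100.0/24 and the outside next hop 100.100.100.1 are the ones used in the post; the local LAN 10.1.1.0/24, the peer address 200.200.200.2, the object-group, ACL and transform-set names, the IKE/IPsec proposals and the pre-shared key placeholder are assumptions. Lines starting with ! are commentary, not configuration.

```cisco
! ASSUMED: local LAN 10.1.1.0/24 on inside, remote 192.168.100.0/24 behind peer 200.200.200.2
! One object group feeds both the crypto ACL and the NAT 0 ACL, but each
! function still gets its own access list so PDM keeps working
object-group network vpn-remote-nets
  network-object 192.168.100.0 255.255.255.0

! Interesting traffic: this ACL, not the routing table, decides what is encrypted
! and to which peer. Scope the source to the LAN instead of "any" so only
! LAN-to-remote traffic is pushed into the tunnel
access-list vpn-somewhereovertherainbow permit ip 10.1.1.0 255.255.255.0 object-group vpn-remote-nets

! NAT exemption so the remote side sees real 10.1.1.0/24 addresses
access-list nonat permit ip 10.1.1.0 255.255.255.0 object-group vpn-remote-nets
nat (inside) 0 access-list nonat

! The packet has to leave through the interface that carries the crypto map;
! the next hop is the outside gateway, not the peer. Encryption is applied
! after the routing decision
route outside 192.168.100.0 255.255.255.0 100.100.100.1 1

! Let decrypted IPsec traffic bypass the interface ACLs
sysopt connection permit-ipsec

! Phase 2 (the 3DES/AES activation key is needed for AES on PIX 6.3)
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto map vpn-outside 10 ipsec-isakmp
crypto map vpn-outside 10 match address vpn-somewhereovertherainbow
crypto map vpn-outside 10 set peer 200.200.200.2
crypto map vpn-outside 10 set transform-set strong
crypto map vpn-outside interface outside

! Phase 1; the NetScreen proposal must mirror these values
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! no-xauth / no-config: a LAN-to-LAN peer gets neither extended auth nor mode-config
isakmp key <strong-pre-shared-key> address 200.200.200.2 netmask 255.255.255.255 no-xauth no-config
```

Because the PIX is policy-based, the far end has to agree on the same traffic selectors: on a route-based NetScreen the proxy-ID for this tunnel must match the crypto ACL (local 192.168.100.0/24, remote 10.1.1.0/24), otherwise Phase 1 comes up and Phase 2 fails. Verify with `show crypto isakmp sa` and `show crypto ipsec sa`, and watch the `pkts encaps`/`pkts decaps` counters climb while you send traffic to 192.168.100.0/24.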
Pash
Ahriakin, huge thanks!
I love these forums. I found a good link as well from the Cisco white papers regarding configuring crypto maps, as well as the white papers from Juniper, because this isn't PIX to PIX, this is PIX to NetScreen. I will paste the links when I'm at work later!
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/ipsecint.html
Thanks again mate.
Pash
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config
The no-xauth and no-config tags were required on the Phase 1 config line here. I assume because it's not turned on on the NetScreen side.
Seems to all work now.
Cheers again,
jassoerick
Pash wrote:
Sorry guys, I may have overlooked this completely. But is it possible to specify a route-based VPN on a PIX? As in, I have a destination network I want to reach at one site, but I want all of this traffic to be routed through a specific VPN link.
Thanks,
Well, I am also working on this. I have started a new project on the same thing. When you find out how to route the traffic through a VPN link, please do let me know. I will be very thankful to you.
==============================
jasso
http://www.minutetraders.com