> > -------- Forwarded Message --------
> > From: Simon Hobson <[EMAIL PROTECTED]>
> > Reply-To: Shorewall Users <[email protected]>
> > To: Shorewall Users <[email protected]>
> > Subject: Re: [Shorewall-users] Help with routing VPN tunnel traffic across zones
> > Date: Thu, 21 Jun 2007 11:21:23 +0100
> >
> > Night Eagle wrote:
> >
> > >I am experiencing an interesting problem with my shorewall router/firewall
> > >and I'm hoping someone here might be able to help me diagnose and fix the
> > >problem.
> > >
> > >I have a mostly normal setup: a linux computer running shorewall (v3.4.3) that
> > >has three interfaces. The three interfaces correspond to net (eth5), dmz (eth4),
> > >and lan (eth2) zones. The lan zone can connect to dmz and net. dmz can only
> > >connect to net. This all works great thanks to shorewall.
> > >
> > >The wrinkle is that we have a Cisco PIX for VPN access to the lan zone from
> > >outside the firewall. Problem is that clients connecting through that
> > >device can only access the lan zone, not the dmz zone.
> > >
> > >The external interface of the PIX is in the dmz zone (10.0.1.2/24), and accessible
> > >from the net via a set of DNAT rules. The internal interface of the PIX is in the
> > >lan zone (192.168.1.4/24), so when a client connects, they are tunnelled through
> > >and appear to be another client in the lan zone, albeit with an address for a
> > >different network.
> >
> > A couple of thoughts that come to mind.
> >
> > 1) What policies are set on the Pix? Do they correctly send DMZ
> > traffic from the clients via the VPN tunnel? Do they allow the
> > traffic through at the Pix end?
> >
> > 2) You are trying to access IPs via the VPN that are in the same
> > subnet as the Pix external interface, does the Pix try and route
> > these directly itself? That would seem a logical thing to expect,
> > after all it isn't normal to route packets to a locally connected
> > subnet via a different gateway.
> >
> > Before getting too bogged down at the Shorewall end, have you checked
> > that the packets are actually reaching the Shorewall machine? Get
> > out your favourite packet sniffer (I use wireshark) and see if you
> > actually see packets coming out of the Pix internal interface that
> > are destined for the DMZ.
I think you are on to something here suggesting it might be PIX misconfiguration. Wouldn't surprise me at all as that device is very unintuitive to configure - that is one of the main reasons we have replaced it with Shorewall as our firewall. Unfortunately we still need to keep it around to serve the VPN role.

I think policy-wise the PIX is OK; no problem for clients to connect through and access the entire lan zone without problems. I've reviewed the PIX config and I am not seeing any place where the default gateway is being given to those 192.168.2.X VPN clients, so I'm thinking that is the problem. Since deploying Shorewall, our network has grown from a single lan segment to now a lan zone and dmz zone. The PIX VPN clients seem to be just fine for a single segment without a default gateway. With our multiple zones and associated networks, I think the PIX needs to specify a default gateway == shorewall.

I'm going to try a few ideas down this path when I get to that site tomorrow, and will do some sniffing as well if a solution does not quickly present itself.

Thanks for your assistance -- much appreciated!

~Jimmy

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
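As an added illustration, not configuration posted in the thread, here are Shorewall 3.x file fragments matching the setup Night Eagle describes, with the 192.168.2.0/24 VPN client range carved into its own zone so that its access to dmz is granted explicitly instead of being inherited by looking like a lan host. The IPsec ports and protocol in the DNAT rules are assumed, since the thread only says "a set of DNAT rules".

```conf
# /etc/shorewall/zones   (vpn is listed before lan: when a hosts-file zone
#                         overlaps an interface zone, the first match wins)
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
vpn     ipv4
lan     ipv4

# /etc/shorewall/interfaces   (interface names as given in the thread)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth5        detect      tcpflags,nosmurfs
dmz     eth4        detect
lan     eth2        detect

# /etc/shorewall/hosts   (VPN clients arrive on eth2 via the PIX inside
#                         interface; the client range is from the thread)
#ZONE   HOST(S)
vpn     eth2:192.168.2.0/24

# /etc/shorewall/policy   (lan->dmz, lan->net, dmz->net as described;
#                          vpn->dmz is now an explicit, auditable grant)
#SOURCE  DEST   POLICY   LOG LEVEL
lan      net    ACCEPT
lan      dmz    ACCEPT
dmz      net    ACCEPT
vpn      lan    ACCEPT
vpn      dmz    ACCEPT
net      all    DROP     info
all      all    REJECT   info

# /etc/shorewall/rules   (publish the VPN endpoint on the PIX outside address;
#                         IKE, NAT-T and ESP are assumed, not from the thread)
#ACTION  SOURCE  DEST            PROTO  DEST PORT(S)
DNAT     net     dmz:10.0.1.2    udp    500
DNAT     net     dmz:10.0.1.2    udp    4500
DNAT     net     dmz:10.0.1.2    esp
```

Shorewall can only classify a packet as vpn->dmz if the PIX actually forwards it out its inside interface to eth2, which is exactly the point Simon's sniffer check is meant to confirm.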
