[THIN] Fwd: Re: WHY

  • From: "Berny Stapleton" <berny@xxxxxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Wed, 30 Apr 2008 17:07:39 +0100

Subnet masks? 10.x.x.x in classful routing is 255.0.0.0 and I doubt that's
the subnet mask you are using....


P.S. Is everyone getting bounce messages from freelists?

2008/4/30 Chad Schneider (IT) <Chad.M.Schneider@xxxxxxxxxxxxx>:

> Clients are given an IP from a pool. The pool is a group of addresses
> on the same subnet as the gateway. The default gateway for the IPs given
> is in fact the gateway itself, INT1 (internal network).
>
> IPs given are 10.1.X.X
> Default Gateway is the Access Gateway
> Access Gateway is 10.1.X.X
>
> We do have static routes listed.
>
> Destination    Gateway
> 172.16.X.X     10.1.X.X
> 192.168.X.X    10.1.X.X
> 10.0.0.0       10.1.X.X
>
> Chad Schneider
> Systems Engineer
> ThedaCare IT
> 920-735-7615
>
> >>> On 4/30/2008 at 10:03 AM, <joe.shonk@xxxxxxxxx> wrote:
>
> Well, what IP/Gateway is the client using on the Internal Network?  Sounds
> like a routing configuration issue.
>
> Joe
>
>  ------------------------------
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Andrew Wood
> *Sent:* Wednesday, April 30, 2008 7:49 AM
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: WHY
>
> Here is a beautiful text representation of how I see it
>
>    Tunnel to cag      internal network
>
> Me =========== CAG -------------------- INTERNAL
>
> If I set up an IPsec VPN connection to my network via a VPN (CAG) I don't
> want that VPN to route external traffic out, I don't want it to make that
> decision: I want all traffic from my endpoint channelled through the tunnel
> to the VPN, and onto the internal network (rules permitting). At a base
> level it's inefficient – what's the point in sending it through the tunnel if
> it is meant to be external?
>
> Maybe I elect to only perform **some** tunnelling – in which case external
> traffic goes out from 'Me' and never goes through the tunnel (i.e. split
> tunnelling – and at this point my network security chappie has a heart
> attack). But, if traffic goes through the tunnel it comes out on the
> internal network (rules permitting) - the CAG isn't responsible for deciding
> if network traffic that comes through the tunnel should just be routed out
> directly onto the web.
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Berny Stapleton
> *Sent:* 30 April 2008 14:57
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: WHY
>
> But the CAG wouldn't see the packet come into the internal interface as
> it's not coming across the wire of the ethernet interface, so why should it
> consider it internal traffic?
>
> 2008/4/30 Andrew Wood <andrew.wood@xxxxxxxxxxxxxxxx>:
>
> I'd have thought that if the routing address on your internal interface
> was correct, that all traffic going through the CAG should head through the
> internal interface – and then be routed out through the normal channels for
> internal network traffic to the internet (which is unlikely to be the CAG)
>
> Otherwise, someone connecting on the external interface is being routed
> straight out onto the web – bypassing any filters/caching/auditing/scanning
> that you've got set up.
>
> This doesn't help Chad mind – other than agreeing with him that what's
> happening sounds wrong
>
> a.
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Berny Stapleton
> *Sent:* 30 April 2008 14:26
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: WHY
>
> OK, maybe this is just me and my limited experience with CAG...
>
> A VPN session, which I presume is a connection from the internet (External)
> to the CAG, the CAG being a gateway device between external internet and
> internal network, when you bring up a VPN session, or in this case I presume
> IPSEC policy between the two devices (Client PC and the CAG) which would
> give you an IPSEC policy to the CAG and any traffic you send to it through
> the IPSEC policy would end up on its local routing table. At which point it
> has to make a routing decision about where to send the traffic, it's an
> external address so therefore it would send it to the external interface and
> therefore external address.
>
> That seems logical to me. My question to you is, unless the destination
> address is the internal network, why SHOULD it send it via the internal
> interface? My only educated guess on this one is that you used part of your
> INTERNAL address space for the addresses you assigned to the CAG for it to
> hand out to clients, when as far as I can see, the clients should have been
> treated or thought of as DMZ interfaces / connections.
>
> This is just what I am thinking about having done firewall admin before.
>
> If I am wrong on this one, and completely off base, please let me know, my
> experience with CAG is limited.
>
> Berny
>
> 2008/4/30 Chad Schneider (IT) <Chad.M.Schneider@xxxxxxxxxxxxx>:
>
> Does a VPN session to the CAG route external-bound internet traffic
> through the CAG external interface, rather than through the CAG internal
> interface?
>
> I am watching the traffic, from our CAG internal IP range, when making a
> request to google.com, the traffic goes out the CAG INT0 (External).
>
> Chad Schneider
> Systems Engineer
> ThedaCare IT
> 920-735-7615
>

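The routing decision Berny describes (and the one Andrew expects instead) can be checked with a small longest-prefix-match simulation. This is an added example, not code from the list or from Citrix; the prefix lengths, the 10.1.0.1 internal gateway, the 203.0.113.1 ISP gateway and the 198.51.100.7 stand-in for google.com are constructed values, since the thread only shows X-masked addresses.

```python
import ipaddress

# Constructed routing table modelled on the one Chad posted. The X octets in his
# mail are unknown, so the /8, /12 and /16 prefixes and the gateway addresses
# below are assumptions. Format: (destination network, next hop, egress interface).
CAG_ROUTES = [
    ("0.0.0.0/0",      "203.0.113.1", "INT0 (external)"),  # default route to the ISP
    ("10.0.0.0/8",     "10.1.0.1",    "INT1 (internal)"),
    ("172.16.0.0/12",  "10.1.0.1",    "INT1 (internal)"),
    ("192.168.0.0/16", "10.1.0.1",    "INT1 (internal)"),
]

# Andrew's expectation: everything arriving through the tunnel leaves on the
# internal side and reaches the internet via the internal network's normal path
# (filters, caching, auditing). One way to express that on the CAG is a default
# route that points at the internal gateway rather than the ISP.
FULL_TUNNEL_ROUTES = [("0.0.0.0/0", "10.1.0.1", "INT1 (internal)")] + CAG_ROUTES[1:]


def lookup(dst, routes):
    """Longest-prefix match: return (network, next_hop, iface) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, next_hop, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, next_hop, iface)
    return best


def egress_interface(dst, routes=CAG_ROUTES):
    """Interface a packet to dst would leave the CAG on, or None if unroutable."""
    hit = lookup(dst, routes)
    return hit[2] if hit else None


def audit(dst, routes=CAG_ROUTES):
    """Flag tunnel traffic that would leave on the external interface, bypassing
    the internal network's egress controls (the case Chad observed)."""
    iface = egress_interface(dst, routes)
    bypass = iface is not None and iface.startswith("INT0")
    return {"dst": dst, "iface": iface, "bypasses_internal_controls": bypass}


if __name__ == "__main__":
    for dst in ("10.1.5.20", "172.16.4.9", "198.51.100.7"):
        print(audit(dst), "->", audit(dst, FULL_TUNNEL_ROUTES))
```

With the posted table, only RFC 1918 destinations match a static route; an internet address falls to the default route and exits INT0, exactly what Chad sees on the wire.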