[THIN] Re: WHY
- From: "Chad Schneider (IT)" <Chad.M.Schneider@xxxxxxxxxxxxx>
- To: <thin@xxxxxxxxxxxxx>
- Date: Wed, 30 Apr 2008 10:16:28 -0500
Forgot to note, static routes all go through ETH1 (Internal).
Chad Schneider
Systems Engineer
ThedaCare IT
920-735-7615
>>> On 4/30/2008 at 10:12 AM, <CMS0914@xxxxxxxxxxxxx> wrote:
Clients are given an IP from a pool. The pool is a group of addresses,
on the same subnet as the gateway. The default gateway for the IPs
given is in fact the gateway itself, INT1 (internal network).
IPs given are 10.1.X.X
Default Gateway is the Access Gateway
Access Gateway is 10.1.X.X
We do have static routes listed.
Destination     Gateway
172.16.X.X      10.1.X.X
192.168.X.X     10.1.X.X
10.0.0.0        10.1.X.X
Chad Schneider
Systems Engineer
ThedaCare IT
920-735-7615
>>> On 4/30/2008 at 10:03 AM, <joe.shonk@xxxxxxxxx> wrote:
Well, what IP/Gateway is the client using on the Internal Network?
Sounds like a routing configuration issue.
Joe
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Andrew Wood
Sent: Wednesday, April 30, 2008 7:49 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WHY
Here is a beautiful text representation of how I see it
Tunnel to cag internal network
Me =========== CAG -------------------- INTERNAL
If I setup an ipsec vpn connection to my network via a VPN (cag) I
don’t want that VPN to route external traffic out, I don’t want it to
make that decision: I want all traffic from my endpoint channelled
through the tunnel to the VPN, and onto the internal network (rules
permitting). At a base level it's inefficient – what's the point in
sending it through the tunnel if it is meant to be external?
Maybe I elect to only perform *some* tunnelling – in which case
external traffic goes out from ‘Me’ and never goes through the tunnel
(i.e. split tunnelling – and at this point my network security chappie
has a heart attack). But, if traffic goes through the tunnel it comes
out on the internal network (rules permitting) - the CAG isn’t
responsible for deciding if network traffic that comes through the
tunnel should just be routed out directly onto the web.
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Berny Stapleton
Sent: 30 April 2008 14:57
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WHY
But the CAG wouldn't see the packet come into the internal interface as
it's not coming across the wire of the ethernet interface, so why should
it consider it internal traffic?
2008/4/30 Andrew Wood <andrew.wood@xxxxxxxxxxxxxxxx>:
I'd have thought that if the routing address on your internal interface
was correct, that all traffic going through the CAG should head through
the internal interface – and then be routed out through the normal
channels for internal network traffic to the internet (which is unlikely
to be the CAG)
Otherwise, someone connecting on the external interface is being routed
straight out onto the web – bypassing any
filters/caching/auditing/scanning that you've got set up.
This doesn't help Chad mind – other than agreeing with him that what's
happening sounds wrong.
a.
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Berny Stapleton
Sent: 30 April 2008 14:26
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WHY
OK, maybe this is just me and my limited experience with CAG...
A VPN session which I presume is a connection from the internet
(External) to the CAG, the CAG being a gateway device between external
internet and internal network, when you bring up a VPN session, or in
this case I presume IPSEC policy between the two devices (Client PC and
the CAG) which would give you an IPSEC policy to the CAG, and any traffic
you send to it through the IPSEC policy would end up on its local
routing table. At which point it has to make a routing decision about
where to send the traffic, it's an external address so therefore it
would send it to the external interface and therefore external address.
That seems logical to me. My question to you is, unless the destination
address is the internal network, why SHOULD it send it via the internal
interface? My only educated guess on this one is that you used part of
your INTERNAL address space for the addresses you assigned to the CAG
for it to hand out to clients, when as far as I can see, the clients
should have been treated or thought of as DMZ interfaces / connections.
This is just what I am thinking about having done firewall admin
before.
If I am wrong on this one, and completely off base, please let me know;
my experience with CAG is limited.
Berny
2008/4/30 Chad Schneider (IT) <Chad.M.Schneider@xxxxxxxxxxxxx>:
Does a VPN session to the CAG, route external bound internet traffic
through the CAG external interface, rather than through the CAG Internal
interface?
I am watching the traffic, from our CAG internal IP range, when making
a request to google.com, the traffic goes out the CAG INT0(External).
Chad Schneider
Systems Engineer
ThedaCare IT
920-735-7615
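The routing decision Berny describes (the gateway consults its own table and the default route wins for any destination the static routes do not cover) and the egress Chad observes can be reproduced with a small longest-prefix-match simulation. The example below is added here and is not code from the thread, from ThedaCare, or from Citrix. It assumes prefix lengths for the three static routes (the thread only shows the leading octets), assumes ETH0 is the external interface and ETH1 the internal one, uses constructed placeholder gateway and pool addresses, and names the interface a packet from a VPN-pool source would leave on. The `audit_egress` function is the check a defender would want: it lists pool-sourced flows that would exit the external interface, bypassing the internal filtering and auditing path Andrew mentions. The second table variant shows the effect of pointing the default route at the internal interface instead.

```python
"""Longest-prefix-match walk-through of the CAG routing question in the thread.

Added example, not Citrix or ThedaCare code. Interface names, prefix lengths,
gateway addresses, the pool size and the sample flows are all assumptions or
constructed values; the thread shows only the first octets.
"""
import ipaddress
from typing import NamedTuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str


INTERNAL_GW = "10.1.0.1"      # constructed stand-in for the 10.1.X.X gateway
EXTERNAL_GW = "203.0.113.1"   # constructed stand-in (TEST-NET-3 documentation range)
VPN_POOL = ipaddress.ip_network("10.1.0.0/16")   # assumed size of the client pool


def build_table(default_via_internal: bool = False) -> list[Route]:
    """Static routes as listed in the thread (prefix lengths assumed), plus a default."""
    table = [
        Route(ipaddress.ip_network("172.16.0.0/12"), INTERNAL_GW, "ETH1"),
        Route(ipaddress.ip_network("192.168.0.0/16"), INTERNAL_GW, "ETH1"),
        Route(ipaddress.ip_network("10.0.0.0/8"), INTERNAL_GW, "ETH1"),
    ]
    if default_via_internal:
        # Forced-tunnel variant: everything not matched above goes to the internal side
        table.append(Route(ipaddress.ip_network("0.0.0.0/0"), INTERNAL_GW, "ETH1"))
    else:
        # What the thread observes: the default route points at the external interface
        table.append(Route(ipaddress.ip_network("0.0.0.0/0"), EXTERNAL_GW, "ETH0"))
    return table


def lookup(table: list[Route], dst: str) -> Route:
    """Longest-prefix match; 0.0.0.0/0 only wins when no static route covers dst."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def audit_egress(table: list[Route], flows):
    """Return (src, dst, interface) for VPN-pool sources whose packets leave on ETH0."""
    leaks = []
    for src, dst in flows:
        route = lookup(table, dst)
        if ipaddress.ip_address(src) in VPN_POOL and route.interface == "ETH0":
            leaks.append((src, dst, route.interface))
    return leaks


SAMPLE_FLOWS = [  # constructed: one pool client talking to three internal nets and one public host
    ("10.1.5.20", "172.16.40.9"),
    ("10.1.5.20", "192.168.7.7"),
    ("10.1.5.20", "10.2.3.4"),
    ("10.1.5.20", "198.51.100.25"),  # placeholder for a public address such as google.com
]

if __name__ == "__main__":
    for via_internal in (False, True):
        table = build_table(default_via_internal=via_internal)
        print(f"default route via {'ETH1' if via_internal else 'ETH0'}:")
        for src, dst in SAMPLE_FLOWS:
            print(f"  {src} -> {dst}: {lookup(table, dst).interface}")
        print("  pool traffic leaving ETH0:", audit_egress(table, SAMPLE_FLOWS))
```

With the default route on ETH0 the three RFC 1918 destinations match a static route and leave on ETH1, while the public address falls through to the default and leaves on ETH0, which is exactly the behaviour Chad reports; with the default route moved to ETH1 the audit list is empty.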