Manta
Premium Member
join:2003-11-04
UK

[HELP] PIX outside access to non-interface IP for VPN and SSH

I've put a PIX 515E (8.0.4-28) in front of a pre-existing UC540W as the latter topped out at about 30Mbps and they're lucky enough to have FTTC giving 75/15 Mbps and were upset that the small amount of web browsing and a single remote RDP session they do might be unduly slowed down. Yes, I know it shouldn't be something EOL but budget was the word of the day. :sigh: The problem I've got is that the ISP (BT Infinity) provide a /29 block of IPs but routed down a PPPoE connection with a dynamic IP address. So the external IP of the PIX is dynamic and hence massively irritating to try to pin down as an endpoint for the dial-in VPN as well as remote support by SSH. I'd solved this with the UC540W by just assigning an external IP to a loopback interface and everything worked nicely, but the PIX doesn't have loopbacks. I did try a static mapping of the fixed IP address to the internal IP address of the PIX but it just complains about spoofing. I've tried searching for an answer but it seems quite an ambiguous thing to search for. Can anyone point me in the right direction here? I've got three spare physical interfaces if that helps.

Currently I've had to map the ISAKMP and IPSEC through the PIX to the UC540 as a workaround but it's not ideal as apart from limiting the bandwidth again, it relies on the UC540 being alive to access the PIX for remote support.

Many thanks,

Gareth

tubbynet
reminds me of the danse russe
MVM
join:2008-01-16
Gilbert, AZ

not elegant -- but a host or vm running a ddns daemon would accomplish this nicely. no-ip offers 3 free hosts. establish an a-record and make all vpn clients point towards the ddns name.

q.
cramer
Premium Member
join:2007-04-10
Raleigh, NC
Westell 6100
Cisco PIX 501

to Manta
That's the only option. The PIX (and ASA for that matter) cannot terminate a tunnel to a "virtual" address. You could get a router to terminate pppoe on one interface and have the /29 on another interface. With no services in use (pure routing), an 1811, or better an 1841, would easily handle your traffic.

(Actually, 2851's have gotten fairly cheap. They have gig-e interfaces, and generate very little noise. And they can *route* several 100Mbps; NAT alone will drop it below 50Mbps.)
HELLFIRE
MVM
join:2009-11-25

to Manta
said by Manta:

the ISP (BT Infinity) provide a /29 block of IPs but routed down a PPPoE connection with a dynamic IP address. So the external IP of the PIX is dynamic and hence massively irritating to try to pin down as an endpoint for the dial-in VPN as well as remote support by SSH.

Config of the PIX, minus passwords / sensitive information, please...

Dumb question, but how often is the "dynamic" address changing on the PIX's outside interface? Is it even changing?

And as far as I know, even a dynamic IP address doesn't stop SSH connections to said IP address... and to my (albeit) limited knowledge, 2 VPN clients that can be configured to connect to an IP address with minimal fuss are Cisco's 5.x client and Shrewsoft's client.

In line with tubbynet's suggestion, PIX / ASA can be configured as a DDNS client itself -- see here for how.

My 00000010bits

Regards
Manta
Premium Member
join:2003-11-04
UK

Thanks guys. It actually helps to know that what I'm looking for isn't possible and hence I'm not going to find it by continuing to search.

tubbynet: I'd prefer not to involve DNS because the ISP in question is the kind that employ mystic diviners to discern the most inopportune time to change the IP address and the guy involved...well let's just say that he's previously phoned me to demand that I make his Blackberry work since it was inconvenient not being able to keep up with his email whilst in intensive care after having a heart attack!

cramer: Thanks, I'll have a look at those.

Hellfire: Part of the problem is that I have no way of telling if or how often it changes. I've made a note of the current IP and it's not changed since I posted. It could be less frequent or only on a reboot. Trying to get a maintenance window is difficult too as someone seems to be on site working till all hours despite their theoretical closing time of 17:00. When they're not on site working, someone will be working remotely - and it's usually the MD (see Blackberry comment above).
VPN client currently in use is Cisco's. The ISP aren't going to guarantee the interface IP to be fixed and I'm not keen to encourage [further] phone calls at 22:00 on a Saturday night if I can help it.
It looks like the PIX client is only RFC 2136 compliant and doesn't support the http method that most providers seem to use. Unless I'm being daft, I can't see any evidence that No-IP support it. I've tried the http method using IOS and never found it reliable either.

Is there any mileage in using two of the spare PIX interfaces to loopback? One to connect to the ISP's NTE (white box converting VDSL to Ethernet) acting as a PPPoE client and the other to output to another interface carrying the block of external IPs. Or would it just route internally...and would it matter?
eg.
Eth0: Outside PPPoE
Eth1: Perimeter-Outside 91.2.3.1/29
Eth2: Perimeter-Inside 91.2.3.2/29
Eth3: Inside 10.0.0.0/24

Many thanks and have a good Christmas.

Gareth
cramer
Premium Member
join:2007-04-10
Raleigh, NC

No. Networks cannot overlap. What you want to do cannot be done on a PIX. (people have tried for a decade, and I've yet to see it done.)

tubbynet
reminds me of the danse russe
MVM
join:2008-01-16
Gilbert, AZ

to Manta
said by Manta:

tubbynet: I'd prefer not to involve DNS because the ISP in question is the kind that employ mystic diviners to discern the most inopportune time to change the IP address and the guy involved...well let's just say that he's previously phoned me to demand that I make his Blackberry work since it was inconvenient not being able to keep up with his email whilst in intensive care after having a heart attack!

understood. however -- i will say that i've used a ddns client sitting on my windows 2k8 server (which also runs my internal dhcp, dns, cacti, etc) and i've never experienced a hiccup with it.
depending on the amount of compute behind the pix -- it's entirely possible to spin up a headless ubuntu server vm w/ 384mb of ram and freenx just to run the ddns update client (and provide a jumpbox as well).

just a thought.

q.
HELLFIRE
MVM
join:2009-11-25

to Manta
said by Manta:

I'd prefer not to involve DNS because the ISP in question is the kind that employ mystic diviners to discern the most inopportune time to change the IP address

said by Manta:

Part of the problem is that I have no way of telling if or how often it changes.

Then I'm kinda out of ideas on how to help you -- if not by DNS, then by IP is the only other way to do this, and vice versa. IIRC, I don't recall any PIX / ASA logging to determine if the IP address changes or not. You COULD store device syslogs off-device, and see if you notice a pattern, i.e. how often the public IP address changes. A simple

 deny any any log

should do this.
said by Manta:

Is there any mileage in using two of the spare PIX interfaces to loopback?

As cramer said, PIX / ASA doesn't support loopback addresses. Need an ISR to do that. But even if you get an ISR, you'd be back to the "connect via DNS or IP address" dilemma again.

Regards