Re: [fw-wiz] PIX 515 and Cisco VPN client from inside

From: Brian Recore (brecore_at_mindsync.net)
Date: 08/29/03


To: Marko Kupiainen <marko.kupiainen@microcraft.se>
Date: Fri, 29 Aug 2003 10:12:48 -0700

Marko Kupiainen wrote:

>Hi everyone
>
>Im new to the list and apologize if this question being asked before.
>I read through 2003 archives and couldnt find anything similar.
>
>Our company uses a PIX 515 with 3 legs, OUTSIDE, DMZ and INSIDE
>We have users doing VPN tunnels from their homes with Cisco VPN client 4 and
>terminating the tunnels at the PIX. This works great.
>But we cant create tunnels from INSIDE and terminating at other customers
>endpoints. The tunnels are easily created if we work outside our PIX.
>The PIX 515 do PAT for all INSIDE connections using outside interface IP.
>Is there any hooks when doing VPN over PAT with Cisco clients ?
>
>
>regards
>Marko Kupiainen
>CIO Microcraft AB
>
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards@honor.icsalabs.com
>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
>
>
In my experiences you don't want to NAT/PAT the VPN traffic. You do
this by using the command "nat 0" There is other commands with it that
I can't recall but the point is to NAT/PAT all traffic except the VPN
traffic.
I had to do this a couple of times in the past. It seems IPSec had
problems with the nat traffic.

Here is something from cisco
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b6e1a.shtml

access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
global (outside) 1 199.199.199.3-199.199.199.62 netmask 255.255.255.192
nat (inside) 0 access-list 101
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
  

This configuration will not translate those addresses with a source
address of 10.0.0.0/8 and a destination address of 192.168.1.0/24. It
will translate the source address from any traffic initiated from within
the 10.0.0.0/8 network and destined for anywhere other than
192.168.1.0/24 into an address from the range 199.199.199.3 -
199.199.199.62.

Hope this leads you in the right direction

Brian

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards