Re: [fw-wiz] PIX 515 and Cisco VPN client from inside

From: Brian Recore (brecore_at_mindsync.net)
Date: 08/29/03


To: Marko Kupiainen <marko.kupiainen@microcraft.se>
Date: Fri, 29 Aug 2003 10:12:48 -0700

Marko Kupiainen wrote:

>Hi everyone
>
>I'm new to the list and apologize if this question has been asked before.
>I read through the 2003 archives and couldn't find anything similar.
>
>Our company uses a PIX 515 with 3 legs, OUTSIDE, DMZ and INSIDE
>We have users doing VPN tunnels from their homes with Cisco VPN client 4 and
>terminating the tunnels at the PIX. This works great.
>But we can't create tunnels from INSIDE terminating at other customers'
>endpoints. The tunnels are easily created if we work outside our PIX.
>The PIX 515 does PAT for all INSIDE connections using the outside interface IP.
>Are there any hooks when doing VPN over PAT with Cisco clients?
>
>
>regards
>Marko Kupiainen
>CIO Microcraft AB
>
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards@honor.icsalabs.com
>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
In my experience you don't want to NAT/PAT the VPN traffic. You do
this by using the command "nat 0". There are other commands that go with it that
I can't recall, but the point is to NAT/PAT all traffic except the VPN
traffic.
I had to do this a couple of times in the past. It seems IPSec had
problems with the NAT traffic.

Here is something from Cisco:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b6e1a.shtml

access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
global (outside) 1 199.199.199.3-199.199.199.62 netmask 255.255.255.192
nat (inside) 0 access-list 101
nat (inside) 1 10.0.0.0 255.0.0.0 0 0

This configuration will not translate those addresses with a source
address of 10.0.0.0/8 and a destination address of 192.168.1.0/24. It
will translate the source address from any traffic initiated from within
the 10.0.0.0/8 network and destined for anywhere other than
192.168.1.0/24 into an address from the range 199.199.199.3 -
199.199.199.62.

Hope this leads you in the right direction

Brian
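An added illustration, not from Brian's mail or from Cisco's document: a small Python model of how the PIX evaluates the four quoted lines for an inside-to-outside flow. It assumes PIX semantics as described in the reply: access-list netmasks are real subnet masks (not IOS wildcard masks), and the "nat 0 access-list" exemption is checked before the ordinary nat/global translation.

```python
# Added example: model PIX "nat 0 access-list" exemption versus a nat/global
# pair, using the exact configuration lines quoted in the reply.
import ipaddress

# The four config lines from the reply, embedded as constructed input.
PIX_CONFIG = """
access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
global (outside) 1 199.199.199.3-199.199.199.62 netmask 255.255.255.192
nat (inside) 0 access-list 101
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
"""

def parse_config(text):
    """Parse the lines into (acls, exempt rules, translate rules, global pools)."""
    acls, exempt, translate, pools = {}, [], [], {}
    for line in text.strip().splitlines():
        f = line.split()
        if f[0] == "access-list" and f[2] == "permit":
            # PIX ACLs carry src net/mask and dst net/mask as real subnet masks.
            src = ipaddress.ip_network(f"{f[4]}/{f[5]}")
            dst = ipaddress.ip_network(f"{f[6]}/{f[7]}")
            acls.setdefault(f[1], []).append((src, dst))
        elif f[0] == "global":
            pools[int(f[2])] = f[3]                 # nat id -> address pool
        elif f[0] == "nat":
            nat_id = int(f[2])
            if nat_id == 0 and f[3] == "access-list":
                exempt.append(f[4])                 # ACL name for exemption
            else:
                translate.append((nat_id, ipaddress.ip_network(f"{f[3]}/{f[4]}")))
    return acls, exempt, translate, pools

def classify(src, dst, cfg):
    """Return 'exempt', 'pat:<pool>' or 'no-rule' for an inside->outside flow.
    Assumption (PIX behaviour): nat 0 exemption wins before any translation."""
    acls, exempt, translate, pools = cfg
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for acl_name in exempt:
        if any(src in s and dst in d for s, d in acls[acl_name]):
            return "exempt"                         # sent untranslated (VPN traffic)
    for nat_id, net in translate:
        if src in net:
            return f"pat:{pools[nat_id]}"           # translated into the global pool
    return "no-rule"

if __name__ == "__main__":
    cfg = parse_config(PIX_CONFIG)
    print(classify("10.1.2.3", "192.168.1.10", cfg))   # VPN-bound: exempt
    print(classify("10.1.2.3", "198.51.100.7", cfg))   # elsewhere: PAT to pool
```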
