Re: [fw-wiz] VPN NAT issue



The Cisco firewall by default permits all Crypto traffic 'terminating' on it
without needing any access-lists. This is done via the sysopt command:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1198155

You can disable it if you want, however this means all post-decrypted
traffic needs to be permitted.

Please note that VPN tunnels that are not terminated on the firewall but
still traverse it need to be allowed in the interface ACLs.

Regards

Farrukh Haroon
CCIE # 20184 (Security)




On Thu, Nov 27, 2008 at 10:41 AM, Lord Sporkton <lordsporkton@xxxxxxxxx> wrote:

I have to this date, never needed an ACL to allow in VPN traffic on
the outside interface. In the case of IPsec (I've not dealt with PPTP too
much) I don't even need an ACL rule to allow the ESP and UDP 500
traffic in.

I can post working configs if anyone would care to discuss with me why
an ACL is needed for VPN traffic.

Please note that I said outside interface; I do believe if you are
using an inside interface ACL that is a different story.

If you allow the VPN pool IPs in from the outside, how would the
firewall differentiate between VPN pool IPs and someone spoofing
private IPs on the WAN?


thank you
Lawrence


2008/11/26 Kevin Horvath <kevin.horvath@xxxxxxxxx>:

You will need a static NAT or NAT exemption. You are trying to access
from a low security interface to a higher one, so put a translation in
for the 173.16 net to the VPN pool either by static or nat0. For the
static it would be IN2 int to OUT, and for nat0 apply it to IN2 where
the rules stipulate the src from the IN2 net to the VPN local pool. Also
apply the ACL entries allowing this traffic to the outside ACL. Let me
know if you have any issues.

Kevin

On Wed, Nov 12, 2008 at 4:52 AM, Vladislav Antolik
<vladislav.antolik@xxxxxxxxx> wrote:

Hello,

I'm using Cisco PIX 515E with 8.0(3) image.
I have 3 networks.
IN 172.16.0.0/16
IN2 173.16.0.0/16
OUT 174.16.0.0/16.
VPN local pool is 10.0.0.0/28.
I'm using remote access VPN to reach IN servers without problems (I
used the howto from the Cisco PIX conf. guide).

I would like to reach IN2 servers too, but I don't know how to set up NAT
from the VPN pool to this network (IN2).
In this network (IN2) my VPN hosts (10.0.0.0/28) must be translated.

I tried
nat (OUT) 66 10.0.0.0 255.255.255.240
global (IN2) 66 173.16.0.5
but this doesn't work.

Is there any possibility to translate the VPN pool?

Many thanks
Vladislav
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards







--
-Lawrence
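Kevin's two options (nat 0 exemption on IN2, or a static from IN2 to OUT, plus entries on the outside ACL) and Farrukh's note on the sysopt default, written out in the pre-8.3 PIX/ASA syntax that matches the 8.0(3) image in the thread. This is an added example, not config posted by anyone in the thread: the interface names IN2 and OUT and the addresses come from the thread, while the ACL names IN2_nat0 and OUT, and the outside-NAT variant of the original poster's nat/global pair, are assumptions.

```cisco
! Added example (not from any poster). Pre-8.3 NAT syntax as on PIX 8.0(3).
! Interface names IN2 / OUT and prefixes are from the thread; ACL names are assumed.

! 1. Default behaviour Farrukh describes: traffic decrypted by the firewall itself
!    bypasses the OUT interface ACL. Leave this enabled unless you intend to
!    permit every post-decryption flow explicitly (step 4).
sysopt connection permit-vpn

! 2a. NAT exemption applied on IN2 (Kevin's nat0 option): IN2 hosts talking to
!     the VPN pool are not translated, so the tunnel sees real IN2 addresses.
access-list IN2_nat0 extended permit ip 173.16.0.0 255.255.0.0 10.0.0.0 255.255.255.240
nat (IN2) 0 access-list IN2_nat0

! 2b. Alternative (Kevin's static option): identity static, IN2 -> OUT, so the
!     IN2 net is reachable from the OUT side with its own addresses.
static (IN2,OUT) 173.16.0.0 173.16.0.0 netmask 255.255.0.0

! 2c. Assumed variant of the original poster's attempt: on pre-8.3 images a
!     dynamic translation from a lower- to a higher-security interface
!     ("outside NAT") needs the outside keyword, which the posted pair lacked.
!     Use 2a or 2b instead unless you really want the pool hidden behind 173.16.0.5.
nat (OUT) 66 10.0.0.0 255.255.255.240 outside
global (IN2) 66 173.16.0.5

! 3. Kevin's last point: the outside ACL must still allow the VPN pool to IN2
!    whenever decrypted traffic is subject to it (i.e. if step 1 is disabled).
access-list OUT extended permit ip 10.0.0.0 255.255.255.240 173.16.0.0 255.255.0.0
access-group OUT in interface OUT

! 4. Only if you deliberately disable the default from step 1:
! no sysopt connection permit-vpn
```

Pick exactly one of 2a, 2b or 2c for the IN2/pool pair; stacking them makes the translation order harder to reason about and to audit with show xlate.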

