PIX 501: NAT VPN Clients to Inside?

Ok. What I want to do seems quite simple, but whatever I do I just can't quite get the pieces to mesh. I have a PIX 501 that I'm trying to configure to provide VPN access to our local network for clients running the Cisco VPN Client 4.x.

Our network is separated into VLANs, but uses public IPs for most machines. I'll use fake numbers for my examples though. The Outside interface has a public IP of 172.46.32.100. This is connected to our DMZ VLAN. The "Inside" interface has a public IP of 172.46.24.100, which is connected to a separate VLAN.

What I want to do is have the VPN clients connect to the outside interface, get a private IP (from 192.168.2.0/24) and then be NAT'd (PAT) to the inside interface IP of 172.46.24.100. That way, the routing meshes with everything because all the VPN client traffic would appear to come from the interface IP of the PIX. In all the various permutations of configurations I've done, it ends up with the client computer connecting, getting a 192.168 address, and then it merely passes through the IP un-NAT'd (i.e., the servers on the local network see connections coming in from 192.168.2.x). I can make this work by adding static routes to direct traffic destined for 192.168.2.x to the PIX, but I'd rather have it just NAT everything to make things cleaner.
Aaron

Oh, and my intention is to do this with Split Tunneling so the clients don't lose access to their local networks.

Aaron

I have this working now, though I'm not sure why or how. :) I added a NAT exemption rule for our entire public IP space to the 192.168.2.x space and suddenly it started working. o_0 I added this through PDM so I'll look closer at the actual "sh run" output to see if I can fathom why that change made things work.

But now I have another question. I'd like to apply access restrictions to the VPN clients so I added a deny rule on the outside interface to block everything. But it seems that that isn't being applied to traffic from VPN clients. If I want to block traffic from the 192.168.2.x clients to everything on the 172.46.24.x network (and then open up the specific items I want them to have access to) how would I go about doing that?

Aaron

By default the firewall will likely have sysopt configured and as a result your VPNs will bypass the ACL feature check.

Secondly, you say that your NAT exemption rule is allowing all networks back to your VPN pool. If so you may want to think about restricting this using an ACL and NAT combo. Identify only the networks you want to allow in No-NAT back to your clients, anything not identified will be denied through the implicit 'deny any' at the end of the ACL.

Thirdly, I believe that you can apply access-list filters to the VPN client tunnel as well. Look at the ASDM remote access VPN options; you should spot how to do it, it's fairly intuitive.

Regards

Darren


Heh. "Intuitive" and "PIX" are two words I never use in the same sentence. I did, however, find the HUGE GLARING check option entitled "Bypass access check for all IPSec Traffic". Not sure how I missed it as the only way it could have been more obvious is if it had been on fire or something.

I'm still a little fuzzy on the NAT exemption rule. I understand what you're saying about restricting networks coming BACK to the VPN pool addresses (192.168.2.x), but what I'm not following is that it appears that I need to have that NAT "exemption" rule in place for the VPN clients to be NAT'd to those network hosts. This is counter-intuitive to me (see first sentence....:) ) as I would think that if a host was on the list to be exempted from NAT it would be...well, exempted. Unless Cisco uses some other wacky definition of "exempt".

Aaron

The bypass ACL check would normally be checked by default. If you don't have it you would need to allow additional ACL entries to permit the un-encrypted traffic in.

As for the NAT exemption, you simply need to create a no-nat access-list for the internal networks that you want to allow back to your VPN pool range. If you don't the traffic is natted and you won't receive it when you VPN in.

Regards

Darren

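The two points Darren makes across his replies (the NAT exemption that makes the pool reachable, and the sysopt bypass that makes the outside ACL ignore decrypted VPN traffic) are easier to see in a single PIX 6.3-style configuration than in PDM screenshots. The block below is an added illustration written for this page, not a config posted by Aaron or Darren. It uses the fake addresses from the thread (172.46.32.100 outside, 172.46.24.100 inside, pool 192.168.2.0/24); the object names (vpnpool, nonat, split, vpnusers, vpnset, dynmap, mymap, outside_in), the example server hosts 172.46.24.10 and 172.46.24.20, and the choice of 3DES/SHA are assumptions for illustration only.

```cisco
! Added example, not from the thread. PIX 6.3 syntax.
! Assumed names: vpnpool, nonat, split, vpnusers, vpnset, dynmap, mymap, outside_in.

! Address pool handed to Cisco VPN Client 4.x users
ip local pool vpnpool 192.168.2.1-192.168.2.254

! NAT exemption ("no-nat"). The identity translation for inside hosts talking
! to the pool is what lets the client->inside flow through the PIX without a
! static and without the inside hosts being translated on the way back.
! This is the rule Aaron added through PDM that made things start working.
! Keep it narrow: only the networks the clients are allowed to reach.
access-list nonat permit ip 172.46.24.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Split tunnel: only the inside VLAN is pushed to the client as "secured";
! everything else stays on the client's local network.
access-list split permit ip 172.46.24.0 255.255.255.0 192.168.2.0 255.255.255.0

vpngroup vpnusers address-pool vpnpool
vpngroup vpnusers split-tunnel split
vpngroup vpnusers idle-time 1800
vpngroup vpnusers password <group-pre-shared-key>

! Per-user authentication (xauth) against the local user database, so the
! group pre-shared key alone is not enough to get a tunnel.
username vpnuser password <user-password> privilege 2

! IKE / IPsec for the remote-access clients
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside

! WEAK (the PDM "Bypass access check for all IPSec traffic" checkbox):
! decrypted client traffic skips the outside ACL entirely, which is why a
! "deny everything" rule on outside never saw the VPN clients.
!   sysopt connection permit-ipsec

! HARDENED: turn the bypass off, then permit only what the pool needs.
! Decrypted traffic is now evaluated against the outside interface ACL.
no sysopt connection permit-ipsec
access-list outside_in permit tcp 192.168.2.0 255.255.255.0 host 172.46.24.10 eq 3389
access-list outside_in permit tcp 192.168.2.0 255.255.255.0 host 172.46.24.20 eq 445
! Explicit deny for the rest of the inside VLAN (the implicit deny would do
! the same; an explicit entry is easier to spot in "show access-list" hit counts).
access-list outside_in deny ip 192.168.2.0 255.255.255.0 172.46.24.0 255.255.255.0
access-group outside_in in interface outside
```

Two things to check after applying something like this. First, once `sysopt connection permit-ipsec` is removed, the outside ACL governs every inbound flow from the DMZ VLAN, not just the VPN clients, so any existing permits for other inbound traffic must stay in `outside_in` or they will be dropped by the implicit deny. Second, `show access-list outside_in` hit counters are the quickest way to confirm that VPN client traffic is actually being evaluated by the ACL after the change; if the permit and deny counters never move while a client is connected, the bypass is still in effect. Note that the original goal, PAT'ing the pool to the inside interface address, is a separate feature (outside NAT, `nat (outside) ... outside` with a matching `global (inside)`) that the thread never got to; verify support on the running PIX version before relying on it.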

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.