[c-nsp] Internet Access, VPN Client+PIX

Mike Sawicki fifi at HAX.ORG
Tue Sep 14 16:49:40 EDT 2004


I've recently set up a PIX 525 to act as a server for users with VPN
Client 4.x.  Authentication works, connections work, and I am able
to successfully hit anything connected directly into the PIX with no
issues.  Now, I want to be able to allow my vpn-ed users to connect
out into my network and access services not protected by this PIX
(including the Internet, if necessary).  The PIX is complaining
about 'no xlate' whenever someone tries to contact a foreign IP..
which is fine, yet I am having trouble determining just what kind of
xlate rule I need to create.  Here's a log snip:

106011: Deny inbound (No xlate) tcp src outside:192.168.66.3/1183
dst outside:x.x.x.x/80

192.168.66.3 is the pool address the client is assigned when they
connect, and x.x.x.x is a foreign IP somewhere else on my network.
The PIX has a default route installed, so it does look like it's
trying to send it through the 'outside' interface.. but the VPN is
also connected via 'outside'.  This must be why outside: is showing
up in both the src and dst of the xlate.  As far as I know there
is no way to set up an xlate on the same interface.. and, since the
VPN pool doesn't actually exist as an "interface", normal static
conventions won't work.

I have tried setting up NONAT lists to allow the 192.168.66.x addrs to
route natively through my network, but the PIX doesn't like that.  I'd even
be willing to hide everything foreign behind a global (which I've tried
doing, also to no avail).

Any suggestions on how I can pull this off?  Thanks.

-- 
Mike Sawicki (fifi at HAX.ORG)
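The log line quoted in the post is the one thing in it that can be checked mechanically. As an added example (not from the post or from Cisco), the Python below parses PIX message 106011 "No xlate" denials and flags the pattern described above: the source address is a VPN pool address and the source and destination interface names are the same, so the packet was trying to leave through the interface the tunnel terminates on. The sample lines are constructed; 203.0.113.10 stands in for the x.x.x.x in the post, and the pool 192.168.66.0/24 is assumed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of PIX message 106011 as it appears in the post:
#   106011: Deny inbound (No xlate) tcp src outside:192.168.66.3/1183 dst outside:x.x.x.x/80
LOG_RE = re.compile(
    r"^106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)$"
)

@dataclass
class NoXlateDeny:
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int

    def is_hairpin(self) -> bool:
        # Same interface on both sides: the packet wants to leave the way it came in.
        return self.src_if == self.dst_if

def parse_106011(line: str) -> Optional[NoXlateDeny]:
    """Parse one syslog line; return None for anything that is not a 106011 message."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return NoXlateDeny(d["proto"], d["src_if"], d["src_ip"], int(d["src_port"]),
                       d["dst_if"], d["dst_ip"], int(d["dst_port"]))

def vpn_hairpin_denials(lines: List[str], vpn_pool: str) -> List[NoXlateDeny]:
    """Return 106011 denials whose source is in the VPN pool and whose
    source and destination interface are the same (the case in the post)."""
    pool = ipaddress.ip_network(vpn_pool)
    return [ev for ev in map(parse_106011, lines)
            if ev and ev.is_hairpin() and ipaddress.ip_address(ev.src_ip) in pool]

# Constructed sample lines (not real device output); 203.0.113.10 stands in for x.x.x.x.
SAMPLE_LOG = [
    "106011: Deny inbound (No xlate) tcp src outside:192.168.66.3/1183 dst outside:203.0.113.10/80",
    "106011: Deny inbound (No xlate) udp src outside:192.168.66.7/5000 dst inside:10.1.1.5/53",
    "106011: Deny inbound (No xlate) tcp src outside:198.51.100.9/40000 dst outside:203.0.113.10/443",
    "302013: Built outbound TCP connection 12 for outside:203.0.113.10/80 (203.0.113.10/80)",
]

if __name__ == "__main__":
    for ev in vpn_hairpin_denials(SAMPLE_LOG, "192.168.66.0/24"):
        print(f"VPN client {ev.src_ip} -> {ev.dst_ip}:{ev.dst_port} denied: hairpin on '{ev.src_if}'")
```

Only the first sample line is reported: the second leaves via a different interface and the third is not a pool address.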

