[c-nsp] Internet Access, VPN Client+PIX
Peter Walker
peter at grole.org
Tue Sep 14 17:12:28 EDT 2004

Funnily enough I think I happened on a config example of how to do this on
cisco.com
I don't recall the exact URL but you should be able to find it by going to
	Tech support ->
		Product support ->
			.... PIX 500 series ->
				<your version>
					-> samples and tips
or something very similar on www.cisco.com.
From my recollection you basically can't do this with a single outside
ethernet as the PIX won't allow this.  You can do this with two external
ethernets (on the same perimeter LAN) though.
I will have a look and see if I can find the URL later this evening if I 
get a chance.
Regards
	Peter Walker
--On 14 September 2004 16:49 -0400 Mike Sawicki <fifi at hax.org> wrote:
> I've recently set up a PIX 525 to act as a server for users with VPN
> Client 4.x.  Authentication works, connections work, and I am able
> to successfully hit anything connected directly into the PIX with no
> issues.  Now, I want to be able to allow my vpn-ed users to connect
> out into my network and access services not protected by this PIX
> (including the Internet, if necessary).  The PIX is complaining
> about 'no xlate' whenever someone tries to contact a foreign IP..
> which is fine, yet I am having trouble determining just what kind of
> xlate rule I need to create.  Here's a log snip:
>
> 106011: Deny inbound (No xlate) tcp src outside:192.168.66.3/1183
> dst outside:x.x.x.x/80
>
> 192.168.66.3 is the pool address the client is assigned when they
> connect, and x.x.x.x is a foreign IP somewhere else on my network.
> The PIX has a default route installed, so it does look like it's
> trying to send it through the 'outside' interface.. but the VPN is
> also connected via 'outside'.  This must be why outside: is showing
> up in both the src and dst of the xlate.  As far as I know there
> is no way to set up an xlate on the same interface.. and, since the
> VPN pool doesn't actually exist as an "interface", normal static
> conventions won't work.
>
> I have tried setting up NONAT lists to allow the 192.168.66.x addrs to
> route natively through my network, but the PIX doesn't like that.  I'd
> even be willing to hide everything foreign behind a global (which I've
> tried doing, also to no avail).
>
> Any suggestions on how I can pull this off?  Thanks.
>
> --
> Mike Sawicki (fifi at HAX.ORG)
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
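The log line Mike quotes (PIX message 106011, "Deny inbound (No xlate)") is the symptom of the same-interface case the thread is about: the source and destination are both "outside" because the VPN client's pool address arrives on the same interface its traffic wants to leave through. The following is an added example, not code from the thread or from Cisco: a small parser that pulls the interface, address and port fields out of 106011 messages and flags the ones where the source sits in the VPN pool and both interfaces match, so an administrator reviewing syslog can separate this expected hairpin case from other No-xlate denies. The pool network 192.168.66.0/24 and the sample log lines are constructed for the example (the thread only gives 192.168.66.3 and "192.168.66.x"); the optional "%PIX-<severity>-" prefix is accepted because the archived post shows the message without it.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Message 106011 as quoted in the post, with an optional %PIX-<sev>- prefix.
NO_XLATE_RE = re.compile(
    r"(?:%PIX-\d-)?106011:\s+Deny inbound \(No xlate\)\s+"
    r"(?P<proto>\w+)\s+src\s+(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)\s+"
    r"dst\s+(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

# Constructed assumption: the VPN client pool is 192.168.66.0/24.
VPN_POOL = ipaddress.ip_network("192.168.66.0/24")

# Constructed sample syslog lines (addresses other than 192.168.66.3 are invented).
SAMPLE_LOG = [
    "106011: Deny inbound (No xlate) tcp src outside:192.168.66.3/1183 dst outside:10.20.30.40/80",
    "%PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.66.7/53201 dst outside:198.51.100.10/53",
    "%PIX-3-106011: Deny inbound (No xlate) tcp src outside:203.0.113.7/4455 dst inside:10.1.1.5/25",
    "%PIX-6-302013: Built outbound TCP connection 12 for outside:203.0.113.9/443",  # unrelated, ignored
]


@dataclass
class NoXlateDeny:
    """One parsed 106011 event."""
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int

    @property
    def same_interface(self) -> bool:
        # True when the packet would have to leave through the interface it arrived on.
        return self.src_if == self.dst_if


def parse_no_xlate(line: str) -> Optional[NoXlateDeny]:
    """Return a NoXlateDeny for a 106011 line, or None for any other message."""
    m = NO_XLATE_RE.search(line)
    if not m:
        return None
    return NoXlateDeny(
        proto=m.group("proto"),
        src_if=m.group("src_if"),
        src_ip=m.group("src_ip"),
        src_port=int(m.group("src_port")),
        dst_if=m.group("dst_if"),
        dst_ip=m.group("dst_ip"),
        dst_port=int(m.group("dst_port")),
    )


def classify(event: NoXlateDeny, vpn_pool: ipaddress.IPv4Network) -> str:
    """Label a deny: VPN pool source hairpinning on one interface, other same-interface, or other."""
    src_in_pool = ipaddress.ip_address(event.src_ip) in vpn_pool
    if event.same_interface and src_in_pool:
        return "vpn-hairpin"
    if event.same_interface:
        return "same-interface"
    return "other"


def summarize(lines: Iterable[str], vpn_pool: ipaddress.IPv4Network) -> Dict[str, int]:
    """Count 106011 denies per class; non-106011 lines are skipped."""
    counts: Dict[str, int] = {}
    for line in lines:
        event = parse_no_xlate(line)
        if event is None:
            continue
        label = classify(event, vpn_pool)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ev = parse_no_xlate(line)
        if ev is not None:
            print(f"{classify(ev, VPN_POOL):15} {ev.src_if}:{ev.src_ip} -> {ev.dst_if}:{ev.dst_ip}/{ev.dst_port}")
    print(summarize(SAMPLE_LOG, VPN_POOL))
```

Run against a real syslog feed, a steady stream of "vpn-hairpin" entries confirms the traffic is being dropped for the reason the thread describes rather than a misconfigured static or access list, which is the first thing to establish before changing NAT or interface layout.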