[c-nsp] Internet Access, VPN Client+PIX

Church, Chuck cchurch at netcogov.com
Wed Sep 15 10:35:17 EDT 2004


I think the fundamental design of the Pix is to not allow packets out on
the same interface they've come from.  Have you looked at split
tunneling, where you define an access list and the Pix hands it to the
VPN clients?  The VPN clients then will only put packets on the VPN
tunnel that are destined for your protected networks.  There are minor
security implications, but overall it's a decent tradeoff.


Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com  <-note new address!
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D

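The split-tunnel setup Chuck describes, written out as a PIX 6.x configuration fragment. This is an added example, not configuration from either poster: the interface name "inside", the protected network 10.0.0.0/8, the pool name, the group name and the access-list names are assumptions; the pool range matches the 192.168.66.x client address in the original log line.

```cisco
! Added example: split tunneling for Cisco VPN Client 4.x on PIX 6.x.
! Names and addresses are assumed for illustration.

! Address pool handed to VPN clients (192.168.66.3 in the log came from a pool like this)
ip local pool vpnpool 192.168.66.1-192.168.66.254

! Traffic between the protected network and the VPN pool must not be NATted
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.66.0 255.255.255.0
nat (inside) 0 access-list nonat

! Split-tunnel list: only destinations matched here go into the tunnel.
! Everything else (other parts of the network, the Internet) leaves the
! client directly, so the PIX never sees it and never needs an outside-to-outside xlate.
access-list split-tunnel permit ip 10.0.0.0 255.0.0.0 192.168.66.0 255.255.255.0

! Tie the pool and the split-tunnel list to the VPN group the clients connect with
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers split-tunnel split-tunnel
vpngroup remoteusers idle-time 1800
```

On the client side, Statistics > Route Details in VPN Client 4.x shows which networks are being tunneled and confirms the list was pushed. The security implication Chuck mentions is that a split-tunneled host sits on the untrusted local network and on the protected network at the same time, so anything that compromises it can be relayed into the tunnel; if that is not acceptable, the alternative is to keep the clients fully tunneled and let them reach the rest of the network and the Internet from the inside, through another path, rather than back out the PIX's outside interface.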

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Sawicki
Sent: Tuesday, September 14, 2004 4:50 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Internet Access, VPN Client+PIX

I've recently set up a PIX 525 to act as a server for users with VPN
Client 4.x.  Authentication works, connections work, and I am able
to successfully hit anything connected directly into the PIX with no
issues.  Now, I want to be able to allow my vpn-ed users to connect
out into my network and access services not protected by this PIX
(including the Internet, if necessary).  The PIX is complaining
about 'no xlate' whenever someone tries to contact a foreign IP,
which is fine, yet I am having trouble determining just what kind of
xlate rule I need to create.  Here's a log snip:

106011: Deny inbound (No xlate) tcp src outside:192.168.66.3/1183
dst outside:x.x.x.x/80

192.168.66.3 is the pool address the client is assigned when they
connect, and x.x.x.x is a foreign IP somewhere else on my network.
The PIX has a default route installed, so it does look like it's
trying to send it through the 'outside' interface, but the VPN is
also connected via 'outside'.  This must be why outside: is showing
up in both the src and dst of the xlate.  As far as I know there
is no way to set up an xlate on the same interface, and, since the
VPN pool doesn't actually exist as an "interface", normal static
conventions won't work.

I have tried setting up NONAT lists to allow the 192.168.66.x addrs to
route natively through my network, but the PIX doesn't like that.  I'd
even be willing to hide everything foreign behind a global (which I've
tried doing, also to no avail).

Any suggestions on how I can pull this off?  Thanks.

-- 
Mike Sawicki (fifi at HAX.ORG)
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/