[c-nsp] OT: PIX 5 zone w/ VPN Client

Tim Devries tdevries at northrock.bm
Wed Jul 5 12:57:56 EDT 2006


Hi,

I have configured a 5 zone ASA/PIX firewall.  Everything in the
configuration is working fine.  Recently I have tried to configure a
remote Client VPN (software) terminating on the firewall.  Rather than
terminate the connection so that my remote users are on the 'inside'
interface (as per most of the documentation on the subject), I have
created a separate pool of IPs in a different network, and have added a
nat statement (on the outside) for that network as well as a global
interface PAT to the other 4 interfaces.

I can connect fine, and authenticate the user no problem.  However, when
I try to access any resources in the other zones I am unable to do so.
I've been searching Cisco's site for a document that might explain how
to do this configuration with 5 interfaces but so far have not had much
luck.  I also don't see much in the log; one statement I do see is that
it is unable to create a translation for the VPN network when I attempt
to access resources in another zone, which strikes me as strange as I
have used the nat and global statements, and AFAIK I don't need statics
to make this work.

Anyone have any ideas or sample configs for this sort of thing?

Thanks,

Tim Devries
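The setup described in the post, written out as an added illustrative PIX 6.3-style (pre-8.3 nat/global syntax) fragment; it is not the poster's configuration and not a Cisco document. Interface names, the pool address range, the group name and the "outside" keyword on the nat line are all assumptions.

```text
! Added illustrative fragment, not the poster's config. Assumes five interfaces
! named outside (lowest security), dmz1, dmz2, dmz3 and inside (highest).
! Pool for remote VPN clients on a network that lives on no firewall interface
ip local pool VPNPOOL 192.168.250.1-192.168.250.254

! Remote-access group hands out that pool (PIX 6.x vpngroup syntax)
vpngroup REMOTEUSERS address-pool VPNPOOL

! Let decrypted IPsec traffic bypass the interface access-lists
sysopt connection permit-ipsec

! Translate the pool when its traffic enters on the outside interface.
! The trailing "outside" keyword turns on outside NAT (lower- to higher-security
! direction). Assumption worth checking: without it the PIX has no rule under
! which to build a translation for a session arriving on outside, which is
! consistent with a "unable to create translation" log message.
nat (outside) 1 192.168.250.0 255.255.255.0 outside

! Interface PAT into each of the other four zones, all tied to nat id 1
global (inside) 1 interface
global (dmz1) 1 interface
global (dmz2) 1 interface
global (dmz3) 1 interface

! Verification after a client connects and opens a session into a zone:
! "show xlate" should list an entry for the client's pool address;
! an empty xlate table points back at the nat/global pairing above.
```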