[c-nsp] OT: PIX 5 zone w/ VPN Client

Daniel Lacey daniel_p_lacey at yahoo.com
Fri Jul 7 12:35:34 EDT 2006


Tim,

I have not been able to get this to work on my 3 interface PIX either...
I would love some sample configs... I have been all over the Cisco docs 
to get this far...
The Cisco sample configs are good, but firewall configs are not as 
cookie cutter as a router.
When you want to add some functionality, the config can change radically...
Maybe that is just my experience.

I have VPN connections NATed to the "inside", I can access other 
interfaces, but cannot surf the Internet like the non-VPN inside hosts.
This was done with:

access-list mgmt_in extended permit ip any any
access-list no-nat-inside extended permit ip any 10.166.65.240 255.255.255.240
ip local pool vpnpool 10.166.65.241-10.166.65.254 mask 255.255.255.240
nat (inside) 0 access-list no-nat-inside
access-group mgmt_in in interface inside
tunnel-group vpngroup general-attributes
 address-pool vpnpool

Or, I can set it up so that I VPN to the firewall, surf the Internet, 
but cannot access any other interface....
Got this from the Cisco "PIX ASA 7.x and VPN Client for Public Internet 
VPN on a Stick Configuration Example.pdf" config example.
same-security-traffic permit intra-interface   <--- Need this to VPN into outside interface AND go back out...

Tim Devries wrote:

> Hi,
>
> I have configured a 5 zone ASA/Pix firewall.  Everything in the
> configuration is working fine.  Recently I have tried to configure a
> remote Client VPN (software) terminating on the firewall.  Rather than
> terminate the connection so that my remote users are on the 'inside'
> interface (as per most of the documentation on the subject), I have
> created a separate pool of IPs in a different network, and have added a
> nat statement (on the outside) for that network as well as a global
> interface pat to the other 4 interfaces.
>
> I can connect fine, and authenticate the user no problem.  However, when
> I try and access any resources in the other zones I am unable to do so.
> I've been searching Cisco's site for a document that might explain how
> to do this configuration with 5 interfaces but so far have not had much
> luck.  I also don't see much in the log, one statement I do see is that
> it is unable to create a translation for the vpn network when I attempt
> to access resources in another zone, which strikes me as strange as I
> have used the nat and global statements, and AFAIK I don't need statics
> to make this work.
>
> Anyone have any ideas or sample configs for this sort of thing?
>
> Thanks,
>
> Tim Devries
>
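The thread turns on two settings: a `nat (<interface>) 0 access-list` exemption that covers the VPN pool on each interface the clients must reach, and `same-security-traffic permit intra-interface` for the hairpin back out the outside interface. As an added illustration that is not code from either poster, the Python below parses the fragment Daniel posted and reports which of those pieces are missing for a given list of internal interfaces. The `dmz` interface name, the `no-nat-dmz` ACL and the 192.0.2.0/24 subnet in the "fixed" sample are constructed assumptions for the demonstration; the parser only understands the `permit ip` / `nat 0` / `ip local pool` forms that appear in the post.

```python
"""Check a PIX/ASA 7.x config fragment for the VPN-client pieces discussed in the thread."""
import ipaddress
import re

# Constructed sample: the lines from the post, unchanged.  No second internal
# interface has an exemption, so the checker has something to report.
SAMPLE_CONFIG = """\
access-list mgmt_in extended permit ip any any
access-list no-nat-inside extended permit ip any 10.166.65.240 255.255.255.240
ip local pool vpnpool 10.166.65.241-10.166.65.254 mask 255.255.255.240
nat (inside) 0 access-list no-nat-inside
access-group mgmt_in in interface inside
tunnel-group vpngroup general-attributes
 address-pool vpnpool
"""

# Constructed "fixed" sample: a hypothetical dmz interface (192.0.2.0/24 is a
# documentation range) gets its own exemption, and hairpinning is permitted.
FIXED_CONFIG = SAMPLE_CONFIG + """\
access-list no-nat-dmz extended permit ip 192.0.2.0 255.255.255.0 10.166.65.240 255.255.255.240
nat (dmz) 0 access-list no-nat-dmz
same-security-traffic permit intra-interface
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")


def _take_operand(tokens, i):
    """Consume one ACL address operand at tokens[i]: 'any', 'host A' or 'A MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config, name):
    """Return [(src_net, dst_net)] for the 'extended permit ip' lines of ACL `name`."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:5] != ["access-list", name, "extended", "permit", "ip"]:
            continue
        src, i = _take_operand(tokens, 5)
        dst, _ = _take_operand(tokens, i)
        entries.append((src, dst))
    return entries


def parse_pools(config):
    """Map pool name -> the network the pool's addresses and mask fall in."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m:
            name, start, _end, mask = m.groups()
            pools[name] = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    return pools


def parse_nat_exemptions(config):
    """Map interface name -> ACL name for every 'nat (if) 0 access-list ACL' line."""
    return {m.group(1): m.group(2) for m in map(NAT0_RE.match, config.splitlines()) if m}


def intra_interface_permitted(config):
    """True if 'same-security-traffic permit intra-interface' is configured."""
    return any(line.strip() == "same-security-traffic permit intra-interface"
               for line in config.splitlines())


def check_vpn_exemptions(config, pool_name, internal_interfaces):
    """Per interface: True if its nat 0 ACL has an entry whose src or dst covers the whole pool."""
    pool = parse_pools(config)[pool_name]
    exemptions = parse_nat_exemptions(config)
    result = {}
    for iface in internal_interfaces:
        acl = exemptions.get(iface)
        entries = parse_acl(config, acl) if acl else []
        result[iface] = any(pool.subnet_of(src) or pool.subnet_of(dst) for src, dst in entries)
    return result


def missing_pieces(config, pool_name, internal_interfaces):
    """List the settings the thread identifies as required that this config lacks."""
    missing = [f"nat ({iface}) 0 exemption covering pool {pool_name}"
               for iface, ok in check_vpn_exemptions(config, pool_name, internal_interfaces).items()
               if not ok]
    if not intra_interface_permitted(config):
        missing.append("same-security-traffic permit intra-interface (hairpin back out the outside)")
    return missing


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, missing_pieces(cfg, "vpnpool", ["inside", "dmz"]) or "nothing missing")
```

Tim's log message about being unable to create a translation is the symptom this check targets: an interface with no exemption (or nat/global pair) that covers the pool has no translation to build. Adding an ACL line for each additional `permit` form (tcp/udp, object-groups) is straightforward if a real config needs it.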

