[c-nsp] OT: PIX 5 zone w/ VPN Client

Tim Devries tdevries at northrock.bm
Mon Jul 10 07:52:09 EDT 2006


I couldn't get the nat/pat to work with the VPN pool, the ASA just did
not like the config.  Eventually I just set it up without nat (i.e.
no-nat) though on a separate network from any of the interfaces, and
everything works fine.  

With regards to your inability to surf the net when connected, I would
check to make sure you have split tunneling enabled.

i.e.

access-list NGIvpn_splitTunnelAcl standard permit any
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NGIvpn_splitTunnelAcl

Thanks,

Tim

-----Original Message-----
From: Daniel Lacey [mailto:daniel_p_lacey at yahoo.com] 
Sent: Friday, July 07, 2006 1:36 PM
To: Tim Devries
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] OT: PIX 5 zone w/ VPN Client

Tim,

I have not been able to get this to work on my 3 interface PIX either...
I would love some sample configs... I have been all over the Cisco docs 
to get this far...
The Cisco sample configs are good, but firewall configs are not as 
cookie cutter as a router.
When you want to add some functionality, the config. can change
radically...
Maybe that is just my experience.
 
I have VPN connections NATed to the "inside", I can access other 
interfaces, but cannot surf the Internet like the non-VPN inside hosts.
This was done with:

access-list mgmt_in extended permit ip any any
access-list no-nat-inside extended permit ip any 10.166.65.240 255.255.255.240
ip local pool vpnpool 10.166.65.241-10.166.65.254 mask 255.255.255.240
nat (inside) 0 access-list no-nat-inside
access-group mgmt_in in interface inside
tunnel-group vpngroup general-attributes
 address-pool vpnpool
 
Or, I can set it up so that I VPN to the firewall, surf the Internet, 
but cannot access any other interface....
Got this from the Cisco "PIX ASA 7.x and VPN Client for Public Internet 
VPN on a Stick Configuration Example.pdf" config example.
same-security-traffic permit intra-interface   <--- Need this to VPN 
into outside interface AND go back out...

Tim Devries wrote:

>Hi,
>
> 
>
>I have configured a 5 zone ASA/Pix firewall.  Everything in the
>configuration is working fine.  Recently I have tried to configure a
>remote Client VPN (software) terminating on the firewall.  Rather than
>terminate the connection so that my remote users are on the 'inside'
>interface (as per most of the documentation on the subject), I have
>created a separate pool of IP's in a different network, and have added a
>nat statement (on the outside) for that network as well as a global
>interface pat to the other 4 interfaces.
>
> 
>
>I can connect fine, and authenticate the user no problem.  However, when
>I try and access any resources in the other zones I am unable to do so.
>I've been searching Cisco's site for a document that might explain how
>to do this configuration with 5 interfaces but so far have not had much
>luck.  I also don't see much in the log, one statement I do see is that
>it is unable to create a translation for the vpn network when I attempt
>to access resources in another zone, which strikes me as strange as I
>have used the nat and global statements, and AFAIK I don't need statics
>to make this work.
>
> 
>
>Anyone have any ideas or sample configs for this sort of thing?
>
> 
>
>Thanks,
>
> 
>
>Tim Devries
>
> 
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>  
>
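Added example, not from the thread and not Cisco's code: a small Python audit that reads the config fragments Tim and Daniel posted, combined here into one constructed text, and checks the three things the thread turns on: whether the address pool is covered by the nat 0 exemption (the "unable to create a translation" symptom), what the split-tunnel policy actually pushes to the client, and whether intra-interface hairpinning is enabled. The function names, the group-policy wrapper line and the combined arrangement are assumptions. One caveat it makes explicit: a standard network list that permits any under tunnelspecified tunnels everything, so the client can only reach the Internet back through the outside interface, which is the VPN-on-a-stick case and needs the same-security-traffic line.

```python
"""Audit the pieces of an ASA/PIX 7.x remote-access VPN config discussed in
the thread: the address pool, the nat 0 exemption that has to cover it,
the split-tunnel policy, and the intra-interface hairpin line."""
import ipaddress
import re

# Constructed sample: the fragments posted in the thread, stitched together.
# The identifiers are the posted ones; the group-policy wrapper is assumed.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
access-list mgmt_in extended permit ip any any
access-list no-nat-inside extended permit ip any 10.166.65.240 255.255.255.240
access-list NGIvpn_splitTunnelAcl standard permit any
ip local pool vpnpool 10.166.65.241-10.166.65.254 mask 255.255.255.240
nat (inside) 0 access-list no-nat-inside
access-group mgmt_in in interface inside
group-policy NGIvpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NGIvpn_splitTunnelAcl
tunnel-group vpngroup general-attributes
 address-pool vpnpool
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", re.M)
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)", re.M)


def _take_addr(tokens):
    """Consume one ASA address spec (any | host A | NET MASK) as a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_pools(config):
    """Return {pool_name: network containing the whole address range}."""
    pools = {}
    for name, start, end, mask in POOL_RE.findall(config):
        net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
        if ipaddress.ip_address(end) not in net:
            raise ValueError(f"pool {name}: range crosses its own mask")
        pools[name] = net
    return pools


def parse_extended_acl(config, name):
    """Return [(src_net, dst_net)] for the named ACL's 'permit ip' lines."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:5] == ["access-list", name, "extended", "permit", "ip"]:
            rest = tokens[5:]
            entries.append((_take_addr(rest), _take_addr(rest)))
    return entries


def nat_exempt_networks(config):
    """Return [(iface, src_net, dst_net)] for every 'nat (iface) 0' ACL line."""
    result = []
    for iface, acl in NAT0_RE.findall(config):
        for src, dst in parse_extended_acl(config, acl):
            result.append((iface, src, dst))
    return result


def pool_covered_by_nat_exemption(config, pool_name):
    """True if the pool sits inside a destination of some nat 0 ACL entry;
    otherwise inside hosts need a nat/global pair to talk to the clients."""
    pool = parse_pools(config)[pool_name]
    return any(pool.subnet_of(dst) for _i, _s, dst in nat_exempt_networks(config))


def split_tunnel(config):
    """Return (policy, network_list_name); both None when nothing is set."""
    m = re.search(r"^\s*split-tunnel-policy (\S+)", config, re.M)
    if not m:
        return None, None
    acl = re.search(r"^\s*split-tunnel-network-list value (\S+)", config, re.M)
    return m.group(1), (acl.group(1) if acl else None)


def tunnels_everything(config):
    """True if all client traffic ends up in the tunnel. A standard list that
    permits 'any' under tunnelspecified is equivalent to tunnelall."""
    policy, acl = split_tunnel(config)
    if policy is None or policy == "tunnelall":
        return True
    if policy == "excludespecified" or acl is None:
        return False
    pat = re.compile(rf"^access-list {re.escape(acl)} standard permit (\S+)", re.M)
    return any(tok == "any" for tok in pat.findall(config))


def hairpin_allowed(config):
    """True when traffic may enter and leave the same interface."""
    return re.search(r"^same-security-traffic permit intra-interface", config, re.M) is not None


def client_internet_path(config):
    """How a connected client reaches the Internet, if at all."""
    if not tunnels_everything(config):
        return "direct (split tunnel)"
    if hairpin_allowed(config):
        return "hairpin via outside interface (VPN on a stick)"
    return "none"


def audit(config, pool_name="vpnpool"):
    return {
        "pool": str(parse_pools(config)[pool_name]),
        "pool_nat_exempt": pool_covered_by_nat_exemption(config, pool_name),
        "split_tunnel": split_tunnel(config),
        "tunnels_everything": tunnels_everything(config),
        "hairpin_allowed": hairpin_allowed(config),
        "client_internet_path": client_internet_path(config),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Removing the same-security-traffic line from the sample flips client_internet_path to "none", and replacing the "permit any" in the split-tunnel list with a specific inside network flips it to "direct (split tunnel)"; removing the nat 0 line reports the pool as not exempt, which is the translation failure Tim saw in his log.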


