[c-nsp] OT: PIX 5 zone w/ VPN Client

Tim Devries tdevries at northrock.bm
Mon Jul 10 20:37:30 EDT 2006


I can get it to NAT to the outside over the VPN client fine, but the ASA doesn't like it when I try to use interface PAT to other zones over the VPN - it gives me a translation failed message even though I have the nat and global statements.

Regards,
Tim


-----Original Message-----
From: Timothy Arnold [mailto:tim at timothyarnold.co.uk] 
Sent: Monday, July 10, 2006 7:14 PM
To: Tim Devries
Cc: Daniel Lacey; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] OT: PIX 5 zone w/ VPN Client

Hi,

I have a Cisco PIX with a number of virtual networks (single physical 
inside interface) and can access all of these, and the internet at the 
same time. I have only set this up without nat.

(presuming internal networks are 10.0.0.x and 10.0.1.x)

ip local pool vpn 10.0.20.1-10.0.20.25 netmask 255.255.255.0

nat (vlan1) 0 access-list no-nat
nat (vlan2) 0 access-list no-nat

access-list no-nat permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.20.0 255.255.255.0


I don't use split tunnel so in order to get out to the net, I use

nat (outside) 1 10.0.20.0 255.255.255.0

This means that I appear from whatever the global entry is (in this case 1)

HTH

Tim


On Mon, 10 Jul 2006, Tim Devries wrote:

> I couldn't get the nat/pat to work with the VPN pool, the ASA just did
> not like the config.  Eventually I just set it up without nat (i.e.
> no-nat) though on a separate network from any of the interfaces, and
> everything works fine.
>
> With regards to your inability to surf the net when connected, I would
> check to make sure you have split tunneling enabled.
>
> i.e.
>
> access-list NGIvpn_splitTunnelAcl standard permit any
> split-tunnel-policy tunnelspecified
> split-tunnel-network-list value NGIvpn_splitTunnelAcl
>
> Thanks,
>
> Tim
>
> -----Original Message-----
> From: Daniel Lacey [mailto:daniel_p_lacey at yahoo.com]
> Sent: Friday, July 07, 2006 1:36 PM
> To: Tim Devries
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] OT: PIX 5 zone w/ VPN Client
>
> Tim,
>
> I have not been able to get this to work on my 3 interface PIX either...
> I would love some sample configs... I have been all over the Cisco docs
> to get this far...
> The Cisco sample configs are good, but firewall configs are not as
> cookie cutter as a router.
> When you want to add some functionality, the config. can change
> radically...
> Maybe that is just my experience.
>
> I have VPN connections NATed to the "inside", I can access other
> interfaces, but cannot surf the Internet like the non-VPN inside hosts.
> This was done with:
>
> access-list mgmt_in extended permit ip any any
> access-list no-nat-inside extended permit ip any 10.166.65.240 255.255.255.240
> ip local pool vpnpool 10.166.65.241-10.166.65.254 mask 255.255.255.240
> nat (inside) 0 access-list no-nat-inside
> access-group mgmt_in in interface inside
> tunnel-group vpngroup general-attributes
> address-pool vpnpool
>
> Or, I can set it up so that I VPN to the firewall, surf the Internet,
> but cannot access any other interface....
> Got this from the Cisco "PIX ASA 7.x and VPN Client for Public Internet
> VPN on a Stick Configuration Example.pdf" config example.
> same-security-traffic permit intra-interface   <--- Need this to VPN
> into outside interface AND go back out...
>
> Tim Devries wrote:
>
>> Hi,
>>
>>
>>
>> I have configured a 5 zone ASA/Pix firewall.  Everything in the
>> configuration is working fine.  Recently I have tried to configure a
>> remote Client VPN (software) terminating on the firewall.  Rather than
>> terminate the connection so that my remote users are on the 'inside'
>> interface (as per most of the documentation on the subject), I have
>> created a separate pool of IP's in a different network, and have added a
>> nat statement (on the outside) for that network as well as a global
>> interface pat to the other 4 interfaces.
>>
>>
>>
>> I can connect fine, and authenticate the user no problem.  However, when
>> I try and access any resources in the other zones I am unable to do so.
>> I've been searching Cisco's site for a document that might explain how
>> to do this configuration with 5 interfaces but so far have not had much
>> luck.  I also don't see much in the log, one statement I do see is that
>> it is unable to create a translation for the vpn network when I attempt
>> to access resources in another zone, which strikes me as strange as I
>> have used the nat and global statements, and AFAIK I don't need statics
>> to make this work.
>>
>>
>>
>> Anyone have any ideas or sample configs for this sort of thing?
>>
>>
>>
>> Thanks,
>>
>>
>>
>> Tim Devries
>>
>>
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
>>
>
>
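The recurring problem in this thread is a VPN pool that sits on no interface and is exempted from NAT for some zones but not others. As an added example (not from any poster in the thread, and not Cisco's own tooling), the script below reads PIX/ASA-style `ip local pool`, `nat (<if>) 0 access-list` and `access-list ... permit ip` lines and reports, for each zone, whether the no-nat ACL bound to that zone's interface covers the pool. The model is deliberately narrow and is an assumption of this example: only NAT exemption is checked (NAT exemption on PIX/ASA is bidirectional, so one entry covers both directions), the interface-to-subnet mapping is supplied by hand, and statics, dynamic `nat`/`global` pairs, object-groups and `same-security-traffic` are not modelled. The sample config is constructed from Timothy Arnold's example above with a third zone (vlan3) that was never added to the ACL.

```python
"""Added example: which internal zones can a VPN client pool reach under a
PIX/ASA NAT-exemption (nat 0 access-list) setup?  Not from the thread."""
import ipaddress

# Constructed sample config, based on the no-nat example in the thread plus a
# zone (vlan3) that was bound to the ACL but never given an entry in it.
SAMPLE_CONFIG = """
ip local pool vpn 10.0.20.1-10.0.20.25 netmask 255.255.255.0
nat (vlan1) 0 access-list no-nat
nat (vlan2) 0 access-list no-nat
nat (vlan3) 0 access-list no-nat
access-list no-nat permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.20.0 255.255.255.0
nat (outside) 1 10.0.20.0 255.255.255.0
"""

# Hypothetical interface -> connected subnet mapping (the PIX config alone does
# not carry this in the lines we parse, so it is supplied by hand).
ZONES = {
    "vlan1": "10.0.0.0/24",
    "vlan2": "10.0.1.0/24",
    "vlan3": "10.0.2.0/24",
}


def _net(tokens, i):
    """Consume one ACL address spec at tokens[i]: 'any' or 'ADDR MASK'.
    Returns (network, index of the next unconsumed token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Extract the pool range, per-interface exemption ACLs and ACL entries."""
    cfg = {"pool": None, "exempt": {}, "acls": {}}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["ip", "local", "pool"]:
            # 'ip local pool NAME FIRST-LAST netmask|mask MASK'
            first, last = t[4].split("-")
            cfg["pool"] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            # 'nat (IF) 0 access-list ACL' binds a NAT-exemption ACL to IF
            cfg["exempt"][t[1].strip("()")] = t[4]
        elif t[0] == "access-list":
            name, rest = t[1], t[2:]
            if rest and rest[0] == "extended":
                rest = rest[1:]
            if rest[:2] != ["permit", "ip"]:
                continue  # standard ACLs (split tunnel), deny lines, other protocols
            src, i = _net(rest, 2)
            dst, _ = _net(rest, i)
            cfg["acls"].setdefault(name, []).append((src, dst))
    return cfg


def vpn_reachable_zones(config_text, zones):
    """Return {interface: (reachable, reason)}.  A zone is reachable when the
    ACL bound to its interface has a permit entry whose source covers the zone
    subnet and whose destination covers the whole VPN pool range."""
    cfg = parse_config(config_text)
    if cfg["pool"] is None:
        raise ValueError("no 'ip local pool' line in config")
    first, last = cfg["pool"]
    result = {}
    for iface, subnet in zones.items():
        zone_net = ipaddress.ip_network(subnet)
        acl = cfg["exempt"].get(iface)
        if acl is None:
            result[iface] = (False, f"no 'nat ({iface}) 0 access-list' line")
            continue
        for src, dst in cfg["acls"].get(acl, []):
            if zone_net.subnet_of(src) and first in dst and last in dst:
                result[iface] = (True, f"exempt via access-list {acl} ({src} -> {dst})")
                break
        else:
            result[iface] = (False, f"access-list {acl} has no entry covering {zone_net} <-> pool")
    return result


if __name__ == "__main__":
    for iface, (ok, why) in vpn_reachable_zones(SAMPLE_CONFIG, ZONES).items():
        print(f"{iface:6} {'reachable' if ok else 'BLOCKED  '} {why}")
```

Run against the sample, vlan1 and vlan2 come back reachable and vlan3 is flagged because the ACL never mentions its subnet; Daniel Lacey's `permit ip any <pool>` style entry is accepted too, since `any` covers every zone subnet. A zone reported as blocked here is where a "unable to create translation" log line for the pool would be expected under this model.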
