From: Aaron on
Ok. What I want to do seems quite simple, but whatever I just can't
quite get the pieces to mesh. I have a pix 501 that I'm trying to
configure to provide VPN access to our local network for clients
running the Cisco VPN client 4.x.

Our network is separated into VLANs, but uses public IPs for most
machines. I'll use fake numbers for my examples though. The Outside
interface has a public IP of 172.46.32.100. This is connected to our
DMZ VLAN. The "Inside" interface has a public IP of 172.46.24.100,
which is connected to a separate VLAN.

What I want to do is have the VPN clients connect to the outside
interface, get a private IP (from 192.168.2.0/24) and then be NAT'd
(PAT) to the inside interface IP of 172.46.24.100. That way, the
routing meshes with everything because all the VPN client traffic
would appear to come from the interface IP of the pix. In all the
various permutations of configurations I've done, it ends up with the
client computer connecting, getting a 192.168 address, and then it
merely passes through the IP un-NAT'd (i.e., the servers on the local
network see connections coming in from 192.168.2.x). I can make this
work by adding static routes to direct traffic destined for
192.168.2.x to the PIX, but I'd rather have it just NAT everything to
make things cleaner.
From: Aaron on
On Apr 24, 11:23 am, Aaron <Aaron.Sm...(a)kzoo.edu> wrote:
> Ok. What I want to do seems quite simple, but whatever I just can't
> quite get the pieces to mesh. I have a pix 501 that I'm trying to
> configure to provide VPN access to our local network for clients
> running the Cisco VPN client 4.x.
>
> Our network is separated into VLANs, but uses public IPs for most
> machines. I'll use fake numbers for my examples though. The Outside
> interface has a public IP of 172.46.32.100. This is connected to our
> DMZ VLAN. The "Inside" interface has a public IP of 172.46.24.100,
> which is connected to a separate VLAN.
>
> What I want to do is have the VPN clients connect to the outside
> interface, get a private IP (from 192.168.2.0/24) and then be NAT'd
> (PAT) to the inside interface IP of 172.46.24.100. That way, the
> routing meshes with everything because all the VPN client traffic
> would appear to come from the interface IP of the pix. In all the
> various permutations of configurations I've done, it ends up with the
> client computer connecting, getting a 192.168 address, and then it
> merely passes through the IP un-NAT'd (i.e., the servers on the local
> network see connections coming in from 192.168.2.x). I can make this
> work by adding static routes to direct traffic destined for
> 192.168.2.x to the PIX, but I'd rather have it just NAT everything to
> make things cleaner.

Oh, and my intention is to do this with Split Tunneling so the clients
don't lose access to their local networks.
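The setup described in the two posts above (Cisco VPN Client 4.x users landing on the outside interface, drawing from 192.168.2.0/24, PATed to the inside interface address, with split tunneling), written out as an added example in PIX 6.3 syntax; it is not configuration from the thread. The addresses are the poster's fake ones; the pool, group, ACL, transform-set and crypto-map names, the DNS server 172.46.24.10 and the pre-shared-key placeholder are assumptions. It relies on the outside-NAT feature (`nat (outside) ... outside` plus a `global` on the inside interface) that PIX 6.2 introduced:

```cisco
! Added example, not from the thread. PIX 6.3 syntax; names are assumptions.
! Address pool handed to the VPN Client users
ip local pool vpnpool 192.168.2.1-192.168.2.254

! Outside NAT: PAT the VPN pool to the inside interface address
! (172.46.24.100) as traffic enters the inside VLAN. Servers then see the
! PIX address and need no static route back to 192.168.2.0/24.
nat (outside) 1 192.168.2.0 255.255.255.0 outside
global (inside) 1 interface

! Split tunnel: only the inside VLAN is sent through the tunnel. The client
! matches its destinations against the source side of this ACL.
access-list split_tun permit ip 172.46.24.0 255.255.255.0 192.168.2.0 255.255.255.0

! Phase 1 (ISAKMP) policy for the client group; NAT-T for clients behind
! home routers
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20

! Phase 2 transform set and a dynamic crypto map for roaming clients
crypto ipsec transform-set strong_ts esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong_ts
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
! Per-user XAUTH against the local database on top of the group key
crypto map clientmap client authentication LOCAL
crypto map clientmap interface outside

! Group name and pre-shared key the VPN Client profile uses
vpngroup vpnusers address-pool vpnpool
vpngroup vpnusers dns-server 172.46.24.10
vpngroup vpnusers split-tunnel split_tun
vpngroup vpnusers idle-time 1800
vpngroup vpnusers password GROUP-PRESHARED-KEY-PLACEHOLDER

! XAUTH user (placeholder password); one entry per person, not a shared login
username vpnuser1 password USER-PASSWORD-PLACEHOLDER privilege 0
```

Once a client is connected, `show xlate` should list a translation from the 192.168.2.x address to 172.46.24.100, and `show crypto ipsec sa` the client's security association. One trade-off of the PAT approach: server logs on the inside VLAN record only the PIX address for every VPN user, so tying a connection back to a person has to be done from the PIX side (syslog of the ISAKMP/XAUTH login and the xlate table) rather than from the servers.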
From: Aaron on
On Apr 24, 11:23 am, Aaron <Aaron.Sm...(a)kzoo.edu> wrote:
> Ok. What I want to do seems quite simple, but whatever I just can't
> quite get the pieces to mesh. I have a pix 501 that I'm trying to
> configure to provide VPN access to our local network for clients
> running the Cisco VPN client 4.x.
>
> Our network is separated into VLANs, but uses public IPs for most
> machines. I'll use fake numbers for my examples though. The Outside
> interface has a public IP of 172.46.32.100. This is connected to our
> DMZ VLAN. The "Inside" interface has a public IP of 172.46.24.100,
> which is connected to a separate VLAN.
>
> What I want to do is have the VPN clients connect to the outside
> interface, get a private IP (from 192.168.2.0/24) and then be NAT'd
> (PAT) to the inside interface IP of 172.46.24.100. That way, the
> routing meshes with everything because all the VPN client traffic
> would appear to come from the interface IP of the pix. In all the
> various permutations of configurations I've done, it ends up with the
> client computer connecting, getting a 192.168 address, and then it
> merely passes through the IP un-NAT'd (i.e., the servers on the local
> network see connections coming in from 192.168.2.x). I can make this
> work by adding static routes to direct traffic destined for
> 192.168.2.x to the PIX, but I'd rather have it just NAT everything to
> make things cleaner.

I have this working now, though I'm not sure why or how. :) I added
a NAT exemption rule for our entire public IP space to the 192.168.2.x
space and suddenly it started working. o_0 I added this through PDM
so I'll look closer at the actual "sh run" output to see if I can
fathom why that change made things work.

But now I have another question. I'd like to apply access
restrictions to the VPN clients so I added a deny rule on the outside
interface to block everything. But it seems that that isn't being
applied to traffic from VPN clients. If I want to block traffic from
the 192.168.2.x clients to everything on the 172.46.24.x network (and
then open up the specific items I want them to have access to) how
would I go about doing that?
From: Darren on
Aaron wrote:
> On Apr 24, 11:23 am, Aaron <Aaron.Sm...(a)kzoo.edu> wrote:
>> Ok. What I want to do seems quite simple, but whatever I just can't
>> quite get the pieces to mesh. I have a pix 501 that I'm trying to
>> configure to provide VPN access to our local network for clients
>> running the Cisco VPN client 4.x.
>>
>> Our network is separated into VLANs, but uses public IPs for most
>> machines. I'll use fake numbers for my examples though. The Outside
>> interface has a public IP of 172.46.32.100. This is connected to our
>> DMZ VLAN. The "Inside" interface has a public IP of 172.46.24.100,
>> which is connected to a separate VLAN.
>>
>> What I want to do is have the VPN clients connect to the outside
>> interface, get a private IP (from 192.168.2.0/24) and then be NAT'd
>> (PAT) to the inside interface IP of 172.46.24.100. That way, the
>> routing meshes with everything because all the VPN client traffic
>> would appear to come from the interface IP of the pix. In all the
>> various permutations of configurations I've done, it ends up with the
>> client computer connecting, getting a 192.168 address, and then it
>> merely passes through the IP un-NAT'd (i.e., the servers on the local
>> network see connections coming in from 192.168.2.x). I can make this
>> work by adding static routes to direct traffic destined for
>> 192.168.2.x to the PIX, but I'd rather have it just NAT everything to
>> make things cleaner.
>
> I have this working now, though I'm not sure why or how. :) I added
> a NAT exemption rule for our entire public IP space to the 192.168.2.x
> space and suddenly it started working. o_0 I added this through PDM
> so I'll look closer at the actual "sh run" output to see if I can
> fathom why that change made things work.
>
> But now I have another question. I'd like to apply access
> restrictions to the VPN clients so I added a deny rule on the outside
> interface to block everything. But it seems that that isn't being
> applied to traffic from VPN clients. If I want to block traffic from
> the 192.168.2.x clients to everything on the 172.46.24.x network (and
> then open up the specific items I want them to have access to) how
> would I go about doing that?

By default the firewall will likely have sysopt configured and as a
result your VPNs will bypass the ACL feature check.

Secondly, you say that your NAT exemption rule is allowing all networks
back to your VPN pool. If so you may want to think about restricting
this using an ACL and NAT combo. Identify only the networks you want to
allow in No-NAT back to your clients, anything not identified will be
denied through the implicit 'deny any' at the end of the ACL.

Thirdly, I believe that you can apply access-list filters to the VPN
client tunnel as well. Look at the ASDM remote access VPN options; you
should spot how to do it, it's fairly intuitive.

Regards

Darren
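The three points in the reply above, written out as an added example in PIX 6.3 syntax (the PIX 501 is managed with PDM, as the earlier post says); it is not configuration from the thread. It keeps the NAT-exemption approach the poster got working, narrows it to the inside VLAN, turns off the sysopt bypass so decrypted client traffic is checked by the outside interface ACL, and then permits only named services. The ACL names and the two server addresses 172.46.24.50 and 172.46.24.60 are placeholders:

```cisco
! Added example, not from the thread. PIX 6.3 syntax; ACL names and server
! addresses are placeholders.

! 1. Stop decrypted IPsec traffic from bypassing the interface ACL.
!    This also subjects any site-to-site tunnels on this box to the ACL.
no sysopt connection permit-ipsec

! 2. NAT exemption only for the inside VLAN talking to the VPN pool.
!    Any other network has no no-NAT path back to the clients, so it is
!    dropped by the implicit deny at the end of this ACL.
access-list nonat permit ip 172.46.24.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! 3. Filter the clients on the outside interface: allow the specific
!    services, then deny (and log) everything else toward the inside VLAN.
access-list outside_in permit tcp 192.168.2.0 255.255.255.0 host 172.46.24.50 eq 443
access-list outside_in permit tcp 192.168.2.0 255.255.255.0 host 172.46.24.60 eq 3389
access-list outside_in deny ip 192.168.2.0 255.255.255.0 172.46.24.0 255.255.255.0 log
! ...existing entries for ordinary Internet-facing traffic continue here...
access-group outside_in in interface outside
```

After applying this, reconnect a client and try one permitted and one blocked service; `show access-list outside_in` should show the hit counts moving on the matching lines, and the `log` keyword sends a syslog message for each denied attempt, which is the evidence that the ACL is now seeing VPN traffic at all. If the client can no longer build the tunnel after `no sysopt connection permit-ipsec`, check with `debug crypto isakmp` whether IKE is still reaching the outside interface before adjusting the ACL.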