
Cisco Client<---->Pix1<------>Pix2---- how?

Status
Not open for further replies.

sfrank8734

IS-IT--Management
Jan 10, 2003
In my environment, we're connected to an ASP via an ipsec tunnel. I have remote clients that aren't allowed to go to the ASP directly:

Client<----->Pix1<-------------->Pix2<----ASP.

How can I pull this off? I know there are issues with going out the same interface on Pix1 (my clients come into the Pix1 on the same interface Pix2 does). EasyVPN for the ASP is not an option (unsupported).

I have additional interfaces on Pix1--could I somehow use that for my regular clients so I can pass through? 515UR with 4 interfaces is my config.

thanks in advance!

Steve
 
HI.

I don't fully understand.

The remote clients should or should not have access to the ASP.

If they need the access, you can either:
* Let them VPN directly to pix2.
* Use a proxy server, terminal server or similar solution behind pix1, and let remote clients use it as a relay for accessing the ASP site.
* Terminate remote client VPN on a different VPN server, not at the pix. For example by purchasing an additional Cisco 3005 VPN server. This can be expensive but gives you better management and control of VPN, off-loads the pix.
* Using additional interface at pix1 might be possible but this is a complex solution, and I would try other options before.

Bye
Yizhar Hurwitz
 
>The remote clients should or should not have access to the ASP.

They should. Sorry that wasn't clear

>If they need the access, you can either:
>* Let them VPN directly to pix2.

Not an option, the ASP will not support this config.

>* Use a proxy server, terminal server or similar solution behind pix1, and let remote clients use it as a relay for accessing the ASP site.

Using application level proxy servers (HTTP and SOCKS) has been my solution thus far, but we're venturing into applications that are not SOCKS capable (easily). Terminal services are problematic--zero budget available for this.

>* Terminate remote client VPN on a different VPN server, not at the pix. For example by purchasing an additional Cisco 3005 VPN server. This can be expensive but gives you better management and control of VPN, off-loads the pix.

Sorry, zero budget. I'm talking about the support of 5-8 clients maximum anyhow. My 515 has zero load problems.

>* Using additional interface at pix1 might be possible but this is a complex solution, and I would try other options before.

All the options you presented thus far I have investigated, that's why I'm unfortunately at this option and exploring it.

Thanks!

 
HI.

Another option that you can try is a NAT device (W2K RRAS server/Linux/Cisco) on the pix1 LAN that will act as a proxy but at the network layer, so this might be a no-budget solution.
Or maybe even a basic router without NAT at the pix1 LAN, that will be configured as gateway (for the VPN client) to access the ASP.
I never did try such implementations, but you can..

Here is how to do it with 2 pix interfaces:

> Sorry, zero budget.
Don't take this definitely.
If you need the budget to let people work in a stable network, it can be found.

Bye
Yizhar Hurwitz
 
Thanks for the info, it's complicated, possibly doable. I need to digest it. Thanks again Yizhar!

 
If you have a PIX 515 on your end, and one of the interfaces is not being used, you can do it!

The problem is that the PIX will not intelligently route traffic, and the traffic from your VPN client that is destined for the ASP would have to be redirected out the same interface that it came in. Unfortunately, the PIX is not friendly with this, and CISCO suggests you use a VPN concentrator... No need.

If you have a free interface, and a free IP address in your public range of PIX1, you can assign the free interface another valid IP address in the range and point it to the default gateway as well. Cisco PIX doesn't permit two interfaces on the same network, so you can fool with the subnet mask to trick the IOS.

Conceptually, it will look like this...
___________
| |
Network a ----- PIX 1 ----(default GW)------PIX 2-ASP

Now, here is the trick. Make one of the interfaces, usually outside, the destination interface for the VPN clients. Now, use the IP address that you assigned to the other interface to create your VPN tunnel to the ASP. It should be straightforward; all you will need to ask them to do is to change the IP address that they have in their config for the partner PIX.

I hope this helps, if you need more details, please let me know. I have implemented this in a multi-national 10 location setup and it works great.

Jcanuk
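As an added illustration (my own Python check, not code from this thread and not a PIX configuration), this carves the public block the way Jcanuk describes: each PIX1 interface gets an address from the same range under a longer mask so the two interface subnets don't overlap, and the check reports which of them actually contains the ISP gateway. All addresses are constructed RFC 5737 documentation addresses.

```python
import ipaddress

# Constructed example addresses (RFC 5737 documentation range), not the
# poster's real network.
PUBLIC_BLOCK = "203.0.113.8/29"      # the /29 handed out by the ISP
DEFAULT_GW = "203.0.113.9"           # ISP router, next hop toward PIX2

def carve(block, outside_ip, second_ip, mask_bits):
    """Give each PIX1 interface an address from the same public block but
    under a longer mask, so the two interface subnets do not overlap (the
    PIX refuses two interfaces on the same network).  Returns the two
    resulting subnets, or raises ValueError if the split is invalid."""
    net = ipaddress.ip_network(block)
    if mask_bits <= net.prefixlen:
        raise ValueError("mask must be longer than the block's own mask")
    a = ipaddress.ip_interface(f"{outside_ip}/{mask_bits}")
    b = ipaddress.ip_interface(f"{second_ip}/{mask_bits}")
    for iface in (a, b):
        if iface.ip not in net:
            raise ValueError(f"{iface.ip} is outside {net}")
        if iface.ip in (iface.network.network_address,
                        iface.network.broadcast_address):
            raise ValueError(f"{iface.ip} is the network or broadcast "
                             f"address of {iface.network}")
    if a.network.overlaps(b.network):
        raise ValueError(f"{a.network} and {b.network} overlap")
    return a.network, b.network

def gateway_on_link(subnet, gateway):
    """True if the next hop lies inside the interface subnet, i.e. the PIX
    can ARP for it directly out of that interface."""
    return ipaddress.ip_address(gateway) in subnet

def plan(block=PUBLIC_BLOCK, outside_ip="203.0.113.10",
         second_ip="203.0.113.13", gateway=DEFAULT_GW, mask_bits=30):
    """Lay out 'outside' (VPN-client side) and the spare interface
    (site-to-site tunnel to PIX2) and report the gateway reachability."""
    out_net, sec_net = carve(block, outside_ip, second_ip, mask_bits)
    return {
        "outside": str(out_net),
        "second": str(sec_net),
        "gw_on_outside": gateway_on_link(out_net, gateway),
        "gw_on_second": gateway_on_link(sec_net, gateway),
    }

if __name__ == "__main__":
    print(plan())
```

Only one of the two carved subnets can contain the single ISP gateway, so the other interface cannot ARP for it directly; that is the part of the trick the thread does not spell out and needs to be confirmed on the box before relying on it.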
 
This is what I was being led to believe by some others. Can you give me a quick illustration of what you mean by "fool with the subnet mask to trick the OS"? I've already got a pretty small network subnet down for my external interface net, but I have a few IPs available with which I could do this. I definitely have open interfaces.

Thanks!
 