Cisco VPN Client and NAT

[Silene]

Hi

Can anyone tell me whether what I am trying to do is possible. At the moment we have remote users authenticating into the PIX firewall with VPN client 3.5, where they are allocated a 192.168.0 address from the VPN pool. We now would like them to also have access to a sister site which means going outside the pix into a lesser security area and across a VPN over the internet.
I have set up NAT for the relevant addresses so that it
will give them a routeable address, but nothing seems to happen. If you do a show xlate while attempting to get out again there is no activity.
It has occurred to me that what I am trying to do is not actually possible, ie you can't NAT the psuedo IP address from the VPN pool. Any ideas, or can I do this some other way?
Thanks

 

[sunyasee]

I think you'll need a VPN concentrator to do this as you can't route back out the same interface you have the VPN tunnel terminating on. ----

Sunyasee B-)

 

[yizhar]

HI.

The pix will not allow any traffic from outside to go back outside, including VPN tunnels.

As synyasee wrote, a VPN concentrator or any other VPN server which is not the pix itself can do this.
Some other options are Terminal Server or Proxy on your inside network.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[jcanuk]

Yizhar, Synyasee,

What if Silene used the split-tunneling feature of the VPN client? At least on client 3.6.3, this will allow you to define an encryption domain for your "tunneled traffic" and the rest is sent unencrypted to your default gateway. At least that is my understanding. Does anyone want to clarify this?

Also, if you have successfully used split-tunneling, please let me know, I am in the middle of unsuccsessfully trying to configure it on a pix 515E with 6.2 from a 3.6.3 client.

Regards,
JCanuk