
FTP through a VPN (is the client inside or outside from the PIX's viewpoint?)

Status
Not open for further replies.

HUANGDI (Technical User, US)
Dec 30, 2002
Built the VPN: remote Cisco 3.6.3 client, terminated on the PIX 520. It works great with the split-tunnel. I am having a problem giving the remote client the ability to FTP. First of all, the VPN tunnel gives him access to the inside network. I want him to have the ability to FTP to a web server in the DMZ (10.1.10.5).

The ip local pool is 192.168.100.20-25.
The inside range is 192.168.10.1-30.

I am having a problem with the relationship of where the packet is coming from, in the sense of whether the VPN ip local pool address is outside or inside in relation to the DMZ, considering the nat 0 for the VPN.

I have come a long way on this implementation adventure and it's been a hoot, but this is the final part and I want to finish it correctly. Speaking PIX is a real treat.

Any thoughts or comments would be appreciated.

Thanks,
BB
 
Hi.

From the PIX point of view, VPN clients are coming from the outside interface, so for all translation rules it is like other inbound (low to high security level) connections.

You need to use either the static mapping (use the external ip address mapped to the web server) or use "nat (dmz) 0 access-list ...".
For the first option (ftp client connects to web server external ip) to work, you will probably need to modify the split-tunnel access-list to include that registered ip.

Bye
Yizhar Hurwitz
 
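As an added illustration of the second option described in the reply above (not configuration from the thread or its participants), a PIX 6.x style fragment that exempts only the DMZ web server from NAT towards the VPN pool and adds that host to the split-tunnel list. The addresses 10.1.10.5, 192.168.100.20-25 and 192.168.10.1-30 come from the thread; the names VPN_POOL, NONAT_DMZ, OUTSIDE_IN, SPLIT_TUNNEL and remoteusers, the /28 and /27 masks, and the outside ACL are assumptions.

```cisco
! Assumed names (hypothetical): VPN_POOL, NONAT_DMZ, OUTSIDE_IN, SPLIT_TUNNEL, remoteusers
! Pool handed to the Cisco VPN client (addresses from the thread)
ip local pool VPN_POOL 192.168.100.20-192.168.100.25

! From the PIX's viewpoint the client sits behind the outside interface, so
! DMZ -> pool is an inbound (low to high) flow: it must be statically mapped
! or exempted from NAT. Exempt just the one web server, not the whole DMZ.
! 192.168.100.16/28 (assumed) is the smallest block containing .20-.25.
access-list NONAT_DMZ permit ip host 10.1.10.5 192.168.100.16 255.255.255.240
nat (dmz) 0 access-list NONAT_DMZ

! Without "sysopt connection permit-ipsec", decrypted client traffic is still
! filtered by the outside interface ACL. Permit only the FTP control channel
! from the pool to the web server; the default "fixup protocol ftp 21"
! inspection opens the data channels. (Assumed hardening, not from the thread.)
access-list OUTSIDE_IN permit tcp 192.168.100.16 255.255.255.240 host 10.1.10.5 eq ftp
access-group OUTSIDE_IN in interface outside

! Split-tunnel: the client only encrypts traffic for the destinations listed
! here (local network as source, pool as destination). If the DMZ host is not
! listed, FTP leaves the client in the clear via its ISP and never reaches
! the PIX. The inside /27 mask (192.168.10.0-31) is assumed.
access-list SPLIT_TUNNEL permit ip 192.168.10.0 255.255.255.224 192.168.100.16 255.255.255.240
access-list SPLIT_TUNNEL permit ip host 10.1.10.5 192.168.100.16 255.255.255.240
vpngroup remoteusers address-pool VPN_POOL
vpngroup remoteusers split-tunnel SPLIT_TUNNEL
```

After applying this, "show xlate" should show no translation for 10.1.10.5 towards the pool, and a failed FTP attempt from the client will appear in the PIX syslog as a deny on the outside ACL rather than as a silent drop.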