Outbound VPN & NAT


br0ck

MIS
Apr 25, 2002
OK, I have two other posts that refer to this project, and it's getting clearer, but there are still some bugs.

OK, I understand I need static or global addresses to create an outbound VPN tunnel
(PAT will not work).
I have 3 available public IPs if needed.

“This will not work with PAT, but can work with NAT if you have enough addresses, or you'll need to map STATIC addresses to each vpn client.”

Now I have a Citrix server on which the VPN client is installed.
This server also has a static statement to put it on the Internet.
This should cover the above (if not, please advise).

static (inside,outside) CitrixServer Citrix_LAN netmask 255.255.255.255 0 0

in my access lists i have:
access-list 100 permit tcp any host CitrixServer eq citrix-ica
access-list 100 permit udp any host CitrixServer eq 1604
access-list 100 permit icmp any any
access-list 100 permit udp host CitrixServer eq isakmp any eq isakmp
access-list 100 permit esp host CitrixServer any
access-group 100 in interface outside

Now, do I need the isakmp and esp access-lists with the IP of the VPN GW or of my client?

Please, please, please help.
Brock D. Mowry
Hardware Specialist
 
The following lines allow the VPN L2TP and PPTP tunnel connections to come back through your firewall (client side).

access-list 100 permit udp host vpnserverip host clientoutsideip eq 1701
access-list 100 permit gre host vpnserverip host clientoutsideip

Of course you could replace either IP with "any" which will allow 1 client to connect to any vpn server, any client to connect to one VPN server, or any client to connect to any VPN server.

Setting "clientoutsideip" to the outside address of your Citrix server ("CitrixServer" in your example above) should allow any client logged on to the Citrix server to connect to the specified VPN server (or any).

This is all you should need in conjunction with the global command and static mappings.
 
Hi.

The following commands have the wrong syntax:
access-list 100 permit udp host CitrixServer eq isakmp any eq isakmp
access-list 100 permit esp host CitrixServer any

It should be like this:
access-list 100 permit udp any host CitrixServer eq isakmp
access-list 100 permit esp any host CitrixServer
access-group 100 in interface outside

(Instead of "any", you can use "host x.x.x.x" to define the ip address of the remote VPN server).

What kind of VPN is it (Cisco, CheckPoint, MS, IPSec, etc)?

Bye
Yizhar Hurwitz
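As an added check, not part of this thread or of any Cisco tool, here is a small Python script that parses PIX-style access-list lines and flags entries in an ACL applied inbound on the outside interface whose source is one of your own statically mapped hosts, which is the mistake corrected above. It assumes the simple `any` / `host X` endpoint form used in this thread and a constructed copy of the original ACL as input.

```python
import re
from typing import List, NamedTuple, Optional, Set

# Constructed sample: the ACL lines from the question, including the two
# lines whose source and destination are reversed.
SAMPLE_ACL = """\
access-list 100 permit tcp any host CitrixServer eq citrix-ica
access-list 100 permit udp any host CitrixServer eq 1604
access-list 100 permit icmp any any
access-list 100 permit udp host CitrixServer eq isakmp any eq isakmp
access-list 100 permit esp host CitrixServer any
"""

class AclEntry(NamedTuple):
    acl_id: str
    proto: str
    src: str
    src_port: Optional[str]
    dst: str
    dst_port: Optional[str]

# Endpoint is either "any" or "host <name>", optionally followed by "eq <port>".
_ENDPOINT = r"(any|host \S+)(?: eq (\S+))?"
_ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) " + _ENDPOINT + " " + _ENDPOINT + r"$")

def parse_acl(line: str) -> AclEntry:
    m = _ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed ACL line: {line!r}")
    return AclEntry(*m.groups())

def reversed_entries(acl_text: str, local_hosts: Set[str]) -> List[str]:
    """Return lines whose *source* is one of our own statically mapped hosts.
    Traffic arriving inbound on the outside interface is destined *to* those
    hosts, so such a line never matches and the VPN return traffic is dropped."""
    bad = []
    for raw in acl_text.splitlines():
        e = parse_acl(raw)
        if e.src.startswith("host ") and e.src.split()[1] in local_hosts:
            bad.append(raw)
    return bad

def corrected(line: str) -> str:
    """Rewrite a reversed entry so the local host is the destination, keeping
    only the port on the local host, as in the corrected lines above."""
    e = parse_acl(line)
    port = f" eq {e.src_port}" if e.src_port else ""
    return f"access-list {e.acl_id} permit {e.proto} {e.dst} {e.src}{port}"
```

Running `reversed_entries(SAMPLE_ACL, {"CitrixServer"})` returns the two isakmp/esp lines, and `corrected()` on each yields the forms given in the reply above.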
 