Outside to PIX VPN back to outside


flyman72 (ISP), GB, Mar 6, 2003
Is this possible?

I want to allow a remote VPN client to connect to my inside network and pick up a private address for use so that user appears to be connected locally (this works!) but still be able to connect to outside live addresses and the web through the NAT running on the same PIX as the VPN. (this doesn't work!)

This means that the incoming connection gets NAT'ed to a private address and then re-NAT'ed back to one of our live NAT pool addresses and on to our routers and the internet.

I am new to PIX firewalls and mainly having problems getting to grips with the VPN stuff.

We have a PIX 520 with OS version 6.2.

Thanks in advance.
Gavin
Yes, this can be done.

In PIX, you can set up a client-to-site VPN as you have done, and allow your remote user access to the internal network and also be able to not use NAT for external web usage. The key is DNS. Internal DNS makes this possible; if you are not using internal DNS and are supplying your VPN clients with external DNS, you will not be able to do this.

see below for examples:


** define access-list for vpn clients **

access-list 101 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0


** vpn client pool **

ip local pool clients 172.16.1.1-172.16.1.254


** disallow NAT for vpn clients **

nat (inside) 0 access-list 101


** in your vpngroup (assuming VPN client 3.x or newer) **

vpngroup mygroup address-pool clients
vpngroup mygroup dns-server 192.168.1.2
vpngroup mygroup default-domain mydomain.com
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********

The key above is split-tunnel. You NEED this to be able to do what you are trying to do. Make sure all your crypto commands and isakmp commands are good, which it sounds like they are since the VPN works...

Split tunnel and DNS will give you what you are looking for.

- Mars.
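As an added worked example (not part of the original thread or of any Cisco tooling), the following Python script takes the PIX 6.x lines from the reply above, embedded as a constructed config string, and checks the two things that make the split-tunnel answer work: that the `nat (inside) 0` ACL exempts the whole client pool from NAT so inside hosts can reply to clients unaltered, and that the pool does not overlap the inside network the ACL is meant to protect. It also shows, for a few sample destinations, whether a client's packet is sent down the tunnel or straight out of the client's own Internet connection, which is what `split-tunnel 101` actually changes. The ACL/pool/vpngroup parsing and the `route_for` / `check_group` helper names are this example's own assumptions, not PIX commands.

```python
"""Sanity-check the split-tunnel / nat 0 pieces of a PIX 6.x VPN config (added example)."""
import ipaddress
import re

# Constructed input: the configuration lines from the reply above, minus the
# password and idle-time lines that do not affect routing or NAT.
PIX_CONFIG = """\
access-list 101 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
ip local pool clients 172.16.1.1-172.16.1.254
nat (inside) 0 access-list 101
vpngroup mygroup address-pool clients
vpngroup mygroup dns-server 192.168.1.2
vpngroup mygroup split-tunnel 101
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
VPNGROUP_RE = re.compile(r"^vpngroup (\S+) (address-pool|split-tunnel) (\S+)$")


def parse_config(text):
    """Collect the ACLs, address pools, nat 0 bindings and vpngroup settings we care about."""
    cfg = {"acls": {}, "pools": {}, "nat0": {}, "groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            cfg["acls"].setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := POOL_RE.match(line):
            name, first, last = m.groups()
            cfg["pools"][name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif m := NAT0_RE.match(line):
            iface, acl = m.groups()
            cfg["nat0"][iface] = acl
        elif m := VPNGROUP_RE.match(line):
            group, key, value = m.groups()
            cfg["groups"].setdefault(group, {})[key] = value
    return cfg


def route_for(cfg, group, dst):
    """Return 'tunnel' or 'direct' for a packet a client in `group` sends to `dst`.

    With split tunneling, only destinations inside the *source* networks of the
    split-tunnel ACL (the protected inside networks) are encrypted and sent to
    the PIX; everything else leaves the client unencrypted via its own default
    gateway, so Internet traffic never has to hairpin through the PIX.
    """
    acl = cfg["groups"][group].get("split-tunnel")
    if acl is None:
        return "tunnel"  # no split tunnel: every packet goes to the PIX
    dst = ipaddress.ip_address(dst)
    return "tunnel" if any(dst in src for src, _ in cfg["acls"][acl]) else "direct"


def check_group(cfg, group):
    """Return a list of misconfigurations for the vpngroup (empty list means OK)."""
    problems = []
    g = cfg["groups"][group]
    pool = cfg["pools"].get(g.get("address-pool"))
    if pool is None:
        return [f"{group}: address-pool does not reference a defined pool"]
    first, last = pool
    nat0_acl = cfg["nat0"].get("inside")
    if nat0_acl is None:
        problems.append("no 'nat (inside) 0 access-list' entry; replies to clients will be NATed")
    else:
        entries = cfg["acls"].get(nat0_acl, [])
        # the pool range must sit inside one destination network of the nat 0 ACL
        if not any(first in dst and last in dst for _, dst in entries):
            problems.append(f"pool {first}-{last} not covered by nat 0 ACL {nat0_acl}")
        # and must not overlap the inside networks it is supposed to reach
        for src, _ in entries:
            if first in src or last in src:
                problems.append(f"pool overlaps inside network {src}")
    split_acl = g.get("split-tunnel")
    if split_acl is None:
        problems.append(f"{group}: no split-tunnel; Internet traffic would have to hairpin through the PIX")
    elif split_acl not in cfg["acls"]:
        problems.append(f"{group}: split-tunnel references undefined ACL {split_acl}")
    return problems


if __name__ == "__main__":
    cfg = parse_config(PIX_CONFIG)
    print("problems:", check_group(cfg, "mygroup") or "none")
    for dst in ("192.168.1.2", "192.168.1.50", "203.0.113.5"):
        print(dst, "->", route_for(cfg, "mygroup", dst))
```

One caveat worth keeping in mind: split tunneling satisfies the "reach inside hosts and the web" goal, but not literally what the original post asked for, because the client's web traffic goes out its own Internet connection rather than through the PIX NAT pool. PIX 6.x cannot send traffic back out the same interface it arrived on; that hairpin behaviour only became possible with the `same-security-traffic permit intra-interface` command introduced in PIX 7.0.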