PIX VPN client question: Is this possible?

[jcanuk]

Just a quick is this possible scenario.


10.2.2.0 DMZ
|
10.1.1.0----PIXA===VPN Tunnel====PIXB-----10.1.7.0
||
||
VPN Client

I have the Cisco VPN client 3.x.

I would like to create a vpn to pix A, and make the client be able to access both networks 10.1.1.0 and 10.2.2.0 on the dmz. Is this possible?

If this is, then on to the next question. I have a VPN tunnel between PIX A and PIX B that is established. Is it possible for the VPN client to be able to access resources on Network 10.1.7.0 via the connection to PIX A?

Just curious on the limitations of the PIX VPN client implementation.

Jcanuk

 

[dawookie]

The ascii drawing is a bit distorted but I think I see what you mean. To answer your questions in order:

If you configure you access lists for static 0 correctly as well as your address pool, yes, you can access multiple subnets inside a PIX. I am doing the same thing at my office.

Unfortunately the answer to the second question is not unless the VPN client <=> PIXA tunnel is over a different interface than the PIXA <=> PIXB tunnel. The PIX quite happy to send traffic between interfaces but cannot forward traffic out the same (physical) interface it recieved the traffic on. Cheers

man(1) is your friend

 

[jcanuk]

Dawookie,

Thanks for the advice, the PIX complains about having another interface on the same network as the outside interface...

Is the solution to simply disguise it behind another subnet mask?
Static routes necessary?

Thanks,
Jcanuk

 

[rborel]

I tried to setup that exact config. In short. NO, according to the Cisco TAC engineer that worked on it with me. Basically, its because the traffic from the VPN Client can't come in a VPN Tunnel and be re-directed back out a VPN Tunnel the PIX doesn't know what to do with that traffic.

Creating the static routes won't help it either.

dawookie's right, the traffic can't come in, be translated, and sent back out the same interface. (remember a PIX is NOT a router, it cannot/will not route traffic).

 

[yizhar]

HI.

The VPN client cannot access the 10.1.7.0 network, but there are some ways to do it:
* Create an additional VPN from client directly to PIXB.
* Use a terminal server on the PIXA network.
* Use some kind of a proxy server on PIXA network.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[jcanuk]

Actually,

I have solved it, and the answer is that this is a possible solution. Cisco TAC is not supportive and doesn't seem to acknowledge it, but here goes the description in a quick way.

First, rBorel and daWookie, you guys are right in saying that the pix can't route stuff back out the same interface... however, it can route it out a different interface.

Being that pixa is important to the company, it is a 515E with 4 port nic on it. This allows us to set up an extra interface on the outside network. To do this, I had to fool the cisco pix by specifying a different subnet mask. It's a little tricky, but trust me it works.

The gist of it is then that you set up all your vpn site to site tunnels via this new interface, called (vpnif) if you will. The client then accesses the pix from the outside interface. Now, becuase tunnel traffic is out a different interface than the incoming, the pix can intellegently route it to the destination. With some careful access-list and nat 0 statements, this is completely possible and I just accomplised it. Special thanks to a fellow canadian for the critical help.

If you need/want further clarification, let me know.

Regards,
Jcanuk