
VPN access to a server locate in outside


Adr3nalin

MIS
Aug 4, 2002
57
NZ
Hi all,

I have configured VPN Client ver 3.5.1/IPSec/IAS RADIUS using PIX515E version 6.1
with these commands:
nat (inside) 0 access-list ...
nat (dmz) 0 access-list ....

It works great; we can access all servers located in the DMZ and in the inside network via the VPN Client.

We have a server that was put between two firewalls:
--- FW1---SERVERA----PIX515E----

This ServerA is not NATted and uses an Internet IP address.

The question is: is it possible to access this box via the VPN connection? If yes, how, or which command do I have to put in the PIX? Thanks in advance for your help. :)

Hi.

Where is SERVERA connected to, from the PIX point of view?
Is SERVERA on the "outside" of the PIX?
If so, why do clients need the VPN tunnel and not access SERVERA directly?
Or maybe this is the correct diagram:
SERVERA - FW1 - Internet - PIX outside
???
And how do internal hosts access SERVERA?
Is there an additional VPN tunnel? Access-list?

Bye
Yizhar Hurwitz
 
Hi Yizhar...

The config is:

From the public network, traffic is filtered by the first firewall (pass-through, no NAT translation, only packet filtering) into a network with Internet IP addresses where ServerA belongs (the reason we put ServerA here is that this server has some services that are incompatible with NAT), and then this network is blocked again by the PIX firewall (which does NATting and has outside, DMZ and inside interfaces).

The PIX is also configured as a VPN server (IPSec),
and clients from the Internet can access the DMZ and inside network through the Cisco VPN client.
I would like these clients to be able to control this box (for example using Terminal Services); for security considerations we do not want to open that port on the first firewall...
and prefer using the VPN first..

Thanks.

 
Hi.

Well, the PIX will never forward packets back to the interface they came from, so you should find another solution, for example:

* Decide if you really need to remote control that server.

* Install an additional TS on the "inside" of the PIX.
The remote administrator will access it first, then access SERVERA from it.

* Install PCAW or another remote control app on that server, but set it only for manual start-up, and open the required port at FW1. When remote control is needed, a local person will need to launch the remote control server on SERVERA.
This is of course more secure than always waiting, but I don't know if it is practical for you.

* Set up SERVERA as a VPN server for accessing the server itself. A remote manager will need to establish a VPN connection to SERVERA before accessing it with TS.

Bye
Yizhar Hurwitz
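A constructed PIX 6.x configuration fragment, added here as an example and not the poster's actual config (all interface addresses, the pool range, ACL and group names and the RADIUS host are made-up placeholders). It shows the nat 0 exemption that lets VPN clients reach the inside and DMZ hosts as described in the first post, and why, as Yizhar explains, no equivalent statement can be written for SERVERA on the outside side of the PIX:

```cisco
! Constructed PIX 6.x example; names and addresses are placeholders.
! Lines starting with "!" are explanatory comments for the reader.
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

! Address pool handed out to VPN clients
ip local pool vpnpool 192.168.100.1-192.168.100.50

! Traffic between protected hosts and VPN clients must not be translated
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat

! Let decrypted IPsec traffic bypass the interface ACLs
sysopt connection permit-ipsec

! XAUTH of VPN users against the IAS RADIUS server on the inside
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.5 <shared-secret> timeout 10

! ISAKMP / IPsec for the VPN client
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client authentication RADIUS
crypto map vpnmap interface outside

! Group the VPN client connects to; split tunnel covers only inside + DMZ
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers split-tunnel nonat
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password <group-key>

! Nothing can be added for SERVERA: it sits on the outside side of the PIX,
! and PIX 6.x will not send a decrypted packet back out the interface it
! arrived on. Access to it has to be handled at FW1 or on SERVERA itself,
! as the alternatives above describe.
```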