VPN Client to Pix, Then Overload NAT Pool Address

Mar 22nd, 2007

Hi Everyone:


When a remote access vpn user connects into my pix, I want to allow said user to traverse to a router (through another interface on the firewall) but hide the pool addresses. Is this possible?


What if the user came into me via a site-to-site tunnel, could this work as well?


My reason is simplicity (and security), I don't want the router to see users' LAN address (in case of site-to-site) or assigned pool address. My intention is to overload to the outgoing interface's address. I'm using pix 6.


Thanks in advance.

carenas123 Wed, 03/28/2007 - 06:37

Cisco routers have a feature called VPN pass-through that might help solve your issue.


In order to allow the VPN traffic to pass-through the router, configure an access list that allows these protocols and ports:


Encapsulating Security Payload (ESP) protocol (IP Protocol 50) or Authentication Header (AH) protocol (IP Protocol 51) between the user and the VPN server

User Datagram Protocol (UDP) port 500

UDP port 4500



Refer to this access-list configuration example:


access-list 101 permit esp any any
access-list 101 permit udp any any eq 4500
access-list 101 permit udp any any eq 500


Once the access-lists are created, bind these to the interface based on the direction, either inbound or outbound, with this command:

ip access-group 101 {in | out}
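To sanity-check an ACL like the one above before binding it, here is a small added checker (example code, not from this thread or from Cisco): it parses IOS-style numbered access-list lines of the "any any [eq port]" shape and reports which of the VPN pass-through flows (ESP, AH, IKE on UDP 500, NAT-T on UDP 4500) the ACL does not permit. The sample ACL text is constructed from the reply; run against it, the checker flags that AH (IP 51) is not permitted, so an AH-only tunnel would still be blocked.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the three lines from the reply, one per line.
ACL_FROM_REPLY = """
access-list 101 permit esp any any
access-list 101 permit udp any any eq 4500
access-list 101 permit udp any any eq 500
"""

# Only the "<proto> any any [eq <port>]" shape is parsed; other lines are skipped.
ENTRY_RE = re.compile(
    r"^access-list\s+(?P<acl>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+any\s+any(?:\s+eq\s+(?P<port>\S+))?\s*$"
)
PROTO_ALIAS = {"50": "esp", "51": "ah"}                   # numeric protocol forms
PORT_ALIAS = {"isakmp": "500", "non500-isakmp": "4500"}  # IOS port keywords


def parse_acl(text: str) -> Dict[str, List[dict]]:
    """Return {acl_number: [entry, ...]} in configured order."""
    acls: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["proto"] = PROTO_ALIAS.get(e["proto"], e["proto"])
        e["port"] = PORT_ALIAS.get(e["port"], e["port"])
        acls.setdefault(e["acl"], []).append(e)
    return acls


def vpn_passthrough(entries: List[dict]) -> Dict[str, bool]:
    """Whether each VPN flow is permitted; the first matching entry wins."""
    def permitted(proto: str, port: Optional[str] = None) -> bool:
        for e in entries:
            if e["proto"] == "ip" or (e["proto"] == proto and e["port"] == port):
                return e["action"] == "permit"
        return False  # implicit deny at the end of every ACL
    return {"esp": permitted("esp"), "ah": permitted("ah"),
            "ike_udp500": permitted("udp", "500"),
            "natt_udp4500": permitted("udp", "4500")}


def report(text: str, acl: str = "101") -> List[str]:
    """Names of the VPN flows that the given ACL does not permit."""
    status = vpn_passthrough(parse_acl(text).get(acl, []))
    return [name for name, ok in status.items() if not ok]
```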
