RA VPN routing beyond firewall interfaces

Unanswered Question
Oct 28th, 2008

I currently have a PIX 515E running 7.2 code. I have a remote access IPsec VPN tunnel set up. I have an inside interface with a few internal servers etc. The remote access VPN clients get an IP from a pool of. They can communicate with anything on the 192.168.1.x network fine; that part is simple. The problem I am looking for an answer to is being able to route beyond the PIX. So say that all the 192.168.1.x clients in the local office NAT to a public IP of, which gives them access to the internet and to some other devices within our local AS that only allow that IP by a telnet/SSH ACL. Is it possible to have the remote access VPN clients NAT to that public IP somehow over the VPN tunnel to give them access to the equipment beyond the firewall?


singhsaju Wed, 10/29/2008 - 07:56

Hi Jason,

I do not think you will be able to NAT the pool IP to the public IP address if you are terminating VPN clients on the same outside interface where you have configured the IP as described above. If you have enabled "same-security-traffic permit intra-interface", the VPN client traffic will be redirected to the internet with source IP and not

The only solution I can think of is that you can do VPN and then telnet to a router/host in the 192.168.1.x subnet and from there initiate telnet/SSH to the other hosts in your network.
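For reference, here is what the "same-security-traffic permit intra-interface" hairpin setup mentioned in the reply looks like on PIX/ASA 7.2. This is an added example, not configuration from either poster; the 192.168.1.0/24 inside network is from the question, while the VPN pool (192.168.50.0/24) and the pool name RA_POOL are constructed placeholders because the post elides the real pool and public addresses. It shows the behaviour the reply describes: the U-turned client traffic is sourced from the outside interface's own address, not from a second public IP.

```cisco
! Added example (not from the original post). PIX/ASA 7.2 syntax.
! 192.168.1.0/24 is the inside network from the question; the VPN pool
! 192.168.50.0/24 and the name RA_POOL are constructed placeholders.

! Permit traffic to enter and leave the same interface. Without this,
! VPN client packets arriving on outside and needing to go back out
! of outside are dropped.
same-security-traffic permit intra-interface

! Address pool handed to remote access clients (constructed range).
ip local pool RA_POOL 192.168.50.1-192.168.50.254 mask 255.255.255.0

! Inside hosts are PATed to the outside interface address when they
! leave toward the internet.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! The VPN pool also needs a translation when it U-turns out of the
! outside interface; outside NAT uses the nat (outside) form. Sharing
! global id 1 means these flows get the outside interface address as
! their source, which is exactly the limitation the reply points out:
! a different public IP that only the inside subnet is mapped to is
! not what upstream telnet/SSH ACLs will see for VPN clients.
nat (outside) 1 192.168.50.0 255.255.255.0
```

Because VPN-terminated traffic bypasses interface ACLs by default (sysopt connection permit-vpn), any restriction on what the hairpinned clients may reach has to be applied with a VPN filter or on the group policy rather than on the outside ACL.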
