Remote VPN with NAT.

Unanswered Question
Jan 15th, 2010

Hi all,

I'm solving a problem with the following:

Our employees connect to our network remotely with the Cisco VPN client and can access any resources inside the network.

We have NAT 0 configured so their sessions appear inside the network with IPs assigned from the VPN pool. We have a PIX with an inside and an outside interface.

But we need to access outside resources through the VPN.

So my question is: when traffic gets out of the VPN tunnel, what NAT and ACLs should I configure to access outside resources (on the Internet)? From inside to outside, or should I create a loopback interface?

Please send me any example.

BR

gg

Ricardo Prado Rueda Tue, 01/19/2010 - 09:52

Hi,

To get Internet access while the IPsec VPN client is connected to your PIX, you have two options:

A. Use split-tunneling. This configuration tells the VPN client which traffic needs to be encrypted; everything else is sent out the local Internet connection on the client's end:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

B. Use hairpinning (U-turn) on the PIX to provide Internet access to the connecting VPN clients. The only restriction here is that your PIX needs to be running at least version 7:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

The basic configuration for this setup is as follows:

NAT CONFIGURATION

! Source must be the VPN pool network and its mask (the network address was
! missing from the line as originally posted; substitute your own pool)
access-list remotelan permit ip <VPN-POOL-NETWORK> 255.255.255.0 any

! PAT the VPN clients' Internet-bound traffic to the outside interface address
nat (outside) 1 access-list remotelan
global (outside) 1 interface

U-TURN

! Allow decrypted traffic to leave through the same interface it arrived on
same-security-traffic permit intra-interface

The rest of the configuration remains the same.

Regards,

Rick.
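A fuller hairpin configuration for the setup described in the question, added here as an illustration; it is not taken from Rick's post or from the linked Cisco documents. The inside LAN 10.1.1.0/24, the pool 192.168.100.0/24, the pre-shared key placeholder and the names VPNPOOL, NONAT, remotelan, VPNGP and VPNTG are assumed values, and the syntax is the PIX/ASA 7.x to 8.2 NAT style used in the post.

```cisco
! Added example (not from the original post): PIX/ASA 7.x-8.2 hairpin (U-turn)
! Assumed values: inside LAN 10.1.1.0/24, VPN client pool 192.168.100.0/24
!
! 1. Let decrypted VPN traffic leave the outside interface it arrived on
same-security-traffic permit intra-interface
!
! 2. Address pool handed out to the Cisco VPN clients
ip local pool VPNPOOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
! 3. NAT exemption so inside hosts reach VPN clients untranslated
!    (the "nat 0" already in place per the question, shown for completeness)
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 4. PAT Internet-bound client traffic to the outside interface address.
!    The ACL source is the pool network; an entry without it matches nothing.
access-list remotelan extended permit ip 192.168.100.0 255.255.255.0 any
nat (outside) 1 access-list remotelan
global (outside) 1 interface
!
! 5. Send all client traffic through the tunnel, so Internet access is
!    inspected and logged on the PIX instead of bypassing it at the client
group-policy VPNGP internal
group-policy VPNGP attributes
 split-tunnel-policy tunnelall
!
! 6. Remote-access tunnel group tying the pool and policy together
tunnel-group VPNTG type ipsec-ra
tunnel-group VPNTG general-attributes
 address-pool VPNPOOL
 default-group-policy VPNGP
tunnel-group VPNTG ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>
!
! Verify with a connected client: "show xlate" should list translations from
! the 192.168.100.0/24 pool to the outside interface address
```

On ASA 8.3 and later the nat/global commands in steps 3 and 4 were replaced by object-based NAT and must be rewritten; the same-security-traffic and group-policy parts are unchanged.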
