Remote VPN with NAT.

Unanswered Question
Jan 15th, 2010

Hi all,

I'm solving a problem with the following:

Our employees connect to our network remotely with the Cisco VPN client and can access any resources inside the network.

We have NAT 0 configured, so their sessions appear inside the network with IPs assigned from the VPN pool. We have a PIX with an inside and an outside interface.

But we also need to access outside resources through the VPN.

So my question is: when traffic comes out of the VPN tunnel, what NAT and ACLs should I configure to access outside resources (on the Internet)? From inside to outside, or should I create a loopback interface?

Please send me an example.

BR

gg

Ricardo Prado Rueda Tue, 01/19/2010 - 09:52

Hi,

To get Internet access while the IPsec VPN client is connected to your PIX, you have two options:

A. Use split tunneling. This configuration tells the VPN client which traffic needs to be encrypted; everything else is sent out the local Internet connection on the client's end:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

B. Use hairpinning (U-turn) on the PIX to provide Internet access to the connecting VPN clients. The only restriction here is that your PIX needs to be running at least version 7:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

The basic configuration for this setup is as follows:

NAT CONFIGURATION

! The source of this ACL must be the VPN pool network; the original line omitted it.
! Replace <VPN-POOL-NETWORK> with the network address of your VPN pool.
access-list remotelan permit ip <VPN-POOL-NETWORK> 255.255.255.0 any

! Policy NAT: traffic from the VPN pool that arrives (decrypted) on the outside
! interface is translated to the outside interface address when it leaves again
nat (outside) 1 access-list remotelan
global (outside) 1 interface

U-TURN

! Allow traffic to enter and exit the same interface (outside to outside)
same-security-traffic permit intra-interface

The rest of the configuration remains the same.

Regards,

Rick.
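As an added, complete PIX 7.x example (written for this page, not taken from the original post or from Cisco's documents), the following shows the poster's existing NAT 0 exemption together with both options from the answer. The inside network 192.168.1.0/24, the VPN pool 10.10.10.0/24, and the names VPNPOOL, NONAT, SPLIT and VPNGP are constructed assumptions, not values from the thread.

```cisco
! --- Constructed example; all addresses and names are assumptions ---

! Address pool handed out to Cisco VPN Client users
ip local pool VPNPOOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! NAT exemption (nat 0), as the poster already has: inside hosts see the
! VPN clients with their pool addresses, untranslated
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Option B: hairpinning (U-turn). Decrypted client traffic enters on the
! outside interface and is sent back out the same interface, PAT'd to the
! outside interface address. Requires PIX 7.x or later.
same-security-traffic permit intra-interface
access-list remotelan extended permit ip 10.10.10.0 255.255.255.0 any
nat (outside) 1 access-list remotelan
global (outside) 1 interface

! Option A (alternative to B): split tunneling. Only the inside network is
! sent through the tunnel; all other client traffic uses the client's own
! Internet connection and never touches the PIX.
access-list SPLIT standard permit 192.168.1.0 255.255.255.0
group-policy VPNGP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
```

Use one option or the other: with hairpinning the group policy keeps the default tunnel-all behaviour so that every client packet passes the PIX, where it is subject to the firewall's outbound policy and logging; with split tunneling the client is connected to the corporate network and the open Internet at the same time, so the client's own host protection becomes part of the corporate perimeter. Hairpinning costs bandwidth on the PIX's outside link but is the more controllable choice from a security standpoint.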
