Cisco Support Community

New Member

Is this even possible? Client VPN traffic through a PIX to another VPN?

Hi, I'd just like to find out if the following is actually technically possible. I'm beginning to think I'm trying to implement a solution that simply isn't possible.

I have the following:

VPN Clients<->CiscoPix506e<->Cisco3000

The VPN clients run an IPsec VPN to the Cisco PIX 506e and can access its "internal network" just fine.

The Cisco PIX runs a VPN to another company where all network traffic is NATed to a single RFC 1918 IP address before going out of the tunnel (a requirement of the other company to avoid address overlap issues), and everyone on the "internal network" can access that VPN just fine.

I want people using the VPN client to be able to access the other site to site VPN. I think that the forced NAT to the external company VPN is a problem.

All examples for VPN-to-VPN traversal I see specify that NAT must be disabled along the entire path. I can't do that in this situation. Is it possible to make this work?

I'm guessing with one good ACL statement all my problems will be solved.

If you say just get the users to connect to the Cisco 3000 rather than traversing my network, I have the following reasons not to. I have no access to the Cisco 3000 VPN concentrator, and a very limited amount of tunnels that they will open for my company. I have been tasked to implement a solution to ease employees' lives (so they only have to run one VPN tunnel at once to do all their work). At the moment they need to access systems inside our corporate network as well as the external company via the site-to-site VPN (it's a web app actually). They can do this in the office but obviously not from home if they are trying to use remote access.

I've attached a PDF example network diagram to help explain the situation.

Network addresses of each are the following (real addresses changed to protect the innocent :) ):

VPN clients: 192.168.10.0/24
Internal network: 192.168.1.0/24
External VPN endpoint: 192.168.20.0/24
Address used for NAT on VPN: 172.16.1.1/32

Relevant IOS config:

ip local pool VPN-CLIENTS 192.168.10.1-192.168.10.254
access-list inside permit ip any any
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list EXTERNAL-ACL-VPN permit ip host 172.16.1.1 192.168.20.0 255.255.255.0
access-list EXTERNAL-ACL-NAT permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
ip address outside a.b.c.d 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
global (outside) 2 interface
global (outside) 1 172.16.1.1
nat (inside) 0 access-list NONAT
nat (inside) 1 access-list EXTERNAL-ACL-NAT 0 0
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 a.b.c.d 1

Thanks,

Jason.

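To see where the VPN-client traffic drops out of the posted policy, here is an added Python model (not from the thread) of how the configuration above maps a flow first to a NAT rule and then to the crypto ACL. It assumes the PIX 6.3 evaluation order of nat 0 exemption, then policy NAT, then the catch-all, that the crypto ACL is checked against the post-NAT source, and uses the constructed address 203.0.113.1 as a stand-in for a.b.c.d.

```python
import ipaddress

# Constructed placeholder for the anonymised outside interface "a.b.c.d" in the post.
OUTSIDE_IP = "203.0.113.1"

# ACLs as posted: (source, destination) pairs in PIX "addr mask" / "host addr" syntax.
NONAT = [("192.168.1.0 255.255.255.0", "192.168.10.0 255.255.255.0")]
EXTERNAL_ACL_NAT = [("192.168.1.0 255.255.255.0", "192.168.20.0 255.255.255.0")]
EXTERNAL_ACL_VPN = [("host 172.16.1.1", "192.168.20.0 255.255.255.0")]


def net(spec):
    """Turn a PIX address fragment ('host 1.2.3.4', 'any', 'addr mask') into an ip_network."""
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}")


def acl_matches(acl, src, dst):
    return any(src in net(s) and dst in net(d) for s, d in acl)


def translate(src, dst):
    """Pick the NAT rule an inside->outside flow hits (assumed PIX 6.3 order:
    nat 0 exemption, then policy NAT, then the catch-all) and the resulting source."""
    if acl_matches(NONAT, src, dst):
        return "nat 0 NONAT (exempt)", str(src)
    if acl_matches(EXTERNAL_ACL_NAT, src, dst):
        return "nat 1 EXTERNAL-ACL-NAT -> global 1", "172.16.1.1"
    return "nat 2 catch-all -> global 2 interface (PAT)", OUTSIDE_IP


def tunnel_decision(src_str, dst_str):
    """Does the flow reach the site-to-site tunnel? NAT runs before the crypto ACL is
    consulted, so EXTERNAL-ACL-VPN sees the translated source. Note that VPN-client
    flows also arrive on the outside interface, so on PIX 6.3 they would be dropped as
    hairpinned traffic even if the NAT policy lined up."""
    src, dst = ipaddress.ip_address(src_str), ipaddress.ip_address(dst_str)
    rule, xlated = translate(src, dst)
    encrypted = acl_matches(EXTERNAL_ACL_VPN, ipaddress.ip_address(xlated), dst)
    return {"rule": rule, "translated_src": xlated, "encrypted": encrypted}


if __name__ == "__main__":
    # An internal host and a VPN client, both heading for the partner network.
    for flow in [("192.168.1.5", "192.168.20.9"), ("192.168.10.5", "192.168.20.9")]:
        print(flow, tunnel_decision(*flow))
```

The VPN-client flow never matches EXTERNAL-ACL-NAT, so it is PATed to the outside address and falls outside the crypto ACL; only the 192.168.1.0/24 flow is translated to 172.16.1.1 and encrypted.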
1 ACCEPTED SOLUTION
Bronze

Re: Is this even possible? Client VPN traffic through a PIX to another VPN?

From your scenario description, I understand that you are trying to route traffic out the same interface on which it was received on the PIX. This is called hair-pinning of traffic and is not currently supported in PIX (6.3).

3 REPLIES

New Member

Re: Is this even possible? Client VPN traffic through a PIX to another VPN?

Thank you so much for answering. The irony is I logged a support call with Cisco for this problem and got an answer (same resolution) on the same day you answered this post.

I was about to come back and answer my own question for the benefit of others.

Ahhh, if only I could have known this sooner. I've spent about 2 weeks agonizing over this problem, posted to this forum multiple times with no answer, and engaged 2 CCIEs, none of whom were familiar enough with the PIX to know this limitation, and engaged Cisco tech support. Ahh, the pain... :)

New Member

Re: Is this even possible? Client VPN traffic through a PIX to another VPN?

It is supported in PIX 7.0 and later, but this requires a PIX 515 or better.
