I remember someone posting about being able to allow VPN/PPTP clients to access a tunnel VPN on 6.3.1 with VLANs through the same PIX they are VPNed into. I have this need now and am trying to find some solutions. Here is the layout:
192.168.1.0 -> PIX -> Internet <- PIX <- 192.168.2.0
VPN Tunnel between PIXs across internet
Both internal networks can communicate fine with each other.
Now I have several home users who PPTP in to the 192.168.1.0 PIX and are unable to access the 192.168.2.0 network. I believe this is due to the fact that the 192.168.1.0 PIX will not allow requests that came in on its external interface to go back out the same interface for security reasons.
Is there now a way around this?
I would appreciate any links or documentation on how to implement this new feature.
You still can't do this unfortunately, even with 6.3 code.
Well, I guess you could use the new VLAN support feature in 6.3, but it still means the clients need to connect in on a different interface than the LAN-to-LAN tunnel; that hasn't changed. You'd have to set up two external interfaces with two different IP addresses, have your clients connect in on one and have the LAN-to-LAN connect in on the other. Even though these would physically be the same interface, logically to the PIX they're separate and so the re-routing works fine.
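The split the reply describes, written out as a PIX 6.3 configuration sketch. This is an added example, not configuration from the thread or from Cisco; the interface names, VLAN IDs, public addresses, the 192.168.3.0/24 PPTP pool and the security levels are all assumptions made for illustration. The PPTP clients terminate on a logical VLAN interface while the LAN-to-LAN crypto map stays on the physical interface, so traffic from the PPTP pool enters on one logical interface and leaves on another, which is what the reply says makes the re-routing work.

```text
! --- PIX at the 192.168.1.0 site, PIX OS 6.3 (assumed) ---
! One physical outside port carries two 802.1Q VLANs; the upstream
! switch port must be a trunk carrying VLAN 10 and VLAN 20.
interface ethernet0 100full
interface ethernet0 vlan10 physical
interface ethernet0 vlan20 logical
! Logical interface for the PPTP clients. It is given a security level
! above 0 on purpose: PIX 6.x does not pass traffic between two
! interfaces of equal security level, so two security0 interfaces
! could not forward the clients' packets into the tunnel.
nameif ethernet0 outside security0
nameif vlan20 pptpout security10
nameif ethernet1 inside security100
ip address outside 203.0.113.1 255.255.255.0
ip address pptpout 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

! PPTP termination on the logical interface only (pool is assumed)
ip local pool pptp-pool 192.168.3.1-192.168.3.50
vpdn group pptp accept dialin pptp
vpdn group pptp ppp authentication mschap
vpdn group pptp ppp encryption mppe 128 required
vpdn group pptp client configuration address local pptp-pool
vpdn group pptp client authentication local
vpdn username homeuser password ********
vpdn enable pptpout
sysopt connection permit-pptp

! LAN-to-LAN tunnel on the physical outside interface. The crypto ACL
! must also carry the PPTP pool to the remote LAN, and the remote PIX
! needs the mirror-image entry (192.168.2.0 -> 192.168.3.0) or the
! return traffic is never encrypted.
access-list l2l permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list l2l permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat-pptp permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (pptpout) 0 access-list nonat-pptp
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map l2lmap 10 ipsec-isakmp
crypto map l2lmap 10 match address l2l
crypto map l2lmap 10 set peer 198.51.100.1
crypto map l2lmap 10 set transform-set strong
crypto map l2lmap interface outside
isakmp enable outside
isakmp key ******** address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
sysopt connection permit-ipsec
```

The check worth doing after applying this is from a connected PPTP client: a ping to a 192.168.2.0 host should raise the `#pkts encaps` counter in `show crypto ipsec sa` on the 192.168.1.0 PIX, and the decaps counter on the far side; if encaps stays at zero the pool-to-remote-LAN line is missing from the crypto ACL or the nat 0 exemption, and if only decaps on the far side is missing the remote PIX lacks the mirror entry.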