I have what I think is a simple scenario but I can't find a way to implement a solution.
I have the following:
The VPN clients run an IPSEC VPN to the Cisco PIX 506e and can access its "internal network" just fine.
The Cisco PIX runs a VPN to another company where all network traffic is NATed to a single RFC1918 IP address before going out of the tunnel (requirement of the other company to avoid address overlap issues),
and everyone on the "internal network" can access that VPN just fine.
I want people using the VPN client to be able to access the other VPN. I think that the forced NAT to the external company VPN is a problem.
All examples for VPN-to-VPN traversal I see specify that NAT must be disabled along the entire path. I can't do that in this situation. Is it possible to make this work?
I'm guessing with one good ACL statement all my problems will be solved.
I've attached a PDF example network diagram to help explain the situation.
Network addresses of each are the following (real addresses changed to protect the innocent :) ):
External VPN End point
Address used for NAT on VPN
relevant IOS config
ip local pool VPN-CLIENTS 192.168.10.1-192.168.10.254
access-list inside permit ip any any
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list EXTERNAL-ACL-VPN permit ip host 172.16.1.1 192.168.20.0 255.255.255.0
access-list EXTERNAL-ACL-NAT permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
Mainly for cost, maintenance, and speed of deployment reasons. The staff connecting are using xauth and tokens (authing off an internal RADIUS server) to log in. That functionality and level of control isn't available through the "external VPN" company.
Staff currently have to RDP into the company's internal network, and then launch a browser (inside their RDP session) to access the external VPN applications. I would prefer a more seamless experience for the end user.
My desired solution would mean the end user only needed one VPN session that would allow access to the internal network and the external VPN at the same time. Slightly easier user experience.
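To see why the asker suspects the forced NAT, it helps to evaluate the posted access-lists against a flow sourced from the VPN client pool and compare it with one sourced from the internal LAN. The following script is an added example, not code from the question or from Cisco; it is a small ACL matcher written for this post. It copies the four access-list lines from the question verbatim, assumes PIX semantics (a real subnet mask after the address rather than an IOS wildcard, first-match evaluation, implicit deny), and uses constructed sample hosts (192.168.1.50 on the internal LAN, 192.168.10.5 from the client pool, 192.168.20.10 at the external company) to show which ACLs select each flow.

```python
import ipaddress

# Access-list lines copied from the question (PIX syntax: network, then subnet mask).
ACL_CONFIG = """
access-list inside permit ip any any
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list EXTERNAL-ACL-VPN permit ip host 172.16.1.1 192.168.20.0 255.255.255.0
access-list EXTERNAL-ACL-NAT permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
"""

# ACLs we care about for the client-pool -> external-company path.
RELEVANT_ACLS = ("NONAT", "EXTERNAL-ACL-NAT", "EXTERNAL-ACL-VPN")


def _parse_addr(tokens, i):
    """Parse one address spec starting at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX access-lists take a normal subnet mask, which ipaddress accepts as "net/mask".
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(text):
    """Return {acl_name: [(action, protocol, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        acls.setdefault(name, []).append((action, proto, src, dst))
    return acls


def match(acl, src_ip, dst_ip, proto="ip"):
    """First-match evaluation with an implicit deny when nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst in acl:
        if p in ("ip", proto) and s in src and d in dst:
            return action
    return "deny"


def check_path(acls, src_ip, dst_ip):
    """Report, per relevant ACL, whether this flow would be selected by it."""
    return {name: match(acls.get(name, []), src_ip, dst_ip) for name in RELEVANT_ACLS}


ACLS = parse_acls(ACL_CONFIG)

if __name__ == "__main__":
    # Constructed sample flows: internal LAN host, VPN-client host, and the NAT address itself.
    for src in ("192.168.1.50", "192.168.10.5", "172.16.1.1"):
        print(f"{src} -> 192.168.20.10: {check_path(ACLS, src, '192.168.20.10')}")
```

Running it shows that a flow from 192.168.1.50 is selected by EXTERNAL-ACL-NAT (so it is translated to 172.16.1.1, which EXTERNAL-ACL-VPN then matches as interesting traffic), whereas a flow from the client pool address 192.168.10.5 is selected by none of the three lists: NONAT only exempts internal-LAN-to-client-pool traffic, and EXTERNAL-ACL-NAT only covers 192.168.1.0/24 as a source. That is the gap the asker is describing; any change to the policy NAT or crypto ACLs should be tested the same way before being applied.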