3.xVPN Client to PIX to Internet

tmarlow
Level 1

The Remote Access VPN between the client and the PIX v6.2 works great. We attach to the outside interface of the PIX and it allows us to access resources on the Inside. What do I need to do to get the remote VPN clients access to the DMZ? Is it a translation for the VPN pool to the DMZ? Without using split-tunneling down to the client, can they gain Internet access out the PIX that they just came into via their tunnel? Does a proxy have to be set up? Thanks everybody.


4 Replies

gfullage
Cisco Employee

You'll currently have something like:

access-list nonat permit ip

nat (inside) 0 access-list nonat

To get access to hosts on the DMZ interface, add the following:

access-list nonatdmz permit ip

nat (dmz) 0 access-list nonatdmz

Also, without doing split tunnelling the VPN clients can't come into the PIX over the tunnel and then go back out the same interface to the Internet. The PIX won't send a packet back out the same interface it came in on, that includes encrypted and non-encrypted traffic. Sorry, no way around it.

Thanks for the clear answer. I had issues trying to reconcile the fact that you have to have a translation to talk to different interfaces on the PIX and how the "nat (interface) 0" command bypasses that rule.

I have no global nat statement configured for the DMZ and only do static translations for people on the inside that need to talk to devices in the DMZ. I believe that the above command doesn't care and will pass the IPs from the "VPN pool" into the DMZ anyway?

Correct. Basically "nat 0" says don't NAT this traffic. Because NAT happens BEFORE encryption within the PIX, you have to specifically tell the PIX not to NAT the traffic that will be encrypted, otherwise the PIX will NAT the return traffic first, THEN compare it to its crypto access-list and because it's already been NAT'd, it won't match it and won't get encrypted.

Because this traffic is coming in on the dmz interface, you have to add a "nat (dmz) 0" statement to tell the PIX not to nat this traffic specifically also.
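As an added check, not code from this thread or from Cisco: the Python below audits a constructed PIX 6.2 config fragment (sample addresses and names, not the poster's) for the exemptions gfullage describes in both answers above, reporting per interface whether a "nat (intf) 0" access-list exempts traffic from that interface's subnet to the whole VPN pool from translation.

```python
import ipaddress

# Constructed PIX 6.2 configuration fragment; addresses and names are sample values.
PIX_CONFIG = """
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip local pool vpnpool 192.168.100.1-192.168.100.50
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonatdmz permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonatdmz
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""


def parse_pix(config):
    """Pull out the pieces the check needs: interface subnets, the VPN pool,
    permit-ip ACL entries, and which ACL each 'nat (intf) 0' line refers to."""
    nets, acls, nat0, pool = {}, {}, {}, None
    for line in config.splitlines():
        p = line.split()
        if p[:2] == ["ip", "address"]:
            nets[p[2]] = ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)
        elif p[:3] == ["ip", "local", "pool"]:
            first, last = p[4].split("-")
            pool = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif p[:1] == ["access-list"] and p[2:4] == ["permit", "ip"]:
            src = ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False)
            dst = ipaddress.ip_network(f"{p[6]}/{p[7]}", strict=False)
            acls.setdefault(p[1], []).append((src, dst))
        elif p[:1] == ["nat"] and p[2:4] == ["0", "access-list"]:
            nat0[p[1].strip("()")] = p[4]  # "(dmz)" -> "dmz"
    return nets, pool, acls, nat0


def nat0_covers_vpn_pool(config):
    """For every interface with an address, report whether a 'nat (intf) 0'
    ACL exempts that interface's subnet -> the whole VPN pool from translation.
    NAT runs before the crypto ACL check on the PIX, so an interface without
    this exemption returns translated traffic that never matches the crypto
    ACL and is sent back to the client unencrypted or dropped."""
    nets, pool, acls, nat0 = parse_pix(config)
    report = {}
    for intf, net in nets.items():
        entries = acls.get(nat0.get(intf, ""), [])
        report[intf] = any(net.subnet_of(src) and pool[0] in dst and pool[1] in dst
                           for src, dst in entries)
    return report
```

Dropping the "nat (dmz) 0" line from the sample config makes the report flag dmz as uncovered, which is exactly the state the original poster started from.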

If I don't want to use the split tunneling features, can I configure a DMZ interface as an IPSEC peer to forward the Internet traffic through the outside interface (and the intranet traffic to the inside interface)?

Thanks