11-11-2003 03:06 PM
the Remote Access VPN between the client and the PIX v6.2 works great. We attach to the outside interface of the PIX and it allows us to access resources on the Inside. What do I need to do to get the remote VPN clients access to the DMZ? Is it a translation for the VPN pool to the DMZ? Without using split-tunneling down to the client, can they gain Internet access out the PIX that they just came into via their tunnel? Does a proxy have to be set up? Thanks everybody.
11-11-2003 09:35 PM
You'll currently have something like:
access-list nonat permit ip
nat (inside) 0 access-list nonat
To get access to hosts on the DMZ interface, add the following:
access-list nonatdmz permit ip
nat (dmz) 0 access-list nonatdmz
Also, without doing split tunnelling the VPN clients can't come into the PIX over the tunnel and then go back out the same interface to the Internet. The PIX won't send a packet back out the same interface it came in on, that includes encrypted and non-encrypted traffic. Sorry, no way around it.
11-12-2003 03:47 PM
Correct. Basically "nat 0" says don't NAT this traffic. Because NAT happens BEFORE encryption within the PIX, you have to specifically tell the PIX not to NAT the traffic that will be encrypted, otherwise the PIX will NAT the return traffic first, THEN compare it to its crypto access-list, and because it's already been NATed, it won't match it and won't get encrypted.
Because this traffic is coming in on the DMZ interface, you also have to add a "nat (dmz) 0" statement to tell the PIX specifically not to NAT this traffic.
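The configuration the two answers above describe, written out as an added example (not the original poster's configuration, and not a Cisco-published sample). The addresses are assumed for illustration: 10.1.1.0/24 for the inside network, 172.16.1.0/24 for the DMZ, and 192.168.100.0/24 for the remote-access VPN client pool. The nat 0 access-lists name the local network as the source and the VPN pool as the destination, so the return traffic toward the clients is matched before it reaches the crypto access-list.

```cisco
! Assumed addressing for this example: inside 10.1.1.0/24, DMZ 172.16.1.0/24
! VPN client pool 192.168.100.0/24 (hypothetical values, not from the thread)
ip local pool vpnpool 192.168.100.1-192.168.100.254

! Inside -> VPN clients: exempt from NAT so return traffic still matches the crypto ACL
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! DMZ -> VPN clients: same exemption is needed on the DMZ interface,
! even though no "nat (dmz) 1 / global" pair is configured for that interface
access-list nonatdmz permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (dmz) 0 access-list nonatdmz

! Let decrypted IPsec traffic bypass the outside interface access-list
! (typically already present when the remote-access VPN is working for the inside)
sysopt connection permit-ipsec
```

Checking it: `show xlate` after a client connects to a DMZ host should show no translation for the 192.168.100.x address, and `show crypto ipsec sa` should show the encaps/decaps counters on the client's SA increasing for the DMZ flow as well as the inside flow. If the DMZ host answers but the counters for the return direction stay at zero, the nat (dmz) 0 access-list is not matching the return traffic.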
11-12-2003 06:32 AM
Thanks for the clear answer. I had issues trying to reconcile the fact that you have to have a translation to talk to different interfaces on the PIX and how the "nat (interface) 0" command bypasses that rule.
I have no global NAT statement configured for the DMZ and only do static translations for people on the inside that need to talk to devices in the DMZ. I believe that the above command doesn't care and will pass the IPs from the "VPN pool" into the DMZ anyway?
03-01-2004 03:13 AM
If I don't want to use the split tunneling features, can I configure a DMZ interface as the IPsec peer to forward the Internet traffic through the outside interface (and the intranet traffic to the inside interface)?
Thanks