I've set up the concentrator going through the PIX. I've placed it in a DMZ with the public interface directly connected to the internet and the private interface connected to the DMZ.
I can connect to the concentrator on its private interface (from our network to the DMZ) to administer it. I have set up static mappings into the DMZ for the servers we need access to with VPN, and I can ping those servers from the concentrator. When I connect in with WebVPN I can connect to those servers no problem.
The problem is when I connect using the VPN client. When using the client the users can connect in and are authenticated using NT authentication (the concentrator can connect to our domain controller for authentication), but after that they cannot access the servers I have mapped into the DMZ. I have set up a pool of addresses for VPN client users and have made sure that these addresses are not NATed on the firewall using NAT 0 192.168.2.0 255.255.255.0 (192.168.2.0 is the pool of addresses VPN clients are assigned). I have also set up the access lists on the firewall, and the hit counts go up when I ping, but there is no connection. It seems the client addresses are not connecting through the PIX.
Ideally I would like to set up pools or individual addresses on the concentrator and control access on the PIX as to what access those assigned IP addresses have.
Has anyone done this before? Can anyone help, please...
I have set up something like this in the past. Could you clarify some details?
1. "I have set up static mappings in to the DMZ for the servers we need access to with VPN "
- I'm interpreting that the servers reside on the 'inside' network. In addition, you have static NAT mappings (inside,dmz) so that the VPN clients can access them coming from the 'DMZ' network. Is this correct?
You might want to:
1. Check your NAT statements. NAT/Global are used when traffic initiates from a higher security interface to a lower security interface. Static is used when you initiate traffic from a lower to a higher security interface. The VPN client addresses are coming from the DMZ. It has a lower security number than the inside.
2. The PIX, by default, blocks traffic initiating from a lower to a higher security interface. Make sure you have an ACL allowing your VPN client pool into the 'inside' network.
3. If you think your NAT and ACLs are set up correctly, then make sure your routes are set up on the Concentrator and PIX correctly (for the VPN client address pool).
4. Does the VPN concentrator have any network lists applied to the IPSec group? Can you ping from a VPN client to the VPN concentrator private interface?
Guys, many thanks for your replies. I have now discovered what the problem was. The IP addresses that I had assigned the VPN clients were on a different subnet, so they would connect in and then have no connectivity on the DMZ, which is why WebVPN worked. I believe you are assigned the IP address of the private interface with WebVPN, hence why it worked and VPN clients didn't. Simple really.
In answer to your reply jackko, I agree it is a good idea to have the public interface also protected, but I only have one interface on the PIX available and so need to consider what is more of a priority: protecting the public interface, or protecting the internal LAN from a variety of VPN users. The reason I say this is that, once VPN users are connected in, I can assign IP addresses and restrict access to the LAN by those addresses, so I know who can do what; for example, external suppliers only have access to the servers they require over RDP, or certain internal users can only get to specific resources on the LAN.
With protecting the external interface, not knowing the specific IP addresses that require access in, it would be difficult for me to set up efficient access rules.
Maybe I'm wrong, but from my understanding I believe this is the best approach; any thoughts would be appreciated.
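As an added illustration of the checklist in the reply above (static mappings for the inside servers, NAT exemption for the client pool, an inbound DMZ ACL, and a route for the pool) and of the per-address restriction the original poster wants to apply to VPN users, here is a PIX 6.x-style configuration fragment. It is not configuration from this thread or from Cisco documentation; all addresses, interface names and ACL names are constructed placeholders (10.1.1.0/24 inside, 172.16.1.0/24 DMZ, 192.168.2.0/24 VPN pool, concentrator private interface at 172.16.1.2, domain controller at 10.1.1.5).

```text
! Constructed example: PIX 6.x syntax, placeholder addresses throughout.
! Inside servers that VPN users (and the concentrator, for NT auth) must reach.
! Identity statics expose them into the DMZ under their own addresses so that
! traffic sourced from the lower-security DMZ can be translated back inside.
static (inside,dmz) 10.1.1.5  10.1.1.5  netmask 255.255.255.255
static (inside,dmz) 10.1.1.10 10.1.1.10 netmask 255.255.255.255
static (inside,dmz) 10.1.1.20 10.1.1.20 netmask 255.255.255.255

! Never translate inside <-> VPN-pool traffic.
access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! The pool is not a directly connected subnet. Without this route the PIX has
! no path back to 192.168.2.0/24: ACL hit counts rise, but no session completes.
route dmz 192.168.2.0 255.255.255.0 172.16.1.2 1

! Lower-to-higher traffic is denied unless an ACL permits it. Carve the pool into
! role-based ranges (configured as separate pools/groups on the concentrator)
! and permit only what each role needs.
! Concentrator -> domain controller for NT authentication (narrow to the
! authentication ports actually in use).
access-list DMZ_IN permit ip host 172.16.1.2 host 10.1.1.5
! External suppliers (192.168.2.16/28): RDP to a single server only.
access-list DMZ_IN permit tcp 192.168.2.16 255.255.255.240 host 10.1.1.10 eq 3389
! Internal staff (192.168.2.32/27): file server and domain controller.
access-list DMZ_IN permit tcp 192.168.2.32 255.255.255.224 host 10.1.1.20 eq 445
access-list DMZ_IN permit ip  192.168.2.32 255.255.255.224 host 10.1.1.5
! Anything else from the DMZ toward the inside is dropped and logged.
access-list DMZ_IN deny ip any any log
access-group DMZ_IN in interface dmz
```

After changing NAT or static entries, clear the translation table (`clear xlate`) so stale translations do not mask the new rules, and confirm the pool route with `show route`. Splitting the pool by role is what makes the ACL meaningful: if every VPN user draws from one undifferentiated pool, the PIX cannot tell a supplier from an administrator by source address.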