RA VPN routing beyond firewall interfaces

I currently have a PIX 515E running 7.2 code. I have a remote access IPsec VPN tunnel set up. I have an inside interface with 192.168.1.1 255.255.255.0 with a few internal servers etc. The remote access VPN clients get an IP from a pool of 10.180.180.1-10.180.180.5. They can communicate with anything on the 192.168.1.x network fine; that part is simple. The problem I am looking for an answer to is to be able to route beyond the PIX. So say that all the 192.168.1.x clients in the local office NAT to a public IP of 5.5.5.5, which gives them access to the internet and some other devices within our local AS that only allow that IP by a telnet/ssh ACL. Is it possible to have the remote access VPN clients NAT to that public IP somehow over the VPN tunnel to give them access to the equipment beyond the firewall?

Thanks.

1 REPLY

Re: RA VPN routing beyond firewall interfaces

Hi Jason,

I do not think you will be able to NAT the pool IPs to the public IP address if you are terminating VPN clients on the same outside interface where you have configured IP 5.5.5.5 as described above. If you have enabled "same-security-traffic permit intra-interface", the VPN client traffic will be redirected to the internet with source IP 10.180.180.1-5 and not 5.5.5.5.

The only solution I can think of is that you can do VPN and then telnet to a router/host in the 192.168.1.x subnet and from there initiate telnet/ssh to other hosts in your network.

HTH

Saju

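As an added illustration that is not part of this thread, the PIX 7.2 fragment below puts the setup the question and the reply describe into configuration form, using the poster's addresses. The names RA-POOL, RA-GROUP and NONAT are assumed, and the interface, route and crypto map lines are left out.

```cisco
! Added example, not from the original thread. RA-POOL, RA-GROUP and NONAT are
! assumed names; the addresses are the ones given in the question.

! Inside hosts leave the PIX with the shared public address 5.5.5.5.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 5.5.5.5

! Pool handed to the IPsec remote-access clients (10.180.180.1-5 fits in a /29).
ip local pool RA-POOL 10.180.180.1-10.180.180.5

! Inside <-> VPN-pool traffic is exempt from NAT, which is why the clients
! already reach 192.168.1.x with their pool address.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.180.180.0 255.255.255.248
nat (inside) 0 access-list NONAT

! Clients send all traffic through the tunnel (no split tunnelling).
group-policy RA-GROUP internal
group-policy RA-GROUP attributes
 split-tunnel-policy tunnelall
tunnel-group RA-GROUP type ipsec-ra
tunnel-group RA-GROUP general-attributes
 address-pool RA-POOL
 default-group-policy RA-GROUP

! Allows decrypted client traffic to be turned around and sent back out the
! same outside interface, as the reply describes. Packets forwarded this way
! still carry the client's 10.180.180.x pool address, so a remote telnet/ssh
! ACL that only lists 5.5.5.5 does not match them.
same-security-traffic permit intra-interface
```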