RA VPN routing beyond firewall interfaces

Jasonch518_2
Level 1

I currently have a PIX 515E running 7.2 code. I have a remote access IPsec VPN tunnel set up. I have an inside interface with 192.168.1.1 255.255.255.0 with a few internal servers etc. The remote access VPN clients get an IP from a pool of 10.180.180.1-10.180.180.5. They can communicate with anything on the 192.168.1.x network fine; that part is simple. The problem I am looking for an answer to is to be able to route beyond the PIX. So say that all the 192.168.1.x clients in the local office NAT to a public IP of 5.5.5.5, which gives them access to the internet and some other devices within our local AS that only allow that IP by a telnet/ssh ACL. Is it possible to have the remote access VPN clients NAT to that public IP somehow over the VPN tunnel to give them access to the equipment beyond the firewall?

Thanks.


singhsaju
Level 4

Hi Jason,

I do not think you will be able to NAT the pool IP to a public IP address if you are terminating VPN clients on the same outside interface where you have configured IP 5.5.5.5 as described above. If you have enabled "same-security-traffic permit intra-interface", the VPN client traffic will be redirected to the internet with source IP 10.180.180.1-5 and not 5.5.5.5.

The only solution I can think of is that you can do VPN and then telnet to a router/host in the 192.168.1.x subnet and from there initiate telnet/ssh to the other hosts in your network.

HTH

Saju
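For readers working through the same question, the following PIX/ASA 7.x fragment is an added illustration, not configuration from either poster, of the two pieces the reply refers to: the intra-interface permit that lets decrypted client traffic leave by the outside interface again, and an outside-NAT entry that translates the client pool to the office's public address. The addresses are those from the question; the pool name RAPOOL and the NAT id 1 are assumptions, and whether this behaves as intended on a given unit and code release is something to confirm in a lab before relying on it.

```cisco
! Added illustration (not from the thread): hairpin RA VPN client traffic
! back out the outside interface on PIX/ASA 7.x, translated to 5.5.5.5.
! Assumed names: pool RAPOOL, NAT id 1. Addresses are from the question.

! Permit traffic that enters on outside (decrypted VPN) to exit via outside
same-security-traffic permit intra-interface

! Remote access client pool from the question
ip local pool RAPOOL 10.180.180.1-10.180.180.5 mask 255.255.255.0

! Shared public address used by both the office LAN and hairpinned clients
global (outside) 1 5.5.5.5

! Office LAN translation as the question describes it
nat (inside) 1 192.168.1.0 255.255.255.0

! Outside NAT: translate client pool traffic that re-enters through outside
nat (outside) 1 10.180.180.0 255.255.255.248 outside
```

Note the trust consequence: once clients egress as 5.5.5.5, every device whose telnet/ssh ACL keys on that address trusts each remote user exactly as it trusts an office workstation, so the VPN's own authentication and any client-side split-tunnel or filter policy become the only controls distinguishing them.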
