
Remote VPN with NAT.

gabrielgr
Level 1

Hi all,

I'm solving the following problem:

Our employees connect to our network remotely with the Cisco VPN client and can access any resources inside the network.

We have NAT 0 configured so their sessions appear inside the network with IPs assigned from the VPN pool. We have a PIX with inside and outside interfaces.

But we need to access outside resources through the VPN.

So my question is: when traffic gets out from the VPN tunnel, what NAT and ACLs should I configure to access outside resources (on the Internet)? From inside to outside, or should I create a loopback interface?

Please send me an example.

BR

gg

1 Reply

Ricardo Prado Rueda
Cisco Employee

Hi,

To get Internet access while the IPsec VPN Client is connected to your PIX, you have two options:

A. Use split-tunneling. This configuration will tell the VPN client which traffic needs to be encrypted; everything else will be sent out the local Internet connection on the client's end:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

B. Use the option of hairpinning (U-Turn) on the PIX to provide Internet access to the connecting VPN Clients. The only restriction here is that your PIX needs to be running at least version 7:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

   The basic configuration for this setup is as follows:

NAT CONFIGURATION

access-list remotelan permit ip 255.255.255.0 any

nat (outside) 1 access-list remotelan
global (outside) 1 interface

U-TURN

same-security-traffic permit intra-interface

   The rest of the configuration remains the same.

Regards,

Rick.
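
Added example, not part of the reply above and not Cisco's code: a small Python check that the hairpin pieces named in the reply (the outside `nat`/`global` pair, the `remotelan` access list and `same-security-traffic permit intra-interface`) are present in a saved PIX 7.x configuration and that the NAT access list covers the VPN address pool. The pool name `vpnpool`, the 192.168.10.0/24 addresses and the function name `check_hairpin` are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample config; the pool name and addresses are made-up lab values.
SAMPLE_CONFIG = """\
ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
access-list remotelan permit ip 192.168.10.0 255.255.255.0 any
nat (outside) 1 access-list remotelan
global (outside) 1 interface
same-security-traffic permit intra-interface
"""


def check_hairpin(config):
    """Return a list of findings; an empty list means the U-turn pieces line up."""
    text = "\n".join(line.strip() for line in config.splitlines())
    findings = []
    # Without this command the PIX will not send traffic back out the
    # interface it arrived on.
    if not re.search(r"^same-security-traffic permit intra-interface$", text, re.M):
        findings.append("missing: same-security-traffic permit intra-interface")
    nat = re.search(r"^nat \(outside\) (\d+) access-list (\S+)$", text, re.M)
    if not nat:
        findings.append("missing: nat (outside) <id> access-list <name>")
        return findings
    nat_id, acl = nat.groups()
    # The nat and global statements are tied together by their NAT ID.
    if not re.search(rf"^global \(outside\) {nat_id} ", text, re.M):
        findings.append(f"missing: global (outside) {nat_id}")
    # Source networks the NAT access list permits towards any destination.
    acl_re = rf"^access-list {re.escape(acl)} (?:extended )?permit ip ([\d.]+) ([\d.]+) any$"
    nets = [ipaddress.ip_network(f"{net}/{mask}", strict=False)
            for net, mask in re.findall(acl_re, text, re.M)]
    # Every VPN address pool must fall inside one of those networks, otherwise
    # client traffic is not translated on its way back out.
    for name, first, last in re.findall(r"^ip local pool (\S+) (\S+)-(\S+)", text, re.M):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if not any(lo in n and hi in n for n in nets):
            findings.append(f"pool {name} not covered by access-list {acl}")
    return findings


if __name__ == "__main__":
    print(check_hairpin(SAMPLE_CONFIG) or "hairpin NAT pieces are consistent")
```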
