Re: Internet access for VPN client

From: Frank Winkler <frank-usenet@xxxxxxxxxxxxxx>
Date: Thu, 10 May 2007 11:24:39 +0200

bbkz@xxxxxxxxxxx wrote:

> Moving endpoint from PIX to router... Do you mean like the below:
>
>Now: vpn client-->internet-->PIX501-->local lan-->ROUTER-->internet
>Change to: vpn client-->internet-->VPN ROUTER-->local lan-->PIX501--internet

No, you could keep the upper topology with one difference: currently, the VPN tunnel terminated at the PIX and form there on, it's pure IP through the LAN. What you need is an IPsec tunnel through the PIX right to the router (if it's a VPN router), connecting to a different IP address from the client.
Or you could access the router directly from the Internet, bypassing the PIX. But this depends on your network topology, which I don't know.

>That means I need to buy another VPN router. Is that all vpn routers
>can do this job? If yes, than maybe I can go get a cheap one.

If your current router is not a VPN router then buying a new one would result in the same situation as the current one with the PIX. The point is that you have to terminate the VPN tunnel at the same box you want the Internet traffic to go outside. If this box is a router (not a PIX 501, which is limited to v6), there won't be a problem with traffic passing in and out on the same interface.

>About the other way, setting up a proxy server inside the local lan, I
>have setup a pc with proxy server installed in the local lan. But it
>seems that vpn clients cannot access the internet through the proxy
>server. Vpn clients already enabled the proxy server in Internet
>Explorer. Is there anything wrong with my PIX config?

The PIX should be transparent for this, as soon as the ACLs and NAT settings are ok. Can you reach the proxy from the VPN clients? Can you reach the Internet from the proxy? To fulfill your needs, this proxy server has to have its default route set to ROUTER from above and a backwards route to the VPN clients through the PIX.

Regards

fw
.

Follow-Ups:
- Re: Internet access for VPN client
  - From: bbkz

References:
- Internet access for VPN client
  - From: bbkz
- Re: Internet access for VPN client
  - From: Walter Roberson
- Re: Internet access for VPN client
  - From: bbkz
- Re: Internet access for VPN client
  - From: Walter Roberson
- Re: Internet access for VPN client
  - From: Frank Winkler
- Re: Internet access for VPN client
  - From: bbkz

Prev by Date: Re: Pix vpn Site to Site problem
Next by Date: Re: Newbie: REQ: Peer Review: Proper use of a Catalyst 4948
Previous by thread: Re: Internet access for VPN client
Next by thread: Re: Internet access for VPN client
Index(es):
- Date
- Thread

Relevant Pages

Re: [fw-wiz] PIX to Router IPSec
... The most important concept in IPSec VPN implementation is staying focused ... Many PIX users stumble over one of two common issues. ... Even if it is a near duplicate ACL; ... >I'm going to establish a PIX to Router IPSec tunnel between two locations. ...
(Firewall-Wizards)
Re: Dump 2620 config to a 1721
... If I swap out the 2620 router with the 1721 I know from experience that ... PIX and the VPN box will not be able to talk to the 1721 until they are ... I know this is related to the ARP cache. ...
(comp.dcom.sys.cisco)
Re: Dump 2620 config to a 1721
... If I swap out the 2620 router with the 1721 I know from experience that ... PIX and the VPN box will not be able to talk to the 1721 until they are ... I know this is related to the ARP cache. ...
(comp.dcom.sys.cisco)
Re: Dump 2620 config to a 1721
... Internet Router, a PIX 515, and VPN 3005 Concentrator connected to a switch. ... I know this is related to the ARP cache. ...
(comp.dcom.sys.cisco)
Re: Dump 2620 config to a 1721
... If I swap out the 2620 router with the 1721 I know from experience that ... PIX and the VPN box will not be able to talk to the 1721 until they are ... I know this is related to the ARP cache. ...
(comp.dcom.sys.cisco)