PIX 501: NAT VPN Clients to Inside?
- From: Aaron <Aaron.Smith@xxxxxxxx>
- Date: Thu, 24 Apr 2008 08:23:10 -0700 (PDT)
Ok. What I want to do seems quite simple, but whatever I just can't
quite get the pieces to mesh. I have a pix 501 that I'm trying to
configure to provide VPN access to our local network for clients
running the Cisco VPN client 4.x.
Our network is seperated into VLANS, but uses public IP's for most
machines. I'll use fake numbers for my examples though. The Outside
interface has a public IP of 172.46.32.100. This is connected to our
DMZ VLAN. The "Inside" interface has a public IP of 172.46.24.100,
which is connected to a separate VLAN.
What I want to do is have the VPN clients connect to the outside
interface, get a private IP (from 192.168.2.0/24) and then be NAT'd
(PAT) to the inside interface IP of 172.46.24.100. That way, the
routing meshes with everything because all the VPN client traffic
would appear to come from the interface IP of the pix. In all the
various permutations of configurations I've done, it ends up with the
client computer connecting, getting a 192.168 address, and then it
merely passes through the IP un-NAT'd (i.e., the servers on the local
network see connections coming in from 192.168.2.x). I can make this
work by adding static routes to direct traffic destined for
192.168.2.x to the PIX, but I'd rather have it just NAT everything to
make things cleaner.
.
- Follow-Ups:
- Re: PIX 501: NAT VPN Clients to Inside?
- From: Aaron
- Re: PIX 501: NAT VPN Clients to Inside?
- From: Aaron
- Re: PIX 501: NAT VPN Clients to Inside?
- Prev by Date: Re: reverse route injection maintenance
- Next by Date: Re: PIX 501: NAT VPN Clients to Inside?
- Previous by thread: DHCP on DMZ interface
- Next by thread: Re: PIX 501: NAT VPN Clients to Inside?
- Index(es):
Relevant Pages
|
