10-10-2003 09:44 AM - edited 02-20-2020 11:02 PM
Hello Everyone,
I have a PIX 515E configured with 3 interfaces: outside, inside and a Tunnel interface for my VPN clients. VPN clients will not only be accessing the inside network; I have to route them to the other networks through the outside interface. As you cannot route IPsec packets out the same interface they enter on, that's why I used a separate interface for VPN clients. The default gateway is set on the outside interface. Now the problem is that when VPN users try to connect from the Internet, the Tunnel interface is getting traffic but not sending traffic back, as the default route is set to the outside interface.
The Tunnel interface is 192.168.32.253, and if I connect from a PC with an IP address of 192.168.32.50, it works perfectly fine and also routes traffic to other networks through outside, as the PIX knows where to route packets. Can someone please help me resolve this routing issue in the PIX?
inside is 192.168.33.254 security 0
outside is 192.168.34.254 security 100
Tunnel is 192.168.32.253 security 90
nat (inside) 0 access-list 110
access-list 110 permit ip 192.168.33.0 255.255.255.0 any
Thanks in advance.
Kaz
10-13-2003 09:43 AM
Unless you know the networks the clients will be connecting from there may not be a fix, since what it sounds like you need is two default routes, one for encrypted traffic back to the clients and one for unencrypted traffic to the Internet. You might be able to create a NAT pool in the router that provides Internet access for the Tunnel interface so that all incoming client traffic is NATed in that router to an address from a pool. This would make all the remote clients look like they were coming from one subnet so you wouldn't need a default route out the Tunnel interface in the PIX. You'll probably need to make the Internet interface of that router an "ip nat inside" interface because I don't think IOS supports dynamic NAT pools with "ip nat outside source". This will seem backwards, but I think it would work. You'll probably also want to use an access-list or route-map with the pool so the NAT only applies to traffic destined to the PIX Tunnel interface (i.e. VPN traffic), since I'm assuming the same router provides Internet connectivity for both the Outside and Tunnel interfaces of the PIX.
Good luck!
10-11-2003 06:10 AM
You will want a
nat (Tunnel) 0 access-list 111
access-list 111 permit ip 192.168.32.0 255.255.255.0 any
most likely to disable NAT. I think what is happening is that data comes in the tunnel un-NATed, but the reply traffic is getting NATed, and that is breaking connectivity (imagine host 1.2.3.4 sends a request to 5.6.7.8, but gets a reply to the right port number from the wrong IP address because of NAT).
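Putting the two suggestions together as one configuration: the router-side NAT pool from the accepted answer, plus the Tunnel-side NAT exemption from the answer above. This is an added example, not configuration from either poster; the router interface names and Internet address, the router's Tunnel-side address 192.168.32.254 and the otherwise unused 192.168.35.0/24 pool subnet are assumptions.

```cisco
! --- IOS router that fronts the PIX Tunnel interface (names/addresses assumed) ---
! The Internet-facing side carries the VPN clients' real addresses and is
! deliberately "ip nat inside": dynamic pools only translate in that direction.
interface FastEthernet0/0
 description Internet
 ip address 203.0.113.2 255.255.255.252
 ip nat inside
!
! Side facing the PIX "Tunnel" interface (192.168.32.253)
interface FastEthernet0/1
 description To-PIX-Tunnel
 ip address 192.168.32.254 255.255.255.0
 ip nat outside
!
! Only IKE (UDP/500), NAT-T (UDP/4500) and ESP addressed to the PIX Tunnel
! interface are translated; everything else through the router is untouched.
access-list 120 permit udp any host 192.168.32.253 eq isakmp
access-list 120 permit udp any host 192.168.32.253 eq non500-isakmp
access-list 120 permit esp any host 192.168.32.253
route-map VPN-TO-PIX permit 10
 match ip address 120
!
! One-to-one pool, no "overload": PAT has no port to key on for ESP.
! 192.168.35.0/24 is an assumed, otherwise unused subnet.
ip nat pool VPNCLIENTS 192.168.35.1 192.168.35.254 netmask 255.255.255.0
ip nat inside source route-map VPN-TO-PIX pool VPNCLIENTS
!
! --- PIX side (assumed) ---
! Every remote client now appears from 192.168.35.0/24, so one static route
! out Tunnel replaces the second default route the original post was missing.
route Tunnel 192.168.35.0 255.255.255.0 192.168.32.254 1
! Keep reply traffic for the Tunnel subnet out of NAT, matching the existing
! nat (inside) 0 / access-list 110 exemption the poster already has.
nat (Tunnel) 0 access-list 111
access-list 111 permit ip 192.168.32.0 255.255.255.0 any
```

After applying it, `show ip nat translations` on the router and `show xlate` on the PIX should show the client's translated 192.168.35.x address on the router and no translation for it on the PIX.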