Solved: 3 Interfaces and PIX Routing

kazahmed · ‎10-10-2003

Hello Everyone,

I have a PIX 515E configured with 3 interfaces, outside, inside and a Tunnel interface for my VPN clients. VPN clients will not only be accessing inside network, I have to route them to the other networks through outside interface. As you cannot route IPSEC packets from the same interface its entering thats why I used a seperate interface for VPN clients. Default gateway is set on outside interface. Now the problem is that when vpn users try to connect from Internet, Tunnel interface is getting traffic but not sending traffic back as default route is set to outside interface.

Tunnel interface is 192.168.32.253 and If I connect from a pc with ip address of 192.168.32.50, its works perfectly fine and also routing traffic to other networks through outside as PIX knows where to route packets. Can someone please help me to resolve this routing issue in PIX.

inside is 192.168.33.254 security 0

outside is 192.168.34.254 security 100

Tunnel is 192.168.32.253 security 90

nat (inside) 0 access-list 110

access-list 110 permit ip 192.168.33.0 255.255.255.0 any

Thanks in advance.

Kaz

ddawson · ‎10-13-2003

Unless you know the networks the clients will be connecting from there may not be a fix, since what it sounds like you need is two default routes, one for encrypted traffic back to the clients and one for unencrypted traffic to the Internet. You might be able to create a NAT pool in the router that provides Internet access for the Tunnel interface so that all incoming client traffic is NATed in that router to an address from a pool. This would make all the remote clients look like they were coming from one subnet so you wouldn't need a default route out the Tunnel interface in the PIX. You'll probably need to make the Internet interface of that router an "ip nat inside" interface because I don't think IOS supports dynamic NAT pools with "ip nat outside source". This will seem backwards, but I think it would work. You'll probably also want to use an access-list or route-map with the pool so the NAT only applies to traffic destined to the PIX Tunnel interface (i.e. VPN traffic), since I'm assuming the same router provides Internet connectivity for both the Outside and Tunnel interfaces of the PIX.

Good luck!

View solution in original post

mostiguy · ‎10-11-2003

You will want a

nat (0) access-list 111

access-list 111 permit ip 192.168.32.0 255.255.255.0 any

most likely to disable NAT. I think what is happening is that data comes in the tunnel unNATed, but the reply traffic is getting NATed, and that is breaking connectivity (imagine host 1.2.3.4 sends a request to 5.6.7.8, but gets a reply to the right port number, but from the wrong ip address because of NAT)

ddawson · ‎10-13-2003

Unless you know the networks the clients will be connecting from there may not be a fix, since what it sounds like you need is two default routes, one for encrypted traffic back to the clients and one for unencrypted traffic to the Internet. You might be able to create a NAT pool in the router that provides Internet access for the Tunnel interface so that all incoming client traffic is NATed in that router to an address from a pool. This would make all the remote clients look like they were coming from one subnet so you wouldn't need a default route out the Tunnel interface in the PIX. You'll probably need to make the Internet interface of that router an "ip nat inside" interface because I don't think IOS supports dynamic NAT pools with "ip nat outside source". This will seem backwards, but I think it would work. You'll probably also want to use an access-list or route-map with the pool so the NAT only applies to traffic destined to the PIX Tunnel interface (i.e. VPN traffic), since I'm assuming the same router provides Internet connectivity for both the Outside and Tunnel interfaces of the PIX.

Good luck!