07-16-2007 06:56 AM - edited 03-11-2019 03:45 AM
We have many users that connect to a remote VPN. They use a local client on Windows XP, but the only way we can get them to connect is by giving each user a public external IP address, NATing it to their private internal address and using the GRE IP protocol. We have no more public addresses left now. Is there a way we can allow all users to just use one external IP or a pool of IPs to NAT? We only have one or two users (max) that connect to this VPN.
Thanks
07-16-2007 07:09 AM
If I understand you correctly, you want to let outbound PPTP traffic pass through your firewall without using 1:1 NAT as you are currently doing, but rather use a single public IP (PAT)?
It really depends on what firewall you are using, but if you have a PIX firewall running OS 6.3 or later, you can use the command 'fixup protocol pptp 1723'.
This will let PPTP traffic traverse the PIX when configured for PAT, performing stateful PPTP packet inspection in the process.
07-16-2007 07:42 AM
It's a PIX with that version. How can I do this in the ASDM?
07-16-2007 07:50 AM
Try Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab and enable PPTP inspection.
07-16-2007 07:51 AM
That's it? I wish I knew about this earlier :) So what public address will all users use? Plus, any downtime on the PIX when I enable this?
07-16-2007 07:58 AM
What address they will use depends on your NAT/PAT configurations. You can let them use the outside interface address with PAT if you want.
There should not be any downtime (unless you also change NAT configuration and clear the translation table).
07-16-2007 01:32 PM
OK, once I tick that "PPTP" box, what should I do for the NAT/PAT config? Explained in an idiot's guide please :) as this is new to me.
Many thanks in advance for your help.
07-16-2007 01:52 PM
You said you are using static NAT for computers that connect through VPN, and I guess that other computers are accessing the internet through the same firewall using dynamic NAT?
Then you only have to remove the statics, and all computers should have the same NAT policy applied.
To configure dynamic NAT the easiest way is to use the interface address:
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
Replace 10.0.0.0 with whatever network you are using internally.
This will translate all internal source addresses to the outside interface address.
Have a look here for some ideas of how to control NAT with ASDM:
07-16-2007 11:15 PM
Would I have to still create a security policy for example allow 10.0.0.0 255.0.0.0 on PPTP and GRE?
07-17-2007 12:32 AM
If you have an outbound ACL you should make sure that PPTP control traffic is allowed out (TCP port 1723). The inspection engine dynamically creates the GRE connections and translations necessary to permit PPTP traffic.
07-17-2007 02:41 AM
I noticed that there are no NAT rules on the outside interface. Do I need to do this for all our VLANs/subnets, or leave this all blank?
07-17-2007 02:52 AM
The source network is on your inside interface, and you can specify every subnet that you use, or just use 0.0.0.0 mask 0.0.0.0 to translate every subnet.
Then you need to add a dynamic pool on the outside interface. It can be a range of addresses or the outside interface address.
Easiest way to do it is, of course, to just enter these two lines:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
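Pulling the thread's pieces together, here is an added example of the complete PIX configuration (not posted by anyone in the thread). It assumes PIX 7.x syntax with the default global policy, an inside ACL named inside_access_in, a constructed 10.0.0.0/8 internal network, and placeholder addresses in the static line being removed.

```cisco
! Added example, not from the thread. PIX 7.x assumed; the static below uses placeholder addresses.

! 1. Remove the per-user 1:1 statics that were each consuming a public address
!    (repeat for every existing static). Existing translations for those hosts are dropped.
no static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! 2. PAT every inside source address to the outside interface address
!    (use the real internal network instead of 0.0.0.0 0.0.0.0 to limit it).
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! 3. Enable PPTP inspection so the firewall opens the GRE (IP protocol 47)
!    pinholes and translations for the PPTP data channel itself.
!    PIX 6.3 equivalent of this block:  fixup protocol pptp 1723
policy-map global_policy
 class inspection_default
  inspect pptp
service-policy global_policy global

! 4. If an outbound ACL is applied on inside, only the control channel (TCP 1723)
!    needs to be permitted; GRE is handled by the inspection engine.
access-list inside_access_in extended permit tcp 10.0.0.0 255.0.0.0 any eq 1723
access-group inside_access_in in interface inside

! Verification after a client connects: the xlate table should show a PAT entry
! for the client's control connection rather than a per-host static.
show xlate
```

Removing the statics only affects hosts that had one; the remaining users keep their existing dynamic translations unless the xlate table is cleared.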
07-17-2007 02:55 AM
Will there be any downtime when I apply this?
07-17-2007 02:57 AM
It depends on your existing NAT configuration. Can you attach the configuration?