VPN Client to Pix, Then Overload NAT Pool Address

shiprider
Level 1

Hi Everyone:

When a remote-access VPN user connects into my PIX, I want to allow said user to traverse to a router (through another interface on the firewall) but hide the pool addresses. Is this possible?

What if the user came into me via a site-to-site tunnel; could this work as well?

My reason is simplicity (and security): I don't want the router to see users' LAN addresses (in the case of site-to-site) or assigned pool addresses. My intention is to overload to the outgoing interface's address. I'm using PIX 6.

Thanks in advance.

1 Reply

carenas123
Level 5

Cisco routers have a feature called VPN pass-through that might help solve your issue.

In order to allow the VPN traffic to pass through the router, configure an access list that allows these protocols and ports:

Encapsulating Security Payload (ESP) protocol (IP Protocol 50) or Authentication Header (AH) protocol (IP Protocol 51) between the user and the VPN server

User Datagram Protocol (UDP) port 500

UDP port 4500

Refer to this access-list configuration example:

access-list 101 permit esp any any
access-list 101 permit udp any any eq 4500
access-list 101 permit udp any any eq 500

Once the access list is created, bind it to the interface in the appropriate direction, either inbound or outbound, with this command:

ip access-group 101 {in | out}
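As an added example (not part of carenas123's reply), here is a fuller version of the same pass-through access list for IOS. It assumes a hypothetical VPN server at 203.0.113.10 that remote users reach through the router's outside interface GigabitEthernet0/0; both the address and the interface name are constructed for illustration. It narrows the permits to that host instead of `any any`, and it includes the AH permit (`ahp`, IP protocol 51) that the reply lists among the required protocols but its example access list does not contain.

```cisco
! Added example for IOS, not from the original reply.
! Assumptions (constructed): the VPN server is 203.0.113.10 and remote
! users arrive on GigabitEthernet0/0 (the router's outside interface).
!
! IKE (ISAKMP, UDP/500) and NAT-Traversal (UDP/4500) to the VPN server only
access-list 101 remark IPsec pass-through to VPN server 203.0.113.10
access-list 101 permit udp any host 203.0.113.10 eq 500
access-list 101 permit udp any host 203.0.113.10 eq 4500
! ESP (IP protocol 50) and AH (IP protocol 51); the reply's example omits AH
access-list 101 permit esp any host 203.0.113.10
access-list 101 permit ahp any host 203.0.113.10
! Everything else hits the implicit deny; make it explicit and log while testing
access-list 101 deny ip any any log
!
! Apply inbound on the interface the remote users arrive on
interface GigabitEthernet0/0
 description Outside, towards remote VPN users
 ip access-group 101 in
```

Because an extended access list ends with an implicit deny, any other traffic the interface must carry has to be permitted above the final `deny` line before the list is applied, and the addresses in the rules must be the ones the traffic has on that interface. Scoping the permits to the VPN server's address rather than `any any` is the least-privilege form: it lets IKE, NAT-T, ESP and AH reach only the host that terminates the tunnel.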
