03-27-2011 10:46 AM
Hello, I've come to the experts since I've exhausted every possible idea in my head.
I have a FWSM in my 6509, this firewall is managing three VLANs, one of which holds a file server. As you all know, FWSM do not support VPN like the ASAs and PIXs do.
I have been trying to add remote access to this file server LAN all week. The only VPN device i have is a 2801 router.
first layout
The idea was that my VPN address pool would be NAT'd back to the FWSM on its VLAN. Since the FWSM was managing this VLAN and recognized the source IP of the translated address pool, I would have access to my precious file server. No luck.
second layout
This idea was to have more of an 'inside' and 'outside' interface on the VPN router. This too did not work; having used every trick in the book, I could still not ping anything on the FWSM LAN while VPN'd into the network (aside from the LAN interface on my router).
Traceroute was showing that all routes were headed out fa 0/1 (default route) and all to my FWSM died. I really don't think my address pool is being NAT'd, though my route-map statement applied to the NAT policy is permitting my VPN address pool.
I am new to VPN technology, one of those things that happened to land on my lap. Can someone give a suggestion as to how this layout could work? There are no good VPN remote access walkthroughs for a situation like this (2801 allowing access to a FWSM-controlled LAN).
Thanks, and have a good weekend!
03-27-2011 01:06 PM
Frank,
To be honest it sounds like you were facing routing issues rather than anything VPN specific.
Typical solution is to advertise remote access prefixes into whatever RP you have. I.e. the FWSM needs to know where to route the RA IPsec users.
I also wouldn't try traceroute too much on FWSM ... by default at least ... FWSM doesn't decrease TTL by default (you'll find lots of links saying how this can be addressed).
As a note I'm not a fan of traffic having to traverse FWSM too many times for single flow so I would not put VPN router behind FWSM.
On the other hand FWSM will provide "protection" to VPN services.
So you have situation like this
Internet
|
|
|
FWSM ------- VPN router
|
|
|
Internal resources
You need static NAT on FWSM for VPN service (udp/4500 and udp/500).
VPN router (best use DVTI solution) - redistributes static routes to RP.
FWSM - add additional NAT statements as needed for traffic from VPN going out to internet or internal resources.
Marcin
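The layout above as an added configuration sketch (not from the thread, and not tested against this network): it assumes the 2801 hangs off an FWSM interface named `vpn` (10.20.0.0/24), the file-server VLAN is `inside` (10.10.10.0/24), the RA pool is 192.168.200.0/24, and the FWSM and router share OSPF area 0; all addresses, names and keys are constructed placeholders.

```cisco
! --- FWSM (ASA-style syntax) ---
! Publish the 2801 (10.20.0.2) as 198.51.100.10 and allow only IKE, NAT-T and ESP to it.
static (vpn,outside) 198.51.100.10 10.20.0.2 netmask 255.255.255.255
access-list outside_in extended permit udp any host 198.51.100.10 eq isakmp
access-list outside_in extended permit udp any host 198.51.100.10 eq 4500
access-list outside_in extended permit esp any host 198.51.100.10
access-group outside_in in interface outside
! Let the RA pool reach the file-server VLAN without translation.
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list vpn_in extended permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0
access-group vpn_in in interface vpn
! Learn the per-client routes the router redistributes (FWSM uses a netmask here).
router ospf 1
 network 10.20.0.0 255.255.255.0 area 0

! --- 2801 (IOS, DVTI remote access) ---
aaa new-model
aaa authentication login RA-AUTH local
aaa authorization network RA-AUTHZ local
username vpnuser secret CHANGE-ME
ip local pool RA-POOL 192.168.200.1 192.168.200.254
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp client configuration group RA-GROUP
 key CHANGE-ME-GROUP-KEY
 pool RA-POOL
crypto isakmp profile RA-PROF
 match identity group RA-GROUP
 client authentication list RA-AUTH
 isakmp authorization list RA-AUTHZ
 client configuration address respond
 virtual-template 1
crypto ipsec transform-set RA-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile RA-IPSEC
 set transform-set RA-TS
 set isakmp-profile RA-PROF
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile RA-IPSEC
! Each connected client gets a /32 static route via its Virtual-Access
! interface; redistribute those so the FWSM learns the return path.
router ospf 1
 network 10.20.0.0 0.0.0.255 area 0
 redistribute static subnets
```

With this in place, `show ip route` on the FWSM should list a host route per connected client pointing at 10.20.0.2; if it does not, the return path is the problem, not the tunnel.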
03-27-2011 02:05 PM
Thanks for the reply, I'll go back and confirm my routes in the FWSM.