VPN Client behind firewall does not work

jbeining
Community Member

Hi

I have this customer that needs a PIX firewall to terminate some few VPN clients.

The PIX has a public IP address on the outside and a private address on the inside - the VPN pool uses addresses from the inside network - no need to reach any hosts here.

Behind this is a firewall of some kind, that should allow this single VPN host remote desktop access to a server.

Problem is: When the host with the VPN client is on the Internet with a public IP address, it works fine, but as soon as it gets behind a NAT device, nothing works any more.

I have tried with and without NAT-T, so that is not a solution.

What could be the problem here? It is some kind of NAT problem, but what?

3 Replies

ehirsel
Level 11

I want to make sure that I understand the topology correctly. Is this the topology:

vpn client -- pix -- other_fw -- server

where the vpn client connection terminates on the public interface of the pix, the other_fw host is on the inside (or dmz) interface of the pix, and the server is behind this other firewall. Let me know if I described it correctly.

In addition, the pix or other_fw is configured to only allow the vpn clients to run the remote desktop protocol to the server, not any other server or service. Am I correct in understanding that?

If I am correct, then ensure that the pix code is running 6.3.3 or higher and that the isakmp nat-traversal global config command is in the pix config. That will tell the pix to perform nat detection for vpn clients behind a nat/pat device.

Let me know if you need any more help.
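As an added illustration, not taken from this thread or from the PIX documentation, here is a PIX 6.3 fragment showing the NAT-T setting referred to above together with the console checks that separate "no tunnel" from "tunnel up, RDP still blocked"; the interface, pool and group names are assumptions.

```cisco
! Assumed PIX 6.3.x outside-interface VPN client termination (names are placeholders).
! With NAT-T, IKE detects a NAT between client and PIX and moves IKE and ESP to UDP/4500,
! so the NAT device in front of the client must pass UDP/500 and UDP/4500 outbound.
isakmp enable outside
isakmp nat-traversal 20                 ! keepalive every 20 s keeps the NAT mapping open
sysopt connection permit-ipsec          ! decrypted client traffic bypasses the outside ACL
ip local pool VPNPOOL 10.0.0.200-10.0.0.210   ! assumed pool on the inside network
vpngroup RDPUSERS address-pool VPNPOOL

! Checks to run on the PIX while the client attempts to connect and then to RDP:
show crypto isakmp sa                   ! client peer present in state QM_IDLE => IKE is up
show crypto ipsec sa                    ! #pkts encaps/decaps both rising => tunnel carries data
! If the SAs are up but RDP fails, the problem is past the PIX: the inner firewall must
! permit TCP/3389 from the pool addresses and must not NAT the replies asymmetrically.
```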

jbeining
Community Member

Hi

You got the setup right.

The PIX is running 6.3.4 and the ISAKMP NAT-TRAVERSAL command is in the config, but still... no luck.

I wonder if the other firewall is doing some NAT'ing and if this could be a problem?

Just wondering whether the VPN tunnel can't be established at all or the remote PC can't RDP after the VPN tunnel is established.