krash092097
asked on
VPN Client - RAS - VPN-PIX Route Mapping
This is a classic "VPN Gateway behind the PIX" question...
Can NAT/PAT/Static Routes be used on a Trusted PIX Port
to provide Web Access to
RAS/VPN Client to
VPN3000 Gateway to
PIX Trusted Port
The VPN Gateway is positioned on a subnet behind the PIX.
URL references are appreciated. Thanks.
Tim Weil - CCNP
Well, now this certainly complicates matters to extreme. May I ask why all these gyrations?
>Client laptop establishes RAS connection (behind the PIX?)- IP#1
Do you mean dialup, or PPTP?
>Client authenticates at VPN - IP#2
What type VPN? What is the server? What authentication mechanism?
>Client requests Network services thru PIX trusted
DMZ Port - IP#3
Authorization for network services should not require another IP address. What method are you using for the authorization? TACACS? Radius?
We need to keep this in the open forum as this is a collaborative group. If I miss something, some other experts may jump in to my rescue.
G'day, krash, there has not been any activity on this question in 12 days.
Do you still need assistance, need more information, or have you solved your problem? Can you close
out this question?
ASKER
Thanks.
Issue closed.
Static route across the PIX seems to fix the problem.
krash
ASKER
ACL for Inbound permissions -- Got it
Enabled service for esp, isakmp, udp port 10000 - Got it
Problem we are trying to solve -
1. VPN tunnel is established behind PIX (no tunnelling thru Untrusted (public IP/static port) required).
2. IPSec tunnel built via RAS/VPN Gateway behind PIX
3. Access to Network services thru trusted port on PIX requires multiple route translations
4. Example -
Client laptop establishes RAS connection - IP#1
Client authenticates at VPN - IP#2
Client requests Network services thru PIX trusted DMZ Port - IP#3
5. What address would a Network Service query respond to? How would PIX map HTTP response request to VPN tunnel address (IP#2)?
Can I email you offline?
krash
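As an added example, not configuration posted in this thread and not taken from Cisco documentation, here is what the "static route across the PIX" that resolved the question, together with the inbound esp/isakmp/udp 10000 permissions the asker mentions, could look like on a PIX 6.x. Every address, interface name and access-list name below is an assumed placeholder: 10.10.10.0/24 is the VPN3000's client address pool (the thread's IP#2), 192.168.1.5 is the VPN3000's private interface on the PIX inside subnet, 172.16.1.10 is the web server on the DMZ interface, and 203.0.113.5 is a public address mapped to the VPN3000 for the case where remote clients do arrive through the outside interface.

```cisco
! Added example, not from the thread. All addresses and names are assumed.
! Assumed topology:
!   outside (203.0.113.1) -- PIX -- inside (192.168.1.1), VPN3000 private side at 192.168.1.5
!                              \-- dmz (172.16.1.1), web server at 172.16.1.10
!   The VPN3000 assigns remote clients addresses from 10.10.10.0/24 (IP#2 in the thread).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0

! 1. Inbound permissions (the esp / isakmp / udp 10000 the asker enabled). Only needed
!    if clients reach the VPN3000 through the outside interface; 203.0.113.5 is assumed.
static (inside,outside) 203.0.113.5 192.168.1.5 netmask 255.255.255.255
access-list outside_in permit esp any host 203.0.113.5
access-list outside_in permit udp any host 203.0.113.5 eq isakmp
access-list outside_in permit udp any host 203.0.113.5 eq 10000
access-group outside_in in interface outside

! 2. The static route. The PIX has no interface on 10.10.10.0/24; that network only
!    exists on the far side of the VPN3000. Without this route the HTTP reply from the
!    DMZ server to the client's tunnel address (IP#2) follows the default route or is
!    dropped. Hand it to the VPN3000's private interface through the inside port.
route inside 10.10.10.0 255.255.255.0 192.168.1.5 1

! 3. Let the pool reach the DMZ server. Exempting the pool from translation (nat 0)
!    keeps the server seeing the real 10.10.10.x address, which the reply in step 2
!    then routes back to the VPN3000.
access-list nonat permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat
!    Alternative, if the pool must appear with a DMZ-side address instead:
! nat (inside) 1 10.10.10.0 255.255.255.0
! global (dmz) 1 172.16.1.200-172.16.1.250

! 4. Restrict the pool to HTTP on the web server only. Note that applying an ACL on the
!    inside interface replaces the default higher-to-lower-security permit, so anything
!    else the inside network needs toward the dmz must be listed here as well.
access-list inside_out permit tcp 10.10.10.0 255.255.255.0 host 172.16.1.10 eq www
access-group inside_out in interface inside
```

The `route inside` line is the one that answers question 5 in the thread: the PIX does not map the HTTP response to the tunnel address, it simply routes the reply for IP#2 to the VPN3000's private side like any other destination network, and the VPN3000 puts it back into the client's IPSec tunnel. `show route` confirms the route is installed and `show xlate` shows whether the pool addresses are being translated or exempted as intended.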