

VPN Client - RAS - VPN-PIX Route Mapping

Posted on 2003-02-26
Medium Priority
Last Modified: 2013-11-16
This is a classic "VPN Gateway behind the PIX" question...

Can NAT/PAT/Static Routes be used on a Trusted PIX Port
to provide Web Access to

RAS/VPN Client to
VPN3000 Gateway to
PIX Trusted Port

The VPN Gateway is positioned on a subnet behind the PIX.
URL references are appreciated. Thanks.

Tim Weil - CCNP
Question by: krash092097

Accepted Solution

lrmoore earned 300 total points
ID: 8030639
Yes, absolutely.

I don't know of any particular url that provides specific configurations, but just put the VPN300x public on a DMZ interface, create a static nat map to a public ip for it, and create an access list to permit inbound from any to esp, isakmp, and udp port 10000

If you have specific questions or get stumped at any particular point, I can help. I have actually done this for multiple clients.
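The three things the accepted solution lists (concentrator's public side on a DMZ interface, a static NAT to a public address, an inbound access list for ISAKMP, ESP and UDP/10000) look roughly like this on a PIX 6.x. This is an added illustration, not lrmoore's or the asker's configuration; every address, interface name and ACL name below is assumed, and the comment lines are annotations to strip before pasting.

```cisco
! --- Assumed addressing (example only, not from the thread) ---
! outside: 203.0.113.1/24   public block
! dmz:     192.168.50.1/24  VPN 3000 public interface sits here (192.168.50.10)
! inside:  10.1.1.1/24      internal servers
nameif ethernet2 dmz security50
ip address outside 203.0.113.1 255.255.255.0
ip address dmz 192.168.50.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! One-to-one static so the concentrator's public interface is reachable
! from the Internet as 203.0.113.10. A static (not a PAT) matters here:
! ESP carries no port numbers, so it only survives a 1:1 translation.
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255 0 0

! Permit exactly what an IPsec VPN client needs and nothing else:
! ISAKMP/IKE (udp/500), ESP (IP protocol 50) and IPsec-over-UDP on
! udp/10000 (the Cisco VPN Client default when NAT-T is not used).
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit esp any host 203.0.113.10
access-list outside_in permit udp any host 203.0.113.10 eq 10000
access-group outside_in in interface outside
```

After applying it, `show xlate` should list the 203.0.113.10 to 192.168.50.10 static, and a client connecting from outside should show up in `show conn` as a udp/500 connection to 203.0.113.10 followed by ESP or udp/10000. If the client negotiates IKE but no data flows, the ESP or udp/10000 line is the usual culprit.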

Author Comment

ID: 8032836
DMZ interface with public IP - Got it
ACL for Inbound permissions -- Got it
Enabled service for esp, isakmp, udp port 10000 - Got it

Problem we are trying to solve -

   1. VPN tunnel is established behind PIX (no tunnelling
      thru Untrusted (public IP/static port) required).

   2. IPSec tunnel built via RAS/VPN Gateway behind PIX

   3. Access to Network services thru trusted port on PIX
      requires multiple route translations

   4. Example -  
        Client laptop establishes RAS connection - IP#1
        Client authenticates at VPN - IP#2  
        Client requests Network services thru PIX trusted
        DMZ Port - IP#3

   5. What address would a Network Service query respond
      to?  How would PIX map HTTP response request to
      VPN tunnel address (IP#2)?

Can I email you offline?

Expert Comment

ID: 8033372
Well, now this certainly complicates matters to the extreme. May I ask why all these gyrations?

>Client laptop establishes RAS connection (behind the PIX?)- IP#1
Do you mean dialup, or PPTP?

>Client authenticates at VPN - IP#2
What type VPN? What is the server? What authentication mechanism?

>Client requests Network services thru PIX trusted
       DMZ Port - IP#3
Authorization for network services should not require another IP address. What method are you using for the authorization? TACACS? Radius?

We need to keep this in the open forum as this is a collaborative group. If I miss something, some other experts may jump in to my rescue.


Expert Comment

ID: 8112439
G'day, krash, there has not been any activity on this question in 12 days.
Do you still need assistance, need more information, or have you solved your problem? Can you close
out this question?

Author Comment

ID: 8119966
Issue closed.
Static route across the PIX seems to fix the problem.
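The closing remark is terse, so here is what the "static route across the PIX" typically amounts to, as an added example rather than the asker's actual configuration. It answers question 5 above: an internal server replies to the VPN client's pool address (IP#2), that reply goes to the server's default gateway, and the PIX must know to hand pool-bound packets back to the concentrator, which then encrypts them to the client. Everything below is assumed: the concentrator's private side is taken to be on the PIX dmz segment (192.168.50.10), servers are on inside (10.1.1.0/24) with the PIX as their default gateway, and the VPN 3000 hands clients addresses from 10.10.10.0/24. If the concentrator's private interface instead sits directly on the inside segment, the PIX is not in the path and the same route belongs on the servers' default router.

```cisco
! --- Assumed addressing (example only, not from the thread) ---
! dmz     192.168.50.0/24, VPN 3000 private interface at 192.168.50.10
! inside  10.1.1.0/24, servers whose default gateway is the PIX inside
! client pool assigned by the VPN 3000: 10.10.10.0/24 (the "IP#2" addresses)

! 1. The static route. Without it the PIX has no idea where 10.10.10.x
!    lives and drops the servers' replies (or sends them out the default
!    route). With it, replies go back to the concentrator for encryption.
route dmz 10.10.10.0 255.255.255.0 192.168.50.10 1

! 2. Identity static so inside hosts keep their real addresses toward dmz.
!    The PIX will not pass dmz->inside traffic without some translation
!    for the inside destination; a one-to-one identity static is the
!    cleanest (nat (inside) 0 access-list ... is the other common way).
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0

! 3. dmz is lower security than inside, so decrypted client traffic needs
!    an explicit permit. Scope it to the pool, not the whole dmz segment,
!    so a compromised host on the dmz does not inherit VPN-client access.
access-list dmz_in permit ip 10.10.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group dmz_in in interface dmz
```

Check it with `show route` (the 10.10.10.0 entry should point at 192.168.50.10 via dmz) and, with a client connected and pinging a server, `show conn` should show the 10.10.10.x to 10.1.1.x connection on the dmz/inside pair. If the server sees the request but the client never gets the answer, the route in step 1 is what to look at first.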

