Cisco VPN Routing Question
asked by onsite_tech
Is there a way I can set up a Cisco PIX 501 so that any traffic bound for the Internet goes out the normal connection, any connections going to 10.10.5.x go down the VPN tunnel, but connections going to 10.10.5.2 on port 3389 go through the Internet instead of the VPN tunnel? I think you can do all of this on a router, but I'm not sure about a PIX.
OK, first set the default route to go out onto the Internet.
Next, you need to know the address of your gateway to the Internet; let's call that g1.g2.g3.g4.
And you need to know the IP address of the entry to your VPN tunnel; let's call that t1.t2.t3.t4.
Your routing would look like

ip route 0.0.0.0 0.0.0.0 g1.g2.g3.g4          (the default route)
ip route 10.10.5.0 255.255.255.0 t1.t2.t3.t4
ip route 10.10.5.2 255.255.255.255 g1.g2.g3.g4

To route only port 3389, I would need my notes. I recall a syntax that I used with the setup of a NAT like:

ip nat inside source static tcp 10.10.5.2 3389 g1.g2.g3.g4 3389 extendable

Try using the syntax composer in IOS (Tab key) to see if you can have the same syntax on ip route instead of ip nat.
On the other hand, would it matter to you if that traffic on port 3389 went through a NAT translation?
If you did it for incoming traffic, just imagine what you would type if you owned the IP address 10.10.5.2 and it were standing in the room next to you. Maybe you have to send traffic to the gateway address that (if seated at the 10.10.5.2 computer) you would type as the default gateway out (and use the public side of that machine).
This is as far as I get without books.
I hope it helps you.
Marc
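The answer above is written in IOS route syntax. A PIX 501 (PIX OS 6.x) has no interface to route into for an IPsec tunnel: a packet is encrypted and sent to the peer when it matches the access list bound to the crypto map, so the per-port exception the question asks for is a deny entry placed in front of the subnet permit in that list, and the same exception has to be mirrored in the NAT-exemption list so the RDP flow is PATed and follows the default route like any other Internet traffic. The fragment below is an added example, not configuration from the original thread. The inside network 192.168.1.0/24, the peer address p1.p2.p3.p4, the names vpn-traffic, nonat, vpnmap and strong, and the interface names inside/outside are assumed; g1.g2.g3.g4 is the Internet gateway from the answer. ISAKMP policy, pre-shared key and sysopt settings are assumed to exist already and are not repeated. Lines starting with ! are explanatory comments for the reader; drop them when pasting.

```cisco
! Added example, not from the original post. Assumed: inside net 192.168.1.0/24,
! peer p1.p2.p3.p4, list/map names vpn-traffic, nonat, vpnmap, transform set "strong".

! Default route: anything the crypto map does not claim leaves via the ISP gateway.
route outside 0.0.0.0 0.0.0.0 g1.g2.g3.g4 1

! Interesting traffic for the tunnel. First match wins, so the deny for RDP to
! 10.10.5.2 must precede the permit for the whole 10.10.5.0/24 subnet.
access-list vpn-traffic deny   tcp 192.168.1.0 255.255.255.0 host 10.10.5.2 eq 3389
access-list vpn-traffic permit ip  192.168.1.0 255.255.255.0 10.10.5.0 255.255.255.0

! NAT exemption mirrors the crypto list. The RDP flow must NOT be exempted, or it
! would leave with its private source address and no reply could come back.
! (Assumption: this PIX release honours the deny entry here; confirm with
! "show xlate" after opening an RDP session.)
access-list nonat deny   tcp 192.168.1.0 255.255.255.0 host 10.10.5.2 eq 3389
access-list nonat permit ip  192.168.1.0 255.255.255.0 10.10.5.0 255.255.255.0
nat (inside) 0 access-list nonat

! Ordinary PAT to the outside address for everything else, including the RDP exception.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Tunnel definition: bind the interesting-traffic list to the crypto map.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-traffic
crypto map vpnmap 10 set peer p1.p2.p3.p4
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
```

After applying this, open an RDP session to 10.10.5.2 and check that the hit count on the deny entry in "show access-list vpn-traffic" increments while "show xlate" shows a PAT entry for the connection; any other traffic to 10.10.5.0/24 should still raise the counters under "show crypto ipsec sa". Two things to keep in mind: that RDP session now crosses the Internet with only RDP's own protection rather than the IPsec tunnel, and it arrives at 10.10.5.2 from the PIX's outside address, so the remote host (and the remote PIX, if it filters inbound traffic) must accept TCP 3389 from that address.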
ASKER
Ahh, I'll look and see if that works correctly.
Also, it turns out that the other end of this tunnel is not NATed at all (the 10.10.5.x address is really a publicly routable address range, with the remote PIX doing no NATing). I'm guessing that won't affect anything?
As a matter of fact, it makes things a lot easier if the other side is not running NAT!
Marc