PIX 501:Permit traffic through VPN connection over PIX501 Nat connection

Posted on 2006-05-30
Last Modified: 2013-11-16
Okay. I'm going to try to lay out what I'm currently doing and then ask at the end what I'm wanting this configuration to do.

I have a PIX 501 which is the primary router for my local network. This PIX hands out the DHCP numbers and gives internet access to all the machines on the network over NAT. This PIX also acts as a VPN client to my corporate VPN server using Easy VPN. This allows the local network to access network resources of my corporate office locally. This is not a site-to-site connection but a NAT configuration. The PIX is assigned IP address 10.10.10.100 for its VPN connection's IP number. All the computers on the local network look like they are coming from 10.10.10.100 on the corporate network.

What I want to do is make it so one computer (let's say IP 10.10.10.200) can access the web server over my VPN connection at 10.10.10.100:80, which is really IP address 192.168.0.2 on my local network. I don't want to give all the ports of 192.168.0.2 to answer to 10.10.10.100. Just port 80. And I only want it to be from a computer coming from IP address 10.10.10.200 and not the whole 10.10.10.x network.

How would I do this? Would I use a static? Or an access-list? Or both? When I tried to do a static I realized that there wasn't a name for the VPN connection. So would I refer to it as outside?  Examples please.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  ******** encrypted
passwd  ******** encrypted
hostname router
domain-name  ********
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any any eq smtp
access-list inbound permit tcp any any eq pop3
access-list inbound permit tcp any any eq imap4
access-list inbound permit tcp any any eq 16080
access-list inbound permit tcp any any eq ftp
access-list inbound permit tcp any any eq 5900
access-list inbound permit tcp any any eq telnet
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.2 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 192.168.1.2 imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.1.2 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 192.168.1.2 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 16080 192.168.1.3 16080 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.2 16080 netmask 255.255.255.255 0 0
access-group inbound in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp enable outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.20-192.168.1.30 inside
dhcpd dns  ********
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
vpnclient server  ********
vpnclient mode client-mode
vpnclient vpngroup  ******** password ********
vpnclient enable
terminal width 80

Question by:surbahns
3 Comments
Expert Comment

by:stressedout2004
ID: 16795247
>>>>What I want to do is make it so one computer (let's say IP 10.10.10.200) can access the web server over my VPN connection at 10.10.10.100:80, which is really IP address 192.168.0.2 on my local network. I don't want to give all the ports of 192.168.0.2 to answer to 10.10.10.100. Just port 80. And I only want it to be from a computer coming from IP address 10.10.10.200 and not the whole 10.10.10.x network.


-- I'm sorry, but I didn't quite understand what you are trying to accomplish. Can you please rephrase it? In your example, where is 10.10.10.200 located?
Accepted Solution

by:renill (earned 1000 total points)
ID: 16796300
static (inside,outside) tcp interface www 192.168.0.2 80 netmask 255.255.255.255 0 0

Add this entry and try it out.
Assisted Solution

by:lrmoore (earned 1000 total points)
ID: 16797922
>All the computers on the local network look like they are coming from 10.10.10.100 on the corporate network.  
 Then given your posted config, your outside interface must be 10.10.10.100

>What I want to do is make it so one computer (lets say ip 10.10.10.200) can access the web server over my VPN
OK, take renill's example to set a static port xlate, then add an access-list

access-list outside_in permit tcp host 10.10.10.200 interface outside eq 80
static (inside,outside) tcp interface www 192.168.0.2 80 netmask 255.255.255.255
access-group outside_in in interface outside
 
>static (inside,outside) tcp interface www 192.168.1.2 16080 netmask 255.255.255.255 0 0
Oh, but wait: you already have interface port 80 mapped to an internal host on port 16080.
You will have to remove this static xlate.

>access-list inbound permit tcp any any eq www
Since you already allow "anyone" to access port 80, you then have to restrict this ACL:
access-list inbound permit tcp host 10.10.10.200 interface outside eq www
access-list inbound deny tcp 10.10.10.0 255.255.255.0 interface outside eq www
access-list inbound permit tcp any any eq www
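The order lrmoore gives matters because PIX access-lists are evaluated first-match with an implicit deny at the end, and a second static on an interface port the existing config already uses will not coexist with the 16080 mapping. The following is an added example (not code from the thread or from Cisco) that parses a small subset of PIX 6.3 access-list and static syntax, evaluates the proposed ACL for a few constructed flows, and flags the duplicate interface-port static. It carries over the thread's assumption that the outside interface answers on 10.10.10.100; the ACL text, static lines and test addresses are constructed for the example.

```python
"""Added example: first-match evaluation of PIX 6.3-style ACLs and a check for
duplicate static PAT entries. Assumes, as the thread does, that the outside
interface address is 10.10.10.100; nothing here is the PIX's own parser."""
import ipaddress
from collections import Counter

# Service names that appear in the posted config; PIX accepts names or numbers after "eq".
PORT_NAMES = {"www": 80, "http": 80, "smtp": 25, "pop3": 110, "imap4": 143,
              "ftp": 21, "telnet": 23}

# Constructed sample inputs, taken from lrmoore's proposed lines and the posted config.
IF_ADDRS = {"outside": "10.10.10.100"}  # assumption carried over from the thread
PROPOSED_ACL = """
access-list inbound permit tcp host 10.10.10.200 interface outside eq www
access-list inbound deny tcp 10.10.10.0 255.255.255.0 interface outside eq www
access-list inbound permit tcp any any eq www
"""
# Same three lines with the broad permit first: it shadows the two lines after it.
SHADOWED_ACL = """
access-list inbound permit tcp any any eq www
access-list inbound permit tcp host 10.10.10.200 interface outside eq www
access-list inbound deny tcp 10.10.10.0 255.255.255.0 interface outside eq www
"""
STATICS = """
static (inside,outside) tcp interface www 192.168.1.2 16080 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.2 80 netmask 255.255.255.255 0 0
"""


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _addr(tokens, i, if_addrs):
    """Consume one PIX address spec starting at tokens[i]; return (network, next_index)."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if t == "interface":
        # "interface outside" resolves to whatever address the interface currently
        # holds, which is why the thread uses it rather than a literal DHCP address.
        return ipaddress.ip_network(if_addrs[tokens[i + 1]] + "/32"), i + 2
    # PIX uses subnet masks (255.255.255.0), not wildcard masks.
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text, if_addrs):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        name, action, proto = tok[1], tok[2], tok[3]
        src, i = _addr(tok, 4, if_addrs)
        dst, i = _addr(tok, i, if_addrs)
        dport = _port(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        rules.append((name, action, proto, src, dst, dport))
    return rules


def evaluate(rules, proto, src, dst, dport):
    """First matching line wins; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (_, action, rproto, rsrc, rdst, rport) in enumerate(rules, 1):
        if rproto not in (proto, "ip"):
            continue
        if s in rsrc and d in rdst and rport in (None, dport):
            return action, n
    return "deny", None


def duplicate_static_ports(text):
    """Return (interfaces, proto, port) keys claimed by more than one static line.
    Two statics cannot map the same interface port, so the posted 16080 mapping
    has to be removed before the new port-80 static can take effect."""
    seen = Counter()
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] == ["static"] and tok[2] in ("tcp", "udp") and tok[3] == "interface":
            seen[(tok[1], tok[2], _port(tok[4]))] += 1
    return [key for key, count in seen.items() if count > 1]


def check_acl(acl_text=PROPOSED_ACL):
    """Evaluate the constructed flows against an ACL; returns action per flow."""
    rules = parse_acl(acl_text, IF_ADDRS)
    outside = IF_ADDRS["outside"]
    return {
        "allowed_host": evaluate(rules, "tcp", "10.10.10.200", outside, 80)[0],
        "other_corp_host": evaluate(rules, "tcp", "10.10.10.50", outside, 80)[0],
        "internet_host": evaluate(rules, "tcp", "203.0.113.9", outside, 80)[0],
        "allowed_host_ssh": evaluate(rules, "tcp", "10.10.10.200", outside, 22)[0],
    }


if __name__ == "__main__":
    print("proposed order:", check_acl())
    print("broad permit first:", check_acl(SHADOWED_ACL))
    print("duplicate statics:", duplicate_static_ports(STATICS))
```

Note what the proposed order still leaves open: the trailing "permit tcp any any eq www" is kept from the original config, so hosts that are not in 10.10.10.0/24 (the "internet_host" flow) still reach port 80; the deny line only carves out the rest of the corporate subnet. Drop that last line if port 80 should be reachable from 10.10.10.200 alone.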