Solved

VPN through PIX then through ISA2004

Posted on 2006-07-13
10
563 Views
Last Modified: 2010-03-05
I would like to configure a VPN tunnel inside a VPN tunnel. the facts

our network:
internet-----PIX------ISA2004-------Switch-----internal network,
I've just solved a problem regarding the Cisco remote access vpn client connectiong to ciscoASA5510 so now it works , I get access to pix and I can see now the external Isa2004 netwrok I would like to establish another vpn if I would like to gain access further into internal network , I 've setup isa as a vpn server using pptp and radius, it works perfectly if not using cisco vpn,
but if I connect from internet and use cisco vpn then inistiate pptp connection to isa I will get connected but no traffic is going on, since I can not get dns settings , I can not ping inside network , it seems that cisco vpn tunnel is not allowing me ,
my question is how should I tell cisco to allow trafic through new tunnel?
I tried split tunniling and created an exemption network which will be exempted from the cisco vpn tunnel ,and this way everything works but is this secure in thes respect? or is there other way to make a vpn tunnel inside a tunnel to work?
thanks in advance

Jordi
0
Comment
Question by:jordi67
  • 6
  • 4
10 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17099922
You are overloading the links. If I were you, I would have the VPN between the client and the pix then configure ISA to allow traffic between the internal lan and the vpn pool ip addresses.

Cheers,
Rajesh
0
 

Author Comment

by:jordi67
ID: 17100066
I would like the users to login to dc, how can I do that by just allowing trafic between the ip pool addresses and internal lan
reaching exchange server and file server?
please let me know if you have an Idea

thanks
Jordi
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17100131
I don't know about the ISA part, assuming that you will configure it to allow the traffic both ways; you can do this on the pix;

1. You can create 2 access-lists to say 'don't nat' when the traffic is flowing through the vpn tunnel.

vpn user--Net0----------PIX----Net1----ISA---Net2

access-list nonat permit ip Net1 <mask> Net0 <mask>
access-list nonat permit ip Net2 <mask> Net0 <mask>

nat (inside) 0 access-list nonat

Done.

Cheers,
Rajesh
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:jordi67
ID: 17101038
so to make it clear ,
net0 should be the vpnpool ip address
net1 should be the inside ip of the pix (external to isa)
net2 is the internal network(inside to isa)where dc,exchange and file server lies
is this correct?
if this is correct,
I just have to configure a way to make the vpn users be able to contact my inside dns (behind isa) so they will resolve the dc name and exchange and be able to login to dc, right?
is it enough to assiagn in vpnpolicy the dns and wins to for the inside network so when clients get connected they will get the dns?

I will try these settings and will let you know
thanks alot for your help
0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 250 total points
ID: 17101479
Yes, that is all correct but just one comment.

In ISA, you'll have to allow types of Netbios, basically windows services you want to run.

Cheers,
Rajesh
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17101957
So it worked ? Are you happy about the results ?


Cheers,
Rajesh
0
 

Author Comment

by:jordi67
ID: 17101974
I would like to thank your for your tips, 100%
I 've decided not to publish DC services cause this will open a hel of ports, which even behind pix I don't trust
I will publish secure imap for outlook and maybe sftp for file service
this way itt will cost me only 2 ports.

thanks again
Best regards
Jordi
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17102014
Yeah that could work as well but it depends solely on the kind of access you want to give them though :-)

Believe me, at some point of time, somebody would like RDP, then Outlook client, then Terminal Services to the server and it might grow on... But it is later though :-)

Cheers,
Rajesh
0
 

Author Comment

by:jordi67
ID: 17102063
and thats what I'm afraid of :) its a matter of time
I remmember when everyone was happy to get his mails through dialup
and now....

all the best deer friend
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17105484
:-)

Cheers,
Rajesh
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
OnPage: Incident management and secure messaging on your smartphone
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question