jordi67
asked on
VPN through PIX then through ISA2004
I would like to configure a VPN tunnel inside a VPN tunnel. the facts
our network:
internet-----PIX------ISA2
I've just solved a problem regarding the Cisco remote access vpn client connectiong to ciscoASA5510 so now it works , I get access to pix and I can see now the external Isa2004 netwrok I would like to establish another vpn if I would like to gain access further into internal network , I 've setup isa as a vpn server using pptp and radius, it works perfectly if not using cisco vpn,
but if I connect from internet and use cisco vpn then inistiate pptp connection to isa I will get connected but no traffic is going on, since I can not get dns settings , I can not ping inside network , it seems that cisco vpn tunnel is not allowing me ,
my question is how should I tell cisco to allow trafic through new tunnel?
I tried split tunniling and created an exemption network which will be exempted from the cisco vpn tunnel ,and this way everything works but is this secure in thes respect? or is there other way to make a vpn tunnel inside a tunnel to work?
thanks in advance
Jordi
our network:
internet-----PIX------ISA2
I've just solved a problem regarding the Cisco remote access vpn client connectiong to ciscoASA5510 so now it works , I get access to pix and I can see now the external Isa2004 netwrok I would like to establish another vpn if I would like to gain access further into internal network , I 've setup isa as a vpn server using pptp and radius, it works perfectly if not using cisco vpn,
but if I connect from internet and use cisco vpn then inistiate pptp connection to isa I will get connected but no traffic is going on, since I can not get dns settings , I can not ping inside network , it seems that cisco vpn tunnel is not allowing me ,
my question is how should I tell cisco to allow trafic through new tunnel?
I tried split tunniling and created an exemption network which will be exempted from the cisco vpn tunnel ,and this way everything works but is this secure in thes respect? or is there other way to make a vpn tunnel inside a tunnel to work?
thanks in advance
Jordi
ASKER
I would like the users to login to dc, how can I do that by just allowing trafic between the ip pool addresses and internal lan
reaching exchange server and file server?
please let me know if you have an Idea
thanks
Jordi
reaching exchange server and file server?
please let me know if you have an Idea
thanks
Jordi
I don't know about the ISA part, assuming that you will configure it to allow the traffic both ways; you can do this on the pix;
1. You can create 2 access-lists to say 'don't nat' when the traffic is flowing through the vpn tunnel.
vpn user--Net0----------PIX---
access-list nonat permit ip Net1 <mask> Net0 <mask>
access-list nonat permit ip Net2 <mask> Net0 <mask>
nat (inside) 0 access-list nonat
Done.
Cheers,
Rajesh
1. You can create 2 access-lists to say 'don't nat' when the traffic is flowing through the vpn tunnel.
vpn user--Net0----------PIX---
access-list nonat permit ip Net1 <mask> Net0 <mask>
access-list nonat permit ip Net2 <mask> Net0 <mask>
nat (inside) 0 access-list nonat
Done.
Cheers,
Rajesh
ASKER
so to make it clear ,
net0 should be the vpnpool ip address
net1 should be the inside ip of the pix (external to isa)
net2 is the internal network(inside to isa)where dc,exchange and file server lies
is this correct?
if this is correct,
I just have to configure a way to make the vpn users be able to contact my inside dns (behind isa) so they will resolve the dc name and exchange and be able to login to dc, right?
is it enough to assiagn in vpnpolicy the dns and wins to for the inside network so when clients get connected they will get the dns?
I will try these settings and will let you know
thanks alot for your help
net0 should be the vpnpool ip address
net1 should be the inside ip of the pix (external to isa)
net2 is the internal network(inside to isa)where dc,exchange and file server lies
is this correct?
if this is correct,
I just have to configure a way to make the vpn users be able to contact my inside dns (behind isa) so they will resolve the dc name and exchange and be able to login to dc, right?
is it enough to assiagn in vpnpolicy the dns and wins to for the inside network so when clients get connected they will get the dns?
I will try these settings and will let you know
thanks alot for your help
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
So it worked ? Are you happy about the results ?
Cheers,
Rajesh
Cheers,
Rajesh
ASKER
I would like to thank your for your tips, 100%
I 've decided not to publish DC services cause this will open a hel of ports, which even behind pix I don't trust
I will publish secure imap for outlook and maybe sftp for file service
this way itt will cost me only 2 ports.
thanks again
Best regards
Jordi
I 've decided not to publish DC services cause this will open a hel of ports, which even behind pix I don't trust
I will publish secure imap for outlook and maybe sftp for file service
this way itt will cost me only 2 ports.
thanks again
Best regards
Jordi
Yeah that could work as well but it depends solely on the kind of access you want to give them though :-)
Believe me, at some point of time, somebody would like RDP, then Outlook client, then Terminal Services to the server and it might grow on... But it is later though :-)
Cheers,
Rajesh
Believe me, at some point of time, somebody would like RDP, then Outlook client, then Terminal Services to the server and it might grow on... But it is later though :-)
Cheers,
Rajesh
ASKER
and thats what I'm afraid of :) its a matter of time
I remmember when everyone was happy to get his mails through dialup
and now....
all the best deer friend
I remmember when everyone was happy to get his mails through dialup
and now....
all the best deer friend
:-)
Cheers,
Rajesh
Cheers,
Rajesh
Cheers,
Rajesh