Solved

VPN through PIX then through ISA2004

Posted on 2006-07-13
10
557 Views
Last Modified: 2010-03-05
I would like to configure a VPN tunnel inside a VPN tunnel. the facts

our network:
internet-----PIX------ISA2004-------Switch-----internal network,
I've just solved a problem regarding the Cisco remote access vpn client connectiong to ciscoASA5510 so now it works , I get access to pix and I can see now the external Isa2004 netwrok I would like to establish another vpn if I would like to gain access further into internal network , I 've setup isa as a vpn server using pptp and radius, it works perfectly if not using cisco vpn,
but if I connect from internet and use cisco vpn then inistiate pptp connection to isa I will get connected but no traffic is going on, since I can not get dns settings , I can not ping inside network , it seems that cisco vpn tunnel is not allowing me ,
my question is how should I tell cisco to allow trafic through new tunnel?
I tried split tunniling and created an exemption network which will be exempted from the cisco vpn tunnel ,and this way everything works but is this secure in thes respect? or is there other way to make a vpn tunnel inside a tunnel to work?
thanks in advance

Jordi
0
Comment
Question by:jordi67
  • 6
  • 4
10 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17099922
You are overloading the links. If I were you, I would have the VPN between the client and the pix then configure ISA to allow traffic between the internal lan and the vpn pool ip addresses.

Cheers,
Rajesh
0
 

Author Comment

by:jordi67
ID: 17100066
I would like the users to login to dc, how can I do that by just allowing trafic between the ip pool addresses and internal lan
reaching exchange server and file server?
please let me know if you have an Idea

thanks
Jordi
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17100131
I don't know about the ISA part, assuming that you will configure it to allow the traffic both ways; you can do this on the pix;

1. You can create 2 access-lists to say 'don't nat' when the traffic is flowing through the vpn tunnel.

vpn user--Net0----------PIX----Net1----ISA---Net2

access-list nonat permit ip Net1 <mask> Net0 <mask>
access-list nonat permit ip Net2 <mask> Net0 <mask>

nat (inside) 0 access-list nonat

Done.

Cheers,
Rajesh
0
 

Author Comment

by:jordi67
ID: 17101038
so to make it clear ,
net0 should be the vpnpool ip address
net1 should be the inside ip of the pix (external to isa)
net2 is the internal network(inside to isa)where dc,exchange and file server lies
is this correct?
if this is correct,
I just have to configure a way to make the vpn users be able to contact my inside dns (behind isa) so they will resolve the dc name and exchange and be able to login to dc, right?
is it enough to assiagn in vpnpolicy the dns and wins to for the inside network so when clients get connected they will get the dns?

I will try these settings and will let you know
thanks alot for your help
0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 250 total points
ID: 17101479
Yes, that is all correct but just one comment.

In ISA, you'll have to allow types of Netbios, basically windows services you want to run.

Cheers,
Rajesh
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 32

Expert Comment

by:rsivanandan
ID: 17101957
So it worked ? Are you happy about the results ?


Cheers,
Rajesh
0
 

Author Comment

by:jordi67
ID: 17101974
I would like to thank your for your tips, 100%
I 've decided not to publish DC services cause this will open a hel of ports, which even behind pix I don't trust
I will publish secure imap for outlook and maybe sftp for file service
this way itt will cost me only 2 ports.

thanks again
Best regards
Jordi
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17102014
Yeah that could work as well but it depends solely on the kind of access you want to give them though :-)

Believe me, at some point of time, somebody would like RDP, then Outlook client, then Terminal Services to the server and it might grow on... But it is later though :-)

Cheers,
Rajesh
0
 

Author Comment

by:jordi67
ID: 17102063
and thats what I'm afraid of :) its a matter of time
I remmember when everyone was happy to get his mails through dialup
and now....

all the best deer friend
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17105484
:-)

Cheers,
Rajesh
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Suggested Solutions

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now