VPN through PIX then through ISA2004

I would like to configure a VPN tunnel inside a VPN tunnel. the facts

our network:
internet-----PIX------ISA2004-------Switch-----internal network,
I've just solved a problem regarding the Cisco remote access vpn client connectiong to ciscoASA5510 so now it works , I get access to pix and I can see now the external Isa2004 netwrok I would like to establish another vpn if I would like to gain access further into internal network , I 've setup isa as a vpn server using pptp and radius, it works perfectly if not using cisco vpn,
but if I connect from internet and use cisco vpn then inistiate pptp connection to isa I will get connected but no traffic is going on, since I can not get dns settings , I can not ping inside network , it seems that cisco vpn tunnel is not allowing me ,
my question is how should I tell cisco to allow trafic through new tunnel?
I tried split tunniling and created an exemption network which will be exempted from the cisco vpn tunnel ,and this way everything works but is this secure in thes respect? or is there other way to make a vpn tunnel inside a tunnel to work?
thanks in advance

Jordi
jordi67Asked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
rsivanandanConnect With a Mentor Commented:
Yes, that is all correct but just one comment.

In ISA, you'll have to allow types of Netbios, basically windows services you want to run.

Cheers,
Rajesh
0
 
rsivanandanCommented:
You are overloading the links. If I were you, I would have the VPN between the client and the pix then configure ISA to allow traffic between the internal lan and the vpn pool ip addresses.

Cheers,
Rajesh
0
 
jordi67Author Commented:
I would like the users to login to dc, how can I do that by just allowing trafic between the ip pool addresses and internal lan
reaching exchange server and file server?
please let me know if you have an Idea

thanks
Jordi
0
Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

 
rsivanandanCommented:
I don't know about the ISA part, assuming that you will configure it to allow the traffic both ways; you can do this on the pix;

1. You can create 2 access-lists to say 'don't nat' when the traffic is flowing through the vpn tunnel.

vpn user--Net0----------PIX----Net1----ISA---Net2

access-list nonat permit ip Net1 <mask> Net0 <mask>
access-list nonat permit ip Net2 <mask> Net0 <mask>

nat (inside) 0 access-list nonat

Done.

Cheers,
Rajesh
0
 
jordi67Author Commented:
so to make it clear ,
net0 should be the vpnpool ip address
net1 should be the inside ip of the pix (external to isa)
net2 is the internal network(inside to isa)where dc,exchange and file server lies
is this correct?
if this is correct,
I just have to configure a way to make the vpn users be able to contact my inside dns (behind isa) so they will resolve the dc name and exchange and be able to login to dc, right?
is it enough to assiagn in vpnpolicy the dns and wins to for the inside network so when clients get connected they will get the dns?

I will try these settings and will let you know
thanks alot for your help
0
 
rsivanandanCommented:
So it worked ? Are you happy about the results ?


Cheers,
Rajesh
0
 
jordi67Author Commented:
I would like to thank your for your tips, 100%
I 've decided not to publish DC services cause this will open a hel of ports, which even behind pix I don't trust
I will publish secure imap for outlook and maybe sftp for file service
this way itt will cost me only 2 ports.

thanks again
Best regards
Jordi
0
 
rsivanandanCommented:
Yeah that could work as well but it depends solely on the kind of access you want to give them though :-)

Believe me, at some point of time, somebody would like RDP, then Outlook client, then Terminal Services to the server and it might grow on... But it is later though :-)

Cheers,
Rajesh
0
 
jordi67Author Commented:
and thats what I'm afraid of :) its a matter of time
I remmember when everyone was happy to get his mails through dialup
and now....

all the best deer friend
0
 
rsivanandanCommented:
:-)

Cheers,
Rajesh
0
All Courses

From novice to tech pro — start learning today.