Solved

VPN through PIX then through ISA2004

Posted on 2006-07-13
10
561 Views
Last Modified: 2010-03-05
I would like to configure a VPN tunnel inside a VPN tunnel. The facts:

our network:
internet-----PIX------ISA2004-------Switch-----internal network,
I've just solved a problem regarding the Cisco remote access VPN client connecting to the Cisco ASA5510, so now it works: I get access to the PIX and I can now see the external ISA2004 network. I would like to establish another VPN if I want to gain access further into the internal network. I've set up ISA as a VPN server using PPTP and RADIUS; it works perfectly if not using the Cisco VPN,
but if I connect from the internet, use the Cisco VPN and then initiate a PPTP connection to ISA, I get connected but no traffic is flowing: since I cannot get DNS settings, I cannot ping the inside network. It seems that the Cisco VPN tunnel is not allowing me.
My question is: how should I tell Cisco to allow traffic through the new tunnel?
I tried split tunnelling and created an exemption network which is exempted from the Cisco VPN tunnel, and this way everything works, but is this secure in this respect? Or is there another way to make a VPN tunnel inside a tunnel work?
Thanks in advance

Jordi
0
Question by:jordi67
10 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17099922
You are overloading the links. If I were you, I would have the VPN between the client and the PIX, then configure ISA to allow traffic between the internal LAN and the VPN pool IP addresses.

Cheers,
Rajesh
0
 

Author Comment

by:jordi67
ID: 17100066
I would like the users to log in to the DC; how can I do that by just allowing traffic between the IP pool addresses and the internal LAN, reaching the Exchange server and file server?
Please let me know if you have an idea.

Thanks
Jordi
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17100131
I don't know about the ISA part; assuming that you will configure it to allow the traffic both ways, you can do this on the PIX:

1. You can create 2 access-lists to say 'don't NAT' when the traffic is flowing through the VPN tunnel.

vpn user--Net0----------PIX----Net1----ISA---Net2

access-list nonat permit ip Net1 <mask> Net0 <mask>
access-list nonat permit ip Net2 <mask> Net0 <mask>

nat (inside) 0 access-list nonat

Done.

Cheers,
Rajesh
0
 

Author Comment

by:jordi67
ID: 17101038
So, to make it clear:
net0 should be the VPN pool IP addresses
net1 should be the inside IP of the PIX (external to ISA)
net2 is the internal network (inside to ISA) where the DC, Exchange and file server lie
Is this correct?
If this is correct,
I just have to configure a way to make the VPN users able to contact my inside DNS (behind ISA) so they will resolve the DC name and Exchange and be able to log in to the DC, right?
Is it enough to assign in the VPN policy the DNS and WINS for the inside network so that when clients get connected they will get the DNS?

I will try these settings and will let you know.
Thanks a lot for your help
0
 
LVL 32

Accepted Solution

by: rsivanandan earned 250 total points
ID: 17101479
Yes, that is all correct, but just one comment.

In ISA, you'll have to allow the NetBIOS types, basically the Windows services you want to run.

Cheers,
Rajesh
0
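The thread's pieces put together as one PIX 6.x configuration fragment (an added example, not Rajesh's or Jordi's actual config): the two no-NAT entries, a route so the PIX reaches Net2 through ISA's external address, and the DNS/WINS hand-out to the VPN clients instead of a split-tunnel exemption. All addresses, the pool and vpngroup names and the domain are constructed placeholders, and the vpngroup syntax assumes PIX 6.x (an ASA 7.x would carry the same attributes under group-policy).

```cisco
! Constructed addresses for illustration only (not the poster's real networks):
!   Net0 = VPN client pool        192.168.100.0/24
!   Net1 = PIX inside / ISA external 10.1.1.0/24  (ISA external IP 10.1.1.2)
!   Net2 = internal LAN behind ISA   10.2.0.0/24  (DC/DNS 10.2.0.10, WINS 10.2.0.11)
! The ISAKMP/IPsec crypto map the poster already has working is omitted.

ip local pool vpnpool 192.168.100.1-192.168.100.50

! 1. Exempt tunnel traffic from NAT: inside networks (Net1 and Net2) -> VPN pool (Net0)
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 10.2.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! 2. The PIX must know that Net2 sits behind ISA's external interface,
!    otherwise replies to Net2 hosts never reach the tunnel
route inside 10.2.0.0 255.255.255.0 10.1.1.2 1

! 3. Hand the internal DNS/WINS to the clients so the DC, Exchange and
!    file-server names resolve across the tunnel (the DNS question above).
!    No split-tunnel statement: all client traffic stays inside the tunnel.
vpngroup vpnusers address-pool vpnpool
vpngroup vpnusers dns-server 10.2.0.10
vpngroup vpnusers wins-server 10.2.0.11
vpngroup vpnusers default-domain example.local

! 4. Let decrypted IPsec traffic bypass the outside interface ACL on the PIX;
!    ISA still needs its own access rule from Net0 to Net2 for the
!    Windows/NetBIOS services that should be reachable
sysopt connection permit-ipsec
```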
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17101957
So it worked? Are you happy with the results?


Cheers,
Rajesh
0
 

Author Comment

by:jordi67
ID: 17101974
I would like to thank you for your tips, 100%.
I've decided not to publish DC services because this would open a hell of a lot of ports, which even behind the PIX I don't trust.
I will publish secure IMAP for Outlook and maybe SFTP for file service;
this way it will cost me only 2 ports.

thanks again
Best regards
Jordi
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17102014
Yeah, that could work as well, but it depends solely on the kind of access you want to give them though :-)

Believe me, at some point in time somebody would like RDP, then the Outlook client, then Terminal Services to the server, and it might grow on... But that is later though :-)

Cheers,
Rajesh
0
 

Author Comment

by:jordi67
ID: 17102063
And that's what I'm afraid of :) It's a matter of time.
I remember when everyone was happy to get his mails through dialup,
and now....

All the best, dear friend
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17105484
:-)

Cheers,
Rajesh
0