Multiple Servers Behind Firewall, want 1 of them to use Point-to-Point tunnel to remote Sonicwall

I have a configuration with multiple VMs hosted behind a PIX 506e running 6.3(5) (I know, we are in the process of replacing it, but for now I need to use it), and I need to have one of them connect to a remote location via a point-to-point tunnel (SonicWall). When I use this configuration, the main firewall sees the tunnel, not the specific machine that I am wanting to see the tunnel.

Any ideas? Thanks in advance.

12.34.56.154 is the external address of the server we want to access the external server behind the SonicWall

56.78.89.184 is the internal address of the same server

98.87.65.217 is the external address of the server for the SonicWall

10.10.10.15 is the internal address of the SonicWall server

Sample config:

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 105 permit tcp any host 12.34.56.153 eq 7899
access-list 105 permit udp any host 12.34.56.153 eq 7899
access-list 105 permit tcp any host 12.34.56.152 eq ftp
access-list 105 permit udp any host 12.34.56.152 eq 21
access-list 105 permit tcp any host 12.34.56.152 eq ftp-data
access-list 105 permit udp any host 12.34.56.152 eq 20
access-list 105 permit tcp any host 12.34.56.154 eq www
access-list 105 permit udp any host 12.34.56.154 eq www
access-list 105 permit tcp any host 12.34.56.154 eq 7899
access-list 105 permit udp any host 12.34.56.154 eq 7899
access-list 105 permit tcp any host 12.34.56.155 eq www
access-list 105 permit udp any host 12.34.56.155 eq www
static (inside,outside) 12.34.56.153 56.78.89.183 netmask 255.255.255.255 00
static (inside,outside) 12.34.56.152 56.78.89.182 netmask 255.255.255.255 00
static (inside,outside) 12.34.56.154 56.78.89.184 netmask 255.255.255.255 00
static (inside,outside) 12.34.56.155 56.78.89.185 netmask 255.255.255.255 00
static (inside,outside) udp 12.34.56.152 www 56.78.89.182 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.34.56.153 www 56.78.89.183 www netmask 255.255.255.255 0 0
static (inside,outside) udp 12.34.56.153 www 56.78.89.183 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.34.56.153 7899 56.78.89.183 7899 netmask 255.255.255.255 0 0
static (inside,outside) udp 12.34.56.153 7899 56.78.89.183 7899 netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.34.56.152 ftp 56.78.89.182 ftp netmask 255.255.255.255 0 0
static (inside,outside) udp 12.34.56.152 21 56.78.89.182 21 netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.34.56.152 ftp-data 56.78.89.182 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) udp 12.34.56.152 20 56.78.89.182 20 netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.34.56.154 www 56.78.89.184 www netmask 255.255.255.255 0 0
static (inside,outside) udp 12.34.56.154 www 56.78.89.184 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.34.56.154 7899 56.78.89.184 7899 netmask 255.255.255.255 0 0
static (inside,outside) udp 12.34.56.154 7899 56.78.89.184 7899 netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.34.56.155 www 56.78.89.185 www netmask 255.255.255.255 0 0
static (inside,outside) udp 12.34.56.155 www 56.78.89.185 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.34.56.155 7899 56.78.89.185 7899 netmask 255.255.255.255 0 0
static (inside,outside) udp 12.34.56.155 7899 56.78.89.185 7899 netmask 255.255.255.255 0 0
access-list acl-out permit udp host 12.34.56.154 host 192.169.60.184 eq isakmp
access-list acl-out permit udp host 12.34.56.154 host 56.78.89.184 eq 4500
access-group acl-out in interface outside
access-list 105 permit ip host 56.78.89.184 host 10.10.10.15
access-list 105 permit ip host 10.10.10.15 host 56.78.89.184
access-list nonat permit ip host 56.78.89.184 host 10.10.10.15
access-list nonat permit ip host 10.10.10.15 host 56.78.89.184
access-list caplist permit ip host 12.34.56.154 host 98.87.65.217
access-list caplist permit ip host 98.87.65.217 host 12.34.56.154
crypto ipsec transform-set nsset esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map nsmap 10 ipsec-isakmp
crypto map nsmap 10 match address 105
crypto map nsmap 10 set peer 98.87.65.217
crypto map nsmap 10 set transform-set nsset
crypto map nsmap interface outside
isakmp enable outside
isakmp enable inside
isakmp nat-traversal 20
isakmp key ************* address 98.87.65.217 netmask 255.255.255.255 no-xauth
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
rodnig1 asked:
Rafael commented:
Rather than stand up both at the same time, it would be best to stand up the first VPN and work out all the kinks before working on the second one. That would help isolate any issues and help get the first one up quickly.

That said, I'll look at it and go from there.
rodnig1 (Author) commented:
I only have the 1 VPN, but we are hosting multiple servers behind the PIX, all NAT'd with external IP addresses.

I only need 1 Server to access the remote VPN tunnel, not all of them.
cef_soothsayer commented:
OK, so you only want ONE machine behind your firewall to have VPN access to a remote network that has a SonicWall?

Is simply installing the SonicWall Global VPN client on that one machine a possibility?

Benjamin Van Ditmars (Sr Network Engineer) commented:
Why not set up an IPsec VPN tunnel? They're made to do this.

Just add, as local (PIX), the local side as the address of the server /32 and the remote network.
Do the same on the other side and you're done.
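As an added illustration of the "server /32 to remote network" rule, not part of this thread: a small lint over a PIX 6.3-style config that checks the crypto ACL named by `crypto map ... match address` contains only the server-to-remote entry, is not also bound as an interface access-group, and that a `nat (inside) 0 access-list` exempts that same traffic from the static NAT (the posted config defines `access-list nonat` but never applies it). The server and remote addresses are taken from the question; the embedded config is a constructed excerpt modelled on the posted one.

```python
# Constructed excerpt modelled on the PIX 6.3 config posted above; not the full config.
SAMPLE_CONFIG = """
access-list 105 permit tcp any host 12.34.56.154 eq www
access-list 105 permit ip host 56.78.89.184 host 10.10.10.15
access-list 105 permit ip host 10.10.10.15 host 56.78.89.184
access-list nonat permit ip host 56.78.89.184 host 10.10.10.15
access-group acl-out in interface outside
crypto map nsmap 10 match address 105
crypto map nsmap 10 set peer 98.87.65.217
"""

def parse(config):
    """Collect ACL entries and the ACL names referenced by crypto map, nat 0 and access-group."""
    acls, crypto, nat0, bound = {}, set(), set(), set()
    for f in (line.split() for line in config.splitlines()):
        if not f:
            continue
        if f[0] == "access-list" and len(f) > 2:
            acls.setdefault(f[1], []).append(f[2:])
        elif f[:2] == ["crypto", "map"] and "address" in f:
            crypto.add(f[f.index("address") + 1])
        elif f[0] == "nat" and len(f) > 4 and f[2] == "0" and f[3] == "access-list":
            nat0.add(f[4])
        elif f[0] == "access-group":
            bound.add(f[1])
    return acls, crypto, nat0, bound

def lint(config, server_ip, remote_ip):
    """Findings for a single-host tunnel: the crypto ACL must be exactly server/32 -> remote."""
    acls, crypto, nat0, bound = parse(config)
    findings = []
    wanted = ["host", server_ip, "host", remote_ip]
    for name in sorted(crypto):
        if name in bound:
            findings.append(f"ACL {name} is both the crypto ACL and an interface access-group; split them")
        for ace in acls.get(name, []):
            # ACE shape: permit <proto> host <src> host <dst> [eq <port>]
            if ace[:2] == ["permit", "ip"] and ace[2:6] == wanted:
                continue
            if ace[2:4] == ["host", remote_ip]:
                findings.append(f"ACL {name}: remote->local entry belongs on the peer, not here")
            else:
                findings.append(f"ACL {name}: '{' '.join(ace)}' is not {server_ip}/32 -> {remote_ip}")
    exempt = any(ace[2:6] == wanted for n in nat0 for ace in acls.get(n, []))
    if not exempt:
        findings.append(f"no 'nat (inside) 0 access-list' exempts {server_ip} -> {remote_ip} from static NAT")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG, "56.78.89.184", "10.10.10.15"):
        print(finding)
```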
frankhelk commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- cef_soothsayer (https:#a41029203)
-- Benjamin Van Ditmars (https:#a41039760)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

frankhelk
Experts-Exchange Cleanup Volunteer