PIX 501: Access an IPSEC VPN through a PPTP VPN - is this possible?

 
 
Alex
Guest
Posts: n/a
 
      05-11-2004
Hello,

I have a PIX 501 configured as my Internet firewall at home. I currently
have an IPSEC VPN configured to connect to servers/PCs at work (using the
crypto/isakmp commands), and I also have a PPTP VPN configured (using the
vpdn commands) so I can "dial-in" to my home network wherever I am.

Is there a way to use the PPTP connection to access the network behind the
IPSEC VPN? I currently "dial-in", use RDP to connect to XP on a PC on my
home network, then from that session use RDP to connect to the servers at
work. I want to do this directly through my PIX, if possible - e.g. when I
don't have any PCs switched on at home.

Any ideas?

Thanks,
Alex

--



 
 
 
 
 
Walter Roberson
Guest
Posts: n/a
 
      05-11-2004
In article <x25oc.16$(E-Mail Removed)>,
Alex <(E-Mail Removed)> wrote:
:I have a PIX 501 configured as my Internet firewall at home. I currently
:have an IPSEC VPN configured to connect to servers/PCs at work (using the
:crypto/isakmp commands), and I also have a PPTP VPN configured (using the
:vpdn commands) so I can "dial-in" to my home network wherever I am.

:Is there a way to use the PPTP connection to access the network behind the
:IPSEC VPN? I currently "dial-in", use RDP to connect to XP on a PC on my
:home network, then from that session use RDP to connect to the servers at
:work. I want to do this directly through my PIX, if possible - e.g. when I
:don't have any PCs switched on at home.

No, you can't do that. PIX will never send packets out the same
[logical] interface the packets came in on, even when tunnels are
involved. Think of it as if the packet was tagged with the interface
it arrived on and there being no way to remove that tag to convince it
to go out the same interface it came in. [Because otherwise, how do
you define the security policies that should apply? Is the IPSec VPN
the "higher security" interface than the PPTP tunnel, or the other way
around?]
--
Feep if you love VT-52's.
 
 
 
 
 
john
Guest
Posts: n/a
 
      05-11-2004
"Alex" <> wrote in message news
> Hello,
> I have a PIX 501 configured as my Internet firewall at home. I currently
> have an IPSEC VPN configured to connect to servers/PCs at work (using the
> crypto/isakmp commands), and I also have a PPTP VPN configured (using the
> vpdn commands) so I can "dial-in" to my home network wherever I am.
>
> Is there a way to use the PPTP connection to access the network behind the
> IPSEC VPN? I currently "dial-in", use RDP to connect to XP on a PC on my
> home network, then from that session use RDP to connect to the servers at
> work. I want to do this directly through my PIX, if possible - e.g. when I
> don't have any PCs switched on at home.
>
> Any ideas?
>
> Thanks,
> Alex



Hi:
Here's an outside-the-box idea: how about
a service like gotomypc.com?
I'm sure if there is another similar product out
there, but since this is the only one I have used
with good results, I am reluctant to recommend others.
I use it to "view" what's on someone else's computer
and manipulate the screen for them while they watch.
john


 
 
Guest
Posts: n/a
 
      05-11-2004
First, the PIX won't route, and it will never send a packet back out the same
interface it came in on. You could use a router with the firewall IOS; this
does work. Now the rest of this is THEORY, and while I started to put this
together at one point, I wasn't able to finish it; maybe you can. It also
requires a router, but it would only need a basic IOS and a single Ethernet
port. I hope you're good with route-map, virtual interfaces, and NAT.

Add the router to your LAN as a router-on-a-stick.
Give it 2 IP addresses, primary on your LAN and secondary, let's say,
192.168.1.1
Add a route to the PIX <company-LAN> 192.168.1.1 (I know, bear with me), and
a route for 192.168.1.0 to the inside interface.
On the router use an ACL to identify the traffic destined for the company-LAN
and using route-map forward it to a virtual interface with a next hop of the
FAR END of the company-VPN tunnel.
The virtual interface should also be nat inside, the Ethernet nat outside,
and use the Ethernet interface address for the translation.
Set the router's default gateway to the PIX.

Now if this twisted idea works, traffic to your company LAN should flow as
follows:
From your remote client to the PIX, which should send it on to the router. The
source address is translated and the original source MAC is lost. The router
sends it back out to the PIX with every indication that it actually
originated from the router. Even though the traffic is bound for the company
LAN, the PIX passes it on to the indicated next hop, which it knows is at the
far end of the tunnel.

Now I'm not saying this will work. And you would have to send all traffic
destined for the company LAN to the router first.

The Firewall IOS would be easier.


"Alex" <(E-Mail Removed)> wrote in message
news25oc.16$(E-Mail Removed)...
> Hello,
>
> I have a PIX 501 configured as my Internet firewall at home. I currently
> have an IPSEC VPN configured to connect to servers/PCs at work (using the
> crypto/isakmp commands), and I also have a PPTP VPN configured (using the
> vpdn commands) so I can "dial-in" to my home network wherever I am.
>
> Is there a way to use the PPTP connection to access the network behind the
> IPSEC VPN? I currently "dial-in", use RDP to connect to XP on a PC on my
> home network, then from that session use RDP to connect to the servers at
> work. I want to do this directly through my PIX, if possible - e.g. when I
> don't have any PCs switched on at home.
>
> Any ideas?
>
> Thanks,
> Alex
>
> --
>
>
>



 
 
 
 