PIX 501: Access an IPSEC VPN through a PPTP VPN - is this possible?

Discussion in 'Cisco' started by Alex, May 11, 2004.

  1. Alex

    Alex Guest

    Hello,

    I have a PIX 501 configured as my Internet firewall at home. I currently
    have an IPSEC VPN configured to connect to servers/PCs at work (using the
    crypto/isakmp commands), and I also have a PPTP VPN configured (using the
    vpdn commands) so I can "dial-in" to my home network wherever I am.

    Is there a way to use the PPTP connection to access the network behind the
    IPSEC VPN? I currently "dial-in", use RDP to connect to XP on a PC on my
    home network, then from that session use RDP to connect to the servers at
    work. I want to do this directly through my PIX, if possible - e.g. when I
    don't have any PCs switched on at home.

    Any ideas?

    Thanks,
    Alex

    --
     
    Alex, May 11, 2004
    #1

  2. In article <x25oc.16$>,
    Alex <> wrote:
    :I have a PIX 501 configured as my Internet firewall at home. I currently
    :have an IPSEC VPN configured to connect to servers/PCs at work (using the
    :crypto/isakmp commands), and I also have a PPTP VPN configured (using the
    :vpdn commands) so I can "dial-in" to my home network wherever I am.

    :Is there a way to use the PPTP connection to access the network behind the
    :IPSEC VPN? I currently "dial-in", use RDP to connect to XP on a PC on my
    :home network, then from that session use RDP to connect to the servers at
    :work. I want to do this directly through my PIX, if possible - e.g. when I
    :don't have any PCs switched on at home.

    No, you can't do that. PIX will never send packets out the same
    [logical] interface the packets came in on, even when tunnels are
    involved. Think of it as if the packet was tagged with the interface
    it arrived on and there being no way to remove that tag to convince it
    to go out the same interface it came in. [Because otherwise, how do
    you define the security policies that should apply? Is the IPSec VPN
    the "higher security" interface than the PPTP tunnel, or the other way
    around?]
    --
    Feep if you love VT-52's.
     
    Walter Roberson, May 11, 2004
    #2

  3. john

    john Guest

    "Alex" <> wrote in message news
    > Hello,
    > I have a PIX 501 configured as my Internet firewall at home. I currently
    > have an IPSEC VPN configured to connect to servers/PCs at work (using the
    > crypto/isakmp commands), and I also have a PPTP VPN configured (using the
    > vpdn commands) so I can "dial-in" to my home network wherever I am.
    >
    > Is there a way to use the PPTP connection to access the network behind the
    > IPSEC VPN? I currently "dial-in", use RDP to connect to XP on a PC on my
    > home network, then from that session use RDP to connect to the servers at
    > work. I want to do this directly through my PIX, if possible - e.g. when I
    > don't have any PCs switched on at home.
    >
    > Any ideas?
    >
    > Thanks,
    > Alex



    Hi:
    Here's an outside the box idea: how about
    a service like gotomypc.com
    I'm sure if there is another similar product out
    there, but since this is the only one I have used
    with good results, I am reluctant to recommend others.
    I use it to "view" what's on someone else's computer
    and manipulate the screen for them while they watch.
    john
     
    john, May 11, 2004
    #3
  4. Guest

    Guest Guest

    First, the PIX won't route. And will never send a packet back out the same
    interface it came in on. You could use a router with the firewall IOS, this
    does work. Now the rest of this is THEORY, and while I started to put this
    together at one point, I wasn't able to finish it; maybe you can. It also
    requires a router, but it would only need a basic IOS and a single Ethernet
    port. I hope you're good with route-map, virtual interfaces, and NAT.

    Add the router to your LAN as a router-on-a-stick.
    Give it 2 IP addresses, primary on your LAN and secondary, let's say,
    192.168.1.1
    Add a route to the PIX <company-LAN> 192.168.1.1 (I know, bear with me), and
    a route for 192.168.1.0 to the inside interface.
    On the router use an ACL to identify the traffic destined for the company-LAN
    and using route-map forward it to a virtual interface with a next hop of the
    FAR END of the company-VPN tunnel.
    The virtual interface should also be nat inside, the Ethernet nat outside,
    and use Ethernet interface address for the translation.
    Set the router's default gateway to the PIX.

    Now if this twisted idea works, traffic to your company LAN should flow as
    follows:
    From your remote client to the PIX, which should send it on to the router. The
    source address is translated and the original source MAC is lost. The router
    sends it back out to the PIX with every indication that it actually
    originated from the router. Even though the traffic is bound for the company
    LAN the PIX passes it on to the indicated next hop, which it knows is at the
    far end of the tunnel.

    Now I'm not saying this will work. And you would have to send all traffic
    destined for the company LAN to the router first.

    The Firewall IOS would be easier.


    "Alex" <> wrote in message
    news:x25oc.16$...
    > Hello,
    >
    > I have a PIX 501 configured as my Internet firewall at home. I currently
    > have an IPSEC VPN configured to connect to servers/PCs at work (using the
    > crypto/isakmp commands), and I also have a PPTP VPN configured (using the
    > vpdn commands) so I can "dial-in" to my home network wherever I am.
    >
    > Is there a way to use the PPTP connection to access the network behind the
    > IPSEC VPN? I currently "dial-in", use RDP to connect to XP on a PC on my
    > home network, then from that session use RDP to connect to the servers at
    > work. I want to do this directly through my PIX, if possible - e.g. when I
    > don't have any PCs switched on at home.
    >
    > Any ideas?
    >
    > Thanks,
    > Alex
    >
    > --
    >
    >
    >
     
    Guest, May 12, 2004
    #4
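The forwarding rule that post #2 describes (a packet is tagged with its ingress interface and is never sent back out that same interface), and the reason Alex's current two-hop RDP workaround from post #1 does work, can be shown in a small forwarding model. This is an added illustration, not PIX software or anything posted in the thread; the topology, address ranges and route table are constructed assumptions, and a real PIX makes this decision inside its own stack rather than with a route lookup like this one.

```python
"""Toy model of the PIX forwarding rule discussed in the thread.

Constructed example: the interfaces, addresses and routes below are
assumptions chosen for illustration, not taken from any real device.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str  # interface the (tunnel-decapsulated) packet arrived on


# Constructed topology (assumed addresses):
#   inside  - home LAN 10.0.0.0/24; PPTP dial-in clients get 10.0.0.192/26
#   outside - Internet; both the PPTP sessions and the IPsec tunnel to the
#             company terminate here, so the company LAN is reached via it
HOME_LAN = ip_network("10.0.0.0/24")
COMPANY_LAN = ip_network("172.16.0.0/16")
PPTP_POOL = ip_network("10.0.0.192/26")

# Static routes as (destination, egress interface, next hop)
ROUTES = [
    (ip_network("0.0.0.0/0"), "outside", "203.0.113.1"),  # default via ISP
    (HOME_LAN, "inside", None),                           # directly connected
    (COMPANY_LAN, "outside", "203.0.113.1"),              # into the IPsec tunnel
]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match; returns (egress interface, next hop)."""
    best = None
    for net, iface, nh in routes:
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def pix_forward(pkt, routes=ROUTES):
    """Apply the rule from post #2: never egress on the ingress interface."""
    egress, _ = route_lookup(pkt.dst, routes)
    if egress == pkt.ingress:
        return "drop: egress equals ingress (no hairpinning)"
    return f"forward via {egress}"


def dial_in_direct(client_ip="10.0.0.200", work_host="172.16.1.10"):
    """What Alex wants: the PPTP client reaches work straight through the PIX.
    After decapsulation the packet is tagged 'outside', and the company LAN
    is also reached via 'outside', so the PIX drops it."""
    assert ip_address(client_ip) in PPTP_POOL  # constructed pool address
    return pix_forward(Packet(client_ip, work_host, "outside"))


def dial_in_via_home_pc(home_pc="10.0.0.50", work_host="172.16.1.10"):
    """Alex's current workaround: RDP to a home PC, then RDP to work from it.
    The second hop originates on the inside LAN, so ingress 'inside' differs
    from egress 'outside' and the packet enters the tunnel."""
    return pix_forward(Packet(home_pc, work_host, "inside"))


if __name__ == "__main__":
    print("direct from PPTP client:", dial_in_direct())
    print("via a home PC:          ", dial_in_via_home_pc())
```

Running the script prints a drop for the direct case and `forward via outside` for the two-hop case, which is the behaviour the thread describes: any design that wants the dial-in traffic to reach the company LAN has to make it arrive on a different interface than the one the tunnel leaves by.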
