pix, vpn and statics

Discussion in 'Cisco' started by P, Aug 5, 2004.

  1. P

    P Guest

    I'm a little rusty, not having used a pix for 18 months or so.

    But I helped one of our clients set up an IPSEC VPN to us (terminated on a
    3725 router).

    I defined the ACL for VPN'd traffic and then had him apply that to NAT 0 on
    his PIX. IPSEC worked fine but then he got a no translation group error when
    the decrypted traffic from me hit his pix. I got him to put in a static for
    the destination IP address and then it worked.

    But

    Does this now preclude the destination machine (the one defined in the
    static) from getting any non-VPN outbound access, since a static has been
    defined from inside to outside that is a private address? (and a static
    overrides NAT rules, right?)

    This is undesirable. I want to get to sites like windowsupdate and
    security.debian.org from my client's end; only traffic destined for a portion
    of my network will go via the ipsec tunnel.

    I can't quite remember how it all works now.. I recall a global pix command
    that effectively says "if you have come in via VPN, I will not pass you through
    the ACLs.." but this is also undesirable as this opens it up too much..

    Is there a happy medium?

    thanks

    P


    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.729 / Virus Database: 484 - Release Date: 27/07/2004
     
    P, Aug 5, 2004
    #1
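    A PIX-side configuration sketch of the "happy medium" asked about above: NAT exemption scoped by an ACL, so only tunnel traffic skips translation and no per-host static is needed. This is an added example, not a configuration from the thread or from Cisco's documentation; the addresses, ACL names and crypto map name are constructed, and the isakmp policy and pre-shared key lines are omitted.

```cisco
! Constructed addressing for this example (not from the thread):
!   client LAN behind the PIX   192.168.10.0/24
!   P's subnet reached via VPN  10.50.0.0/16
!   P's 3725 router (VPN peer)  203.0.113.1
!
! 1. Select exactly the traffic that belongs in the tunnel.
access-list vpn_traffic permit ip 192.168.10.0 255.255.255.0 10.50.0.0 255.255.0.0
!
! 2. Exempt only that traffic from translation. On PIX 6.2 and later this
!    ACL-based identity NAT is bidirectional, so decrypted packets arriving
!    from 10.50.0.0/16 also find a translation and the "no translation group"
!    error goes away without any static. Everything else still uses PAT.
nat (inside) 0 access-list vpn_traffic
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
!
! 3. Reuse the same ACL as the crypto map's interesting traffic, so
!    Windows Update and security.debian.org go straight out via PAT
!    while 192.168.10.0/24 -> 10.50.0.0/16 is encrypted.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn_traffic
crypto map vpnmap 10 set peer 203.0.113.1
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
!
! 4. Instead of the blanket "sysopt connection permit-ipsec" bypass, keep the
!    outside ACL in force and admit only the tunnel subnet through it.
access-list outside_in permit ip 10.50.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-group outside_in in interface outside
!
! What the thread's workaround did: an identity static for one host overrides
! nat/global, so that host would leave the PIX with its private source address
! for every destination, not just the tunnel. Do not add this:
! static (inside,outside) 192.168.10.5 192.168.10.5 netmask 255.255.255.255
```

    The "global pix command" P recalls is `sysopt connection permit-ipsec`; step 4 is the narrower alternative that keeps decrypted traffic subject to the outside interface ACL.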

  2. P

    Mirko Guest

    I have a similar problem I'm working on too. I just got a suggestion to have
    a look at

    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

    (Configuring a Router IPSec Tunnel Private-to-Private Network with NAT and a
    Static)

    Maybe it could help.


    Mirko


    "P" <> wrote in message
    news:QbeQc.2$...
    > I'm a little rusty, not having used a pix for 18 months or so.
    >
    > But I helped one of our clients set up an IPSEC VPN to us (terminated on a
    > 3725 router).
    >
    > I defined the ACL for VPN'd traffic and then had him apply that to NAT 0 on
    > his PIX. IPSEC worked fine but then he got a no translation group error when
    > the decrypted traffic from me hit his pix. I got him to put in a static for
    > the destination IP address and then it worked.
    >
    > But
    >
    > Does this now preclude the destination machine (the one defined in the
    > static) from getting any non-VPN outbound access, since a static has been
    > defined from inside to outside that is a private address? (and a static
    > overrides NAT rules, right?)
    >
    > This is undesirable. I want to get to sites like windowsupdate and
    > security.debian.org from my client's end; only traffic destined for a
    > portion of my network will go via the ipsec tunnel.
    >
    > I can't quite remember how it all works now.. I recall a global pix
    > command that effectively says "if you have come in via VPN, I will not pass you
    > through the ACLs.." but this is also undesirable as this opens it up too much..
    >
    > Is there a happy medium?
    >
    > thanks
    >
    > P
    >
    > ---
    > Outgoing mail is certified Virus Free.
    > Checked by AVG anti-virus system (http://www.grisoft.com).
    > Version: 6.0.729 / Virus Database: 484 - Release Date: 27/07/2004
     
    Mirko, Aug 6, 2004
    #2