Hello.
I am a new user here on the Tek-Tips forums, and this is my first post. I am a network engineer for an IT contract company in Indiana, USA.
I have the basic knowledge and growing experience with Cisco PIX units. I have run into a situation that is above my understanding, however.
One of our customers offers medical services and has a relationship with a nearby hospital. This organization and the hospital are separate entities. As part of the relationship, our customer gets internet access from the hospital. The customer recently moved to a new building.
The old building was connected with the hospital through a WAN link. I'm not too familiar with the setup of the old building, but I know they had a Cisco 2600 router that separated their network from the hospital network.
The new building does not have the WAN link. In fact, we are so close to the hospital, we have a fiber connection directly to the hospital's network. If I plug my PC into the transceiver, I will get a DHCP address from a hospital server.
The company has 5 servers, including file and print servers, DNS, DHCP, antivirus, SQL, RAS, domain controllers, and more. It is in its own domain. It was previously set up on the 10.202.x.x network. We did not want to reconfigure all of our servers for a new IP range, and we certainly did not want to make ourselves a part of the hospital's network (for DHCP, printing, etc.).
We placed a PIX 506e between our network and theirs. Their network is also behind a PIX firewall, but I do not know the model nor do I have access to it. I can, however, talk to the person in charge of it.
Because they are a hospital, access to the network from the outside is strictly controlled. We have been given VPN access into their network. We are allowed one connection, and it will always receive the same IP address. I need to have that VPN address translated into an IP address on our network.
The hospital network admin says he has routed the 10.202.x.x network to our PIX outside IP. I can VPN into the hospital network and ping the PIX outside IP, but cannot access any servers behind the PIX.
The VPN-connection-assigned internal address is 192.168.252.31. I have given this connection the name vpn_conn by doing
[tt]
names
name 192.168.252.31 vpn_conn
[/tt]
I have created an ACL.
[tt]
access-list acl_vpn_conn permit icmp any any
access-list acl_vpn_conn permit tcp any host vpn_conn
access-list acl_vpn_conn permit udp any host vpn_conn
access-group acl_vpn_conn in interface outside
[/tt]
I have also created a static IP entry.
[tt]
static (outside,inside) 10.202.1.25 vpn_conn netmask 255.255.255.255 0 0
[/tt]
I think my problem may lie in the 10.202.1.25 address, as it does not refer to any specific device. I would like for any connection from the vpn_conn address to receive the reserved 10.202.1.25 IP address.
There may be other things I am missing too. I have to step out of the office here, but wanted to get at least this information out there for you to chew on. What do you suggest I try? Or are there things that I need to have the hospital's network admin do to his PIX? He cannot open an outside static IP address for me to use because it would violate their established policy. Am I out of luck here?
Thank you for your help...
JH
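As an added example (not from the original post, and not the poster's or the hospital's configuration), here is one way the translation described above can be expressed on a PIX 6.x. Two details matter for outside-to-inside NAT: the inside 10.202.x.x servers need a bidirectional translation of their own so inbound sessions can reach them (an identity static, since the hospital already routes that range to the PIX outside address), and an ACL applied inbound on the outside interface matches the VPN host as the source of the sessions, with the inside servers as the destination. The inside range 10.202.0.0/16, the name vpn_conn, and TCP 3389 as the exposed service are assumptions for illustration; substitute the services actually required.

```cisco
! Added example for PIX 6.x (assumed) -- not the original poster's configuration.
names
name 192.168.252.31 vpn_conn

! Inside servers keep their real 10.202.x.x addresses toward the hospital,
! because the hospital routes 10.202.0.0/16 to the PIX outside IP.
! An identity static is bidirectional, so inbound sessions can reach them.
static (inside,outside) 10.202.0.0 10.202.0.0 netmask 255.255.0.0 0 0

! The single VPN host appears to inside servers as the reserved 10.202.1.25.
! (real interface = outside, mapped interface = inside; mapped address first)
static (outside,inside) 10.202.1.25 vpn_conn netmask 255.255.255.255 0 0

! Inbound ACL on the outside interface: the VPN host is the SOURCE of the
! sessions and the inside servers are the DESTINATION, written with the
! addresses visible on the outside interface. Limit to the services needed;
! TCP 3389 is an assumed example port, not something the post specifies.
access-list acl_vpn_conn permit icmp host vpn_conn 10.202.0.0 255.255.0.0 echo
access-list acl_vpn_conn permit tcp host vpn_conn 10.202.0.0 255.255.0.0 eq 3389
access-group acl_vpn_conn in interface outside
```

After connecting over the VPN and opening a session, `show xlate` should list a translation between 192.168.252.31 and 10.202.1.25, and `show access-list` should show hit counts on the acl_vpn_conn entries; inside servers will see the session sourced from 10.202.1.25. None of this helps if the hospital's own PIX does not permit 192.168.252.31 to reach 10.202.0.0/16 on the same ports, so that is the specific request to make of the hospital admin rather than asking for an outside static address.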