Cisco VPN Client to PIX 501 queries - subnet mask and default gateway

d.bigerstaff
Level 1

Hi there,

I have a network as follows.

HQ Site with a PIX 501 version 6.3(3) with PDM 3.0(1). This uses a LAN ip of 10.0.0.254/24 and a public IP for the outside interface. Remote users can connect via Cisco VPN Client and access the LAN resources apparently fine.

There is however a couple of problems.

The subnet mask given is 255.0.0.0 where it should be 255.255.255.0.

Also the default gateway is given as 10.0.0.1 where this ideally wouldn't be given so the remote user can still use their router's gateway for all normal internet traffic, or if giving a default gateway is completely unavoidable being able to set this to 10.0.0.254 instead of 10.0.0.1.

I've had a look at the vpngroup commands and into my config and I can't see where either the subnet mask or default gateway is given out.

Can anyone suggest where to start looking or offer me any kind of advice?

Thanks for your time.

7 Replies

acomiskey
Level 10

Your vpn clients should not be on the same subnet as your inside. The gateway assigned will be the same as the ip address assigned by pix.

For internet access, look into split tunneling.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172787.html#wp1076294

OK, so say I give the remote users an IP of 10.0.1.0/24.

How would they know that the 10.0.0.0/24 network is over the PIX? Would I have to start playing with adding routes on the Windows computers or is the Cisco VPN client clever in that it also adds routes for the other connected networks?

Also say they automatically got the default gateway of 10.0.1.1; the PIX doesn't have an IP address of that. Would creating a VPN group automatically take care of that on the PIX?

Thanks for your quick help, it's much appreciated.

The pix determines the subnet mask to assign by the class of the address, for example 10./8, 172./16, 192./24. Your users will get /8 mask.
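The classful-mask rule in the reply above is easy to check before choosing a pool. The script below is an added example, not code from the thread or from Cisco: it reproduces the first-octet rule (0-127 -> /8, 128-191 -> /16, 192-223 -> /24), works out the range a client would treat as directly attached once the PIX pairs a pool address with that mask, and flags whether that range overlaps the 10.0.0.0/24 LAN, which is the overlap the earlier reply warns against. The candidate pools are the three discussed in the thread; the function names are my own.

```python
import ipaddress


# Classful mask rule described in the thread for PIX 6.3 mode-config address
# assignment: first octet 0-127 -> /8, 128-191 -> /16, 192-223 -> /24.
def classful_prefix(addr: str) -> int:
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{addr} is not a class A/B/C unicast address")


def client_on_link_network(addr: str) -> ipaddress.IPv4Network:
    """Range the VPN client sees as directly attached to its virtual adapter
    once the PIX pairs the pool address with its classful mask."""
    return ipaddress.IPv4Network(f"{addr}/{classful_prefix(addr)}", strict=False)


def pool_overlaps_inside(pool_addr: str, inside_lan: str) -> bool:
    """True when that on-link range overlaps the LAN behind the PIX, which is
    the situation the thread says to avoid."""
    return client_on_link_network(pool_addr).overlaps(
        ipaddress.IPv4Network(inside_lan)
    )


def check_pool(pool: str, inside_lan: str) -> dict:
    """Summarise what a candidate pool means for a client, using the first
    usable address of the pool as the representative assignment."""
    pool_net = ipaddress.IPv4Network(pool)
    first_client = str(next(pool_net.hosts()))
    return {
        "client_address": first_client,
        "client_mask": str(client_on_link_network(first_client).netmask),
        "overlaps_inside": pool_overlaps_inside(first_client, inside_lan),
    }


if __name__ == "__main__":
    # Constructed candidates following the thread: the original setup, the
    # 10.0.1.0/24 idea, and the 192.168.102.0/24 pool that was finally used.
    for candidate in ("10.0.0.0/24", "10.0.1.0/24", "192.168.102.0/24"):
        print(candidate, check_pool(candidate, "10.0.0.0/24"))
```

Running it shows why moving the pool to 10.0.1.0/24 would not have helped: a 10.x address still gets a 255.0.0.0 mask, so 10.0.0.0/24 sits inside the client's on-link range, whereas 192.168.102.0/24 gets a /24 mask and stays clear of the LAN.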

Right, I've now set up the vpngroup to give out IP addresses on a different network.

My PIX LAN is still 10.0.0.0/24 but my remote users will get an IP in 192.168.102.0/24.

This still brings me to a default gateway problem. The Cisco client is picking up a default gateway address of 192.168.102.1 and this does not exist on my PIX. Is there a way to create a virtual or VPN interface on the PIX so I can route between VPN users and the local resources?

Thanks again for your time.

The client default gateway will be itself; if the client gets 192.168.102.2, its gateway would be the same. This is typical behavior, it does not need to exist on your PIX and you do not need to add routes to your VPN clients. Are you having issues getting your remote VPN users to connect to inside resources?

I'm starting to understand now. When I first connected to the VPN I checked "ipconfig" and "route print" which showed me a default gateway of 192.168.102.1; my first instinct was to ping the default gateway and of course this failed.

I can access local resources, I can ping our Windows server and access the Exchange server fine.

I can't however access the internet. I checked the tickbox which enabled split tunneling on the PDM VPN wizard and selected "any" on the next page.

I have attached portions of the config in case that can shed some light on my problem.

Thanks again for your help.

Your split tunnel ACL is permit ip any any, which means encrypt everything. If you want simultaneous unencrypted access to the internet over the VPN you have to alter this ACL. Please be aware of the security concerns of split tunneling.

access-list VPNTest_splitTunnelAcl permit ip
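To make the "encrypt everything" point concrete, here is an added example (my own code, not from the thread, the PDM wizard or Cisco) that parses PIX 6.x style access-list lines and applies the split-tunnel semantics described above: the PIX pushes the source side of each permit ip entry to the client as the list of networks to protect, so a destination that falls in one of those sources is tunneled and anything else leaves through the client's own default gateway. The ACL name VPNTest_splitTunnelAcl is taken from the thread; both config fragments are constructed, and the LAN-only entry is my assumed replacement for the wizard's any/any line, using the 10.0.0.0/24 LAN and the 192.168.102.0/24 client pool from the discussion.

```python
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def _parse_address_spec(tokens, i):
    """Consume one PIX address spec at tokens[i]: 'any', 'host A.B.C.D', or
    'A.B.C.D M.M.M.M' (PIX 6.x ACLs use dotted netmasks, not wildcards).
    Returns the network and the index of the next unread token."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_split_tunnel_acl(config_text, acl_name):
    """Collect the (source, destination) pairs of 'permit ip' entries that
    belong to acl_name. Other config lines, and truncated or malformed
    entries, are skipped."""
    entries = []
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[:4] != ["access-list", acl_name, "permit", "ip"]:
            continue
        try:
            src, i = _parse_address_spec(tokens, 4)
            dst, _ = _parse_address_spec(tokens, i)
        except (IndexError, ValueError):
            continue  # incomplete address spec, not a usable entry
        entries.append((src, dst))
    return entries


def is_tunneled(entries, destination):
    """Only the source networks reach the client as its protected list, so the
    destination field of each entry does not influence the decision."""
    dest = ipaddress.IPv4Address(destination)
    return any(dest in src for src, _dst in entries)


def classify(config_text, acl_name, destinations):
    """Map each destination to 'tunnel' or 'clear' under the given ACL."""
    entries = parse_split_tunnel_acl(config_text, acl_name)
    return {d: ("tunnel" if is_tunneled(entries, d) else "clear") for d in destinations}


# Constructed config fragments. The first mirrors what the PDM wizard produced
# in the thread ("any" on the split-tunnel page); the second limits the
# protected list to the 10.0.0.0/24 LAN, with the client pool as destination.
ENCRYPT_EVERYTHING = """
access-list VPNTest_splitTunnelAcl permit ip any any
"""

LAN_ONLY = """
access-list VPNTest_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 192.168.102.0 255.255.255.0
"""

ACL_NAME = "VPNTest_splitTunnelAcl"
# Constructed destinations: the PIX inside address, a LAN host, and an
# internet host from the documentation range.
SAMPLE_DESTINATIONS = ("10.0.0.254", "10.0.0.20", "203.0.113.10")

if __name__ == "__main__":
    print("permit ip any any   :", classify(ENCRYPT_EVERYTHING, ACL_NAME, SAMPLE_DESTINATIONS))
    print("LAN-only split list :", classify(LAN_ONLY, ACL_NAME, SAMPLE_DESTINATIONS))
```

With the any/any entry every destination, including 203.0.113.10, comes back as "tunnel", which is exactly the symptom in the thread (no internet while connected). With the LAN-only entry the two 10.0.0.x destinations are tunneled and the internet host is "clear". On the PIX itself the ACL is tied to the group with the vpngroup split-tunnel command that references it, and the trade-off the reply mentions still stands: any network left out of the list is reachable from the client's local connection while the tunnel is up.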
