PIX515E VPN Client cannot communicate with internal vlans

richkrissi
Level 1

Outside users connect using VPN Client ver. 4.6.03 to a PIX 515E successfully. They can access our subnet of 172.16.0.0 with no issues. However, when trying to access anything on one of our other networks (VLANs) or point-to-point T1 LANs, they cannot. Our router is a 3845 that is the gateway between these LANs.

I am not sure if this is an issue at our 3845 or our PIX. Any help would be appreciated. Thank you in advance.

1 Accepted Solution

Accepted Solutions

Can you please make sure that you have the nat configured properly.

Are you doing split tunneling?

If so, make sure your split tunneling ACL does have the networks for the VPN client pool.

Thanks

Gilbert


7 Replies

ggilbert
Cisco Employee

Hi,

If I understand your statement correctly, the 3845 router Ethernet is in the same segment as the inside interface of the PIX firewall, correct?

So, you are trying to access subnets which are behind the 3845 router, correct?

Are you doing split-tunneling for the VPN clients?

For example:

Let's just say you are assigning an IP address range of 192.168.20.x to your VPN clients.

If the internal IP address of the PIX is 172.16.0.1

If there is a network like 10.10.10.x connected to this 3845 router, make sure you have an ip route statement on the router which says

ip route 192.168.20.0 255.255.255.0 172.16.0.1

Let me know how this works out.

Rate this topic, if it helps!

Cheers

Gilbert

Correct on your first statement... same segment.

Correct on the second question... I have sub-interfaces (VLANs) on the 3845.

We are doing split-tunneling for our clients.

I do have a static route on the 3845...

ip route 192.168.200.0 255.255.255.0 to inside interface of PIX 172.16.0.1

I can ping devices on those VLANs from the PIX with no issue... but not from the client.

I am stumped here....thank you very much for helping!

Check that your crypto ACL and your no-NAT ACL include these inside subnets, not only your 172.16 network.

Sorry "acomiskey" - I did not see your post before posting my answer.

no problems :)


Adding the subnet I needed to get to in split tunneling worked! Thank you very much for your help! Appreciate everyone's help on this issue.
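The thread converges on two checks: the split-tunnel ACL and the NAT-exemption (nat 0) ACL on the PIX must permit traffic between the VPN client pool and every internal subnet, and the router behind the PIX needs a return route for the pool. The script below is an added example, not part of the thread, that runs those checks over a constructed PIX 6.3-style config; it assumes the 172.16.0.0 network is a /16 and uses Gilbert's hypothetical 10.10.10.0/24 VLAN.

```python
"""Check PIX split-tunnel / nat 0 ACL coverage and the router return route.
Assumes PIX 6.3-style extended ACLs: access-list NAME permit ip SRC SMASK DST DMASK,
where SRC is the inside network and DST is the VPN client pool."""
import ipaddress
import re

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", re.M)
# IOS static route: ip route NET MASK NEXT_HOP
ROUTE_RE = re.compile(r"^ip route\s+(\S+)\s+(\S+)\s+(\S+)", re.M)

def net(addr, mask):
    """Build a network from dotted address + dotted netmask (strict=False keeps host bits)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def acl_pairs(config, name):
    """(inside_net, pool_net) pairs for the named ACL, in the order the PIX evaluates them."""
    return [(net(s, sm), net(d, dm))
            for n, s, sm, d, dm in ACL_RE.findall(config) if n == name]

def unreachable_subnets(config, acl_name, pool, internal):
    """Internal subnets the named ACL does not permit to/from the VPN pool.
    Any subnet listed here will be unreachable from the VPN clients."""
    pairs = acl_pairs(config, acl_name)
    return [str(n) for n in internal
            if not any(n.subnet_of(s) and pool.subnet_of(d) for s, d in pairs)]

def router_has_return_route(router_config, pool, pix_inside_ip):
    """True if the router statically routes the VPN pool back to the PIX inside address."""
    return any(net(a, m) == pool and nh == pix_inside_ip
               for a, m, nh in ROUTE_RE.findall(router_config))

# Constructed sample: pool 192.168.200.0/24 (from the thread), inside LAN
# 172.16.0.0/16 (mask assumed) and a hypothetical VLAN 10.10.10.0/24 behind the 3845.
# The split-tunnel ACL is missing the VLAN, which reproduces the symptom in the thread.
PIX_CONFIG = """\
access-list SPLIT permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list NONAT permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list NONAT permit ip 10.10.10.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list NONAT
vpngroup remote split-tunnel SPLIT
"""
ROUTER_CONFIG = "ip route 192.168.200.0 255.255.255.0 172.16.0.1\n"
POOL = ipaddress.ip_network("192.168.200.0/24")
INTERNAL = [ipaddress.ip_network("172.16.0.0/16"), ipaddress.ip_network("10.10.10.0/24")]

if __name__ == "__main__":
    print("not in SPLIT:", unreachable_subnets(PIX_CONFIG, "SPLIT", POOL, INTERNAL))  # ['10.10.10.0/24']
    print("not in NONAT:", unreachable_subnets(PIX_CONFIG, "NONAT", POOL, INTERNAL))  # []
    print("return route:", router_has_return_route(ROUTER_CONFIG, POOL, "172.16.0.1"))  # True
```

Run it against a `show run` capture from the PIX and the router; every subnet reported under SPLIT or NONAT is one the clients will not reach, regardless of what the router routes.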
