PIX515E VPN Client cannot communicate with internal vlans

Answered Question
Feb 28th, 2007

Outside users connect using VPN Client version 4.6.03 to a PIX 515E successfully. They can access our subnet of 172.16.0.0 with no issues. However, when trying to access anything on one of our other networks (VLANs) or point-to-point T1 LANs, they cannot. Our router is a 3845 that is the gateway between these LANs.

I am not sure if this is an issue at our 3845 or our PIX. Any help would be appreciated. Thank you in advance.

Correct Answer by ggilbert about 9 years 7 months ago

Can you please make sure that you have the NAT configured properly.

Are you doing split tunneling?

If so, make sure your split tunneling ACL does have the networks for the VPN client pool.

Thanks

Gilbert

ggilbert Wed, 02/28/2007 - 16:23

Hi,

If I understand your statement correctly, the 3845 router Ethernet is in the same segment as the inside interface of the PIX firewall, correct?

So, you are trying to access subnets which are behind the 3845 router, correct?

Are you doing split-tunneling for the VPN clients?

For example:

Let's just say you are assigning an IP address range of 192.168.20.x to your VPN clients.

If the internal IP address of the PIX is 172.16.0.1,

If there is a network like 10.10.10.x connected to this 3845 router, make sure you have an ip route statement on the router which says

ip route 192.168.20.0 255.255.255.0 172.16.0.1

Let me know how this works out.

Rate this topic, if it helps!

Cheers

Gilbert

richkrissi Wed, 02/28/2007 - 16:42

Correct on your first statement...same segment.

Correct on the second question... we have sub-interfaces (VLANs) on the 3845.

We are doing split-tunneling for our clients.

I do have a static route on the 3845...

ip route 192.168.200.0 255.255.255.0 to inside interface of PIX 172.16.0.1

I can ping devices on those VLANs from the PIX with no issue... but not from the client.

I am stumped here....thank you very much for helping!

acomiskey Wed, 02/28/2007 - 18:55

Check that your crypto ACL and your no-NAT ACL include these inside subnets, not only your 172.16 network.

ggilbert Wed, 02/28/2007 - 19:23

Sorry "acomiskey" - I did not see your post before posting my answer.


richkrissi Thu, 03/01/2007 - 09:01

Adding the subnet I needed to get to in split tunneling worked! Thank you very much for your help! Appreciate everyone's help on this issue.
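The three pieces the thread converges on (split-tunnel ACL, no-NAT ACL, and the return route on the 3845), shown as an added configuration example in PIX 6.x syntax; this is not the poster's configuration. The VPN pool 192.168.200.0/24 and the PIX inside address 172.16.0.1 come from the thread; the 172.16.0.0/16 mask, the 10.10.10.0/24 VLAN, and the names vpnpool, remoteusers, split_tunnel and no_nat are assumptions.

```cisco
! --- PIX 515E, before the fix: only the 172.16.0.0/16 segment is covered ---
! Addresses handed to VPN clients (pool is from the thread; name is assumed)
ip local pool vpnpool 192.168.200.1-192.168.200.254
! Networks the client routes into the tunnel; anything not listed here
! leaves the client via its local default route, never reaching the PIX
access-list split_tunnel permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.0
! Traffic to the pool must bypass NAT, or replies are translated and dropped
access-list no_nat permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list no_nat
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers split-tunnel split_tunnel

! --- PIX 515E, the fix: add every VLAN / T1 subnet behind the 3845 ---
! (10.10.10.0/24 is a constructed example VLAN, one line per internal subnet)
access-list split_tunnel permit ip 10.10.10.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list no_nat permit ip 10.10.10.0 255.255.255.0 192.168.200.0 255.255.255.0

! --- 3845 router: return path for the VPN pool toward the PIX inside interface ---
! Without this, the VLAN hosts answer via the router's default route instead of the PIX
ip route 192.168.200.0 255.255.255.0 172.16.0.1
```

After a client reconnects, `show access-list split_tunnel` on the PIX should show hit counts climbing on the new line, and the client's route table should list 10.10.10.0/24 as a secured route.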
