VPN Client to PIX 7.2

Unanswered Question
Mar 7th, 2007

I am new to PIX and I would like to set up a connection so I can connect to the PIX over the internet. I have the client software. What is a basic configuration I can use on the PIX to make this work?

ljohnson21 Wed, 03/07/2007 - 18:30

I was able to set up the client VPN connection, but once I have a connection I am not able to connect to any devices on the inside network. The client also gets a default gateway which is the same as its IP address. Is this normal? I am only able to ping the inside interface of the PIX but no other devices in the network. Any help would be greatly appreciated.

Thanks,

L

kaachary Thu, 03/08/2007 - 04:51

Hi,

Enable "isakmp nat-t" on the PIX.

Hope this helps !!

-Kanishka

ljohnson21 Thu, 03/08/2007 - 06:56

Hi Kanishka,

I tried this command but it did not help. The host uses its own IP address as the default gateway. Is this normal? How can I change this?

Thanks,

kaachary Thu, 03/08/2007 - 07:02

If you do not have split tunneling enabled, the client will always have the pool IP as the default gateway. It's normal.

I would like to check the NAT rules on the PIX, if you can post them.

-Kanishka

ljohnson21 Thu, 03/08/2007 - 07:28

The inside network is 1.1.1.0/24. Below are the ACLs and NAT rules.

ip local pool remotevpn 1.1.1.245-1.1.1.246 mask 255.255.255.252
access-list INSIDE_nat0_outbound extended permit ip any 1.1.1.244 255.255.255.252
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 1.1.1.0 255.255.255.0
access-list OUTSIDE extended permit ip any any
access-list INSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended permit ip any any
access-group INSIDE_access_in in interface INSIDE
access-group OUTSIDE_access_in in interface OUTSIDE
access-group OUTSIDE out interface OUTSIDE
crypto isakmp nat-traversal 20

Thanks,

L

kaachary Thu, 03/08/2007 - 08:08

Hi,

It's not recommended to have a pool in the same subnet as the inside network, as it will lead to routing issues.

Change the pool to any other subnet and also make the corresponding changes in the NAT 0 ACL.

Let me know if this helps.

-Kanishka
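Added example (not posted by anyone in this thread): the change Kanishka describes, applied to the configuration ljohnson21 posted. The pool moves to 10.10.10.0/28 (an assumed, otherwise unused subnet) and the NAT 0 exemption is rewritten to match it; the group-policy and tunnel-group names are assumed, and the split-tunnel section is optional.

```text
! Inside network stays 1.1.1.0/24 (from the thread).
! Client pool moves off the inside subnet to 10.10.10.0/28 (assumed, unused elsewhere).
ip local pool remotevpn 10.10.10.1-10.10.10.14 mask 255.255.255.240
!
! NAT 0 exemption: inside-to-pool traffic must bypass PAT, otherwise replies to
! VPN clients are translated to the outside interface address and never reach them.
! Source is the inside subnet rather than "any", so only VPN-bound traffic is exempted.
access-list INSIDE_nat0_outbound extended permit ip 1.1.1.0 255.255.255.0 10.10.10.0 255.255.255.240
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
!
! Regular internet PAT stays as posted.
global (OUTSIDE) 1 interface
nat (INSIDE) 1 1.1.1.0 255.255.255.0
!
! NAT traversal for clients behind home routers (already present in the thread).
crypto isakmp nat-traversal 20
!
! Optional split tunnel: only 1.1.1.0/24 is sent through the tunnel; the client
! keeps its local default gateway for everything else. Names below are assumed.
access-list SPLIT_TUNNEL standard permit 1.1.1.0 255.255.255.0
group-policy remotevpn-policy internal
group-policy remotevpn-policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
tunnel-group remotevpn-group type ipsec-ra
tunnel-group remotevpn-group general-attributes
 address-pool remotevpn
 default-group-policy remotevpn-policy
```

Without split tunneling the client's route table shows its own pool address as the default gateway, which is what the thread describes as normal; after a client connects, `show crypto ipsec sa` should show both encaps and decaps counters climbing when the client pings an inside host.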
