03-12-2007 03:27 PM - edited 02-21-2020 02:55 PM
Hi everyone. Is it possible to have different VPN pools with different subnets using the PIX 515E?
We're trying to put our call center agents working from home on the 192.168.20.0/24 pool and our stores on the 192.168.10.0/24 pool, all while they can access our internal subnet 192.168.0.0/24 at the main headquarters. What are the steps to make this happen?
03-12-2007 05:00 PM
Hi,
Since you are talking about pools, I'm responding with the understanding that you are trying to get VPN clients connected to the PIX.
Yes, it is possible. You need to configure two different pools and two different groups, each with its own pool bound to it. E.g.:
If you are running 6.3.x:
ip local pool pool1 192.168.20.1-192.168.20.254 mask 255.255.255.0
ip local pool pool2 192.168.10.1-192.168.10.254 mask 255.255.255.0
vpngroup xyz address-pool pool1
vpngroup abc address-pool pool2
If you are running 7.x:
ip local pool pool1 192.168.20.1-192.168.20.254 mask 255.255.255.0
ip local pool pool2 192.168.10.1-192.168.10.254 mask 255.255.255.0
tunnel-group xyz general-attributes
 address-pool pool1
tunnel-group abc general-attributes
 address-pool pool2
HTH,
Please rate if it helps,
Regards,
Kamal
03-12-2007 08:14 PM
Hi Kamal! Thank you very much for your response. I have attempted to apply the config on my PIX 515E v7.0(2), but it rejects the following:
tunnel-group xyz general-attributes
 address-pool pool1
tunnel-group abc general-attributes
 address-pool pool2
Is this the right config syntax? Another thing I'm concerned with is whether the PIX will route the VPN subnets properly.
03-13-2007 02:52 AM
Hi,
The syntax is correct. Please make sure that you are in config mode while configuring these commands and that you exit from the tunnel-group mode before configuring the next tunnel-group.
HTH,
Please rate if it helps.
Regards,
Kamal
03-13-2007 02:57 AM
The PIX will not accept the command until you create the tunnel-group using:
tunnel-group abc type ipsec-ra
and then:
tunnel-group abc general-attributes
 address-pool ippool
 exit
-Kanishka
03-15-2007 11:00 AM
Ok, it is accepting the commands now. Thanks. Now, the next part. After implementing this, I cannot create a tunnel. Using Cisco's VPN 4.7 client, it would try to create a secure channel after entering the tunnel group and secret passphrase, and then disconnect. I can't figure out why this keeps happening. Could it have to do with the VPN settings not accepting different VPN subnets? I'm suspecting it could be ACLs or routing, but would like to find out if it could be VPN related.
03-15-2007 08:11 PM
It works! It works! After playing around with the IPsec rules and the group policy, everything worked. Different VPN subnets were able to connect to the HQ LAN without so much as touching a static route! Thanks everyone for your help!! :-)
03-16-2007 10:43 AM
I have another question on this... Say for instance you have someone trying to connect from home with 192.168.1.1, creating a VPN tunnel to their office network, which is also 192.168.1.1. Could you in fact create a "pool" that would change the home user's IP address so that they could talk to the 192.168.1.1 addresses on the work network?
03-23-2007 11:37 AM
To prevent any potential problems with same IPs, I changed the subnet at home to something that is completely different. I used a subnet of 192.168.20.0/24 on my home network, with the knowledge that my company's network is 192.168.0.0/24, while the other VPN tunnels are also on different subnets as well.