Multi-Subnet VPN to headquarters PIX 515E

eronquillo · ‎03-12-2007

Hi everyone. is it possible to have different VPN pools with different subnets using the PIX 515E?

We're trying to put our call center agents working from home on the 192.168.20.0/24 pool and our stores on the 192.168.10.0/24 pool, all while they can access our internal subnet 192.168.0.0/24 at the main headquarters. What are the steps to make this happen?

Kamal Malhotra · ‎03-12-2007

Hi,

Since you are talking about pools, I'm responding with the understanding that you are trying to get VPN clients connected to the PIX.

Yes it is possible. You need to configure 2 different pools and two different groups with relevant pool bound with it. E.g. :

If you are running 6.3.x :

ip local pool pool1 192.168.20.1-192.168.20.254 mask 255.255.255.0

ip local pool pool2 192.168.10.1-192.168.10.254 mask 255.255.255.0

vpngroup xyz address-pool pool1

vpngroup abc address-pool pool2

If you are running 7.x :

ip local pool pool1 192.168.20.1-192.168.20.254 mask 255.255.255.0

ip local pool pool2 192.168.10.1-192.168.10.254 mask 255.255.255.0

tunnel-group xyz general-attributes

address-pool pool1

tunnel-group abc general-attributes

address-pool pool2

HTH,

Please rate if it helps,

Regards,

Kamal

eronquillo · ‎03-12-2007

Hi Kamal! Thank you very much for your response. I have attempted to apply the config on my PIX 515E v7.0(2), but it rejects the following:

tunnel-group xyz general-attributes

address-pool pool1

tunnel-group abc general-attributes

address-pool pool2

Is this the right config syntax? Another thing I'm concerned with is will the PIX route the VPN subnets properly.

Kamal Malhotra · ‎03-13-2007

Hi,

The syntax is correct. Please make sure that you are in config mode while configuring these commands and that you exit from the tunnel-group mode before configuring the next tunnel-group.

HTH,

Please rate if it helps.

Regards,

Kamal

kaachary · ‎03-13-2007

The PIX will not accept the command until you create the tunnel-group using :

tunnel-group abc type ipsec-ra

and then :

tunnel-group abc general-attirbutes

address-pool ippool

exit

-Kanishka

eronquillo · ‎03-15-2007

Ok, it is accepting the commands now. Thanks. Now, the next part. After implementing this, I cannot create a tunnel. Using Cisco's VPN 4.7 client, it would try to create a secure channel after entering the tunnel group and secret passphrase, and then disconnect. I can't figure out why this keeps happening. Could it have to do with the VPN settings not accepting different VPN subnets? I'm suspecting it could be ACLs or routing, but would like to find out if it could be VPN related.

eronquillo · ‎03-15-2007

It works! It works! After playing around with the IPsec Rules and the Group Policy, everything worked. Different VPN subnets were able to connect to the HQ LAN without as much as touching a static route! Thanks everyone for your help!! :-)

ixholla69 · ‎03-16-2007

I have another question on this... Say for instance you have someone trying to connect from home with 192.168.1.1 creating a VPN tunnel to their office network of which is also 192.168.1.1 could you in fact create a "Pool" that would change the home users IP address so that they could talk to the 192.168.1.1 addresses on the work network>?

eronquillo · ‎03-23-2007

To prevent any potential problems with same IPs, I changed the subnet at home to something that is completely different. I used a subnet of 192.168.20.0/24 on my home network, with the knowledge that my company's network is 192.168.0.0/24, while the other VPN tunnels are also on different subnets as well.