VPN Client not connecting to the branch office

ksarin
Level 1

Hello folks -

We have a Cisco PIX 515E (6.3) that users VPN into. The PIX is at our main site, and we have 2 branch sites connected to the main site via point-to-point leased lines. Our main site address is 10.0.0.0/24, and one of our branch sites' address is 10.2.2.0/24. When users VPN into the PIX, they can connect to everything at the main site but nothing at the branch site. There is a static route configured on the PIX on how to get to the branch site.

Any ideas on how to get this resolved?

Thanks!

7 Replies

Kamal Malhotra
Cisco Employee

Hi,

If I have understood correctly, then you want a VPN client to connect to the main site and then be able to access the main site as well as the remote site. Probably what you are missing is a route for the VPN client pool on the remote site. Please also check the NAT bypass settings on the remote site device. If it does not resolve your problem, then please send me the running config of both the PIX at the main site and the device at the remote site (if it's a Cisco device). I would also appreciate it if you can send a topology diagram.

HTH,

*Please rate if it helps,

Regards,

Kamal

Hi Kamal -

I am attaching the config file for the PIX and the router at the branch site.

I still can't figure out why VPN clients are unable to connect to the branch office. I read somewhere that PIX will not let you send and receive traffic on the same interface unless you upgrade to version 7. Is this true?

Yes, that's correct. PIX running 6.x code is not able to redirect traffic on any of its interfaces.

You might have to upgrade the code to 7.X.

-Kanishka

Hi,

To my understanding, the router does not have a VPN tunnel to the outside interface of the PIX. Rather, it is reachable via the inside interface of the PIX, something like:

Client----Internet---PIX---router---a network

What we are experiencing is a routing issue. If my understanding is correct, then issue the following commands on the PIX and then try to connect the client to the PIX and access:

access-list SplTunnel permit ip 10.0.0.0 255.0.0.0 172.16.100.0 255.255.255.0

access-list NoNat permit ip 10.0.0.0 255.0.0.0 172.16.100.0 255.255.255.0

HTH,

*Please rate if it helps,

Regards,

Kamal

Hi Kamal -

Entering the commands specified did not resolve the issue. Do I really have to upgrade to 7.0 to resolve this issue?

Any more ideas??

kaachary
Cisco Employee

Hi,

The setup is possible without upgrade, as you are not u-turning the traffic from the same interface.

First of all, I couldn't find any route on the PIX to reach 10.2.2.0/24.

route inside 10.2.2.0 255.255.255.0 10.0.0.9

Also, I guess there's another router connected to the PIX inside interface. The router's IP might be 10.0.0.9.

You need to put the following route on this router:

ip route 172.16.100.0 255.255.255.0 10.0.0.1

Also, the split tunnel ACL and nonat ACL would look like this :

access-list SplTunnel permit ip 10.0.0.0 255.0.0.0 172.16.100.0 255.255.255.0

access-list NoNat permit ip 10.0.0.0 255.0.0.0 172.16.100.0 255.255.255.0

That should do it !

*Please rate if helped.

-Kanishka
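The reply above lists the three things the PIX side needs (a route to the branch out the inside interface, a split-tunnel ACL that covers the branch, a nat 0 ACL that exempts branch-to-pool traffic) plus a return route for the client pool on the branch router. The script below is an added example, not code from this thread or from Cisco: it parses a small PIX 6.3 style config and reports which of those pieces are missing. The config texts are constructed to mirror the thread (main site 10.0.0.0/24, branch 10.2.2.0/24 behind 10.0.0.9, client pool 172.16.100.0/24); the pool name VPNPOOL, the ACL names SplTunnel and NoNat, and the vpngroup name are assumptions. It only reads `access-list ... permit ip`, `route`, `ip local pool`, `nat (inside) 0` and `vpngroup` lines, and it cannot see the branch router, so the return-route check runs against that router's own config text.

```python
"""Check a PIX 6.3 config for what a remote-access VPN client needs in order to
reach a subnet behind a router on the inside interface. Added example, not from
the thread; the config texts are constructed and the names VPNPOOL, SplTunnel,
NoNat and the vpngroup 'ravpn' are assumptions. PIX ACLs use subnet masks, not
IOS wildcard masks, which is what the parser expects."""
import ipaddress

# Constructed PIX config with two defects planted on purpose: no route to the
# branch subnet, and a nat 0 ACL that only exempts the main-site subnet.
PIX_CONFIG = """\
ip address inside 10.0.0.1 255.255.255.0
ip local pool VPNPOOL 172.16.100.1-172.16.100.254
access-list SplTunnel permit ip 10.0.0.0 255.0.0.0 172.16.100.0 255.255.255.0
access-list NoNat permit ip 10.0.0.0 255.255.255.0 172.16.100.0 255.255.255.0
nat (inside) 0 access-list NoNat
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
vpngroup ravpn address-pool VPNPOOL
vpngroup ravpn split-tunnel SplTunnel
"""

# The same config with both defects fixed, as the reply above describes.
FIXED_CONFIG = PIX_CONFIG.replace(
    "access-list NoNat permit ip 10.0.0.0 255.255.255.0",
    "access-list NoNat permit ip 10.0.0.0 255.0.0.0",
) + "route inside 10.2.2.0 255.255.255.0 10.0.0.9 1\n"

# Constructed IOS config for the router at 10.0.0.9 that fronts the branch.
ROUTER_CONFIG = """\
ip route 10.2.2.0 255.255.255.0 10.2.2.1
ip route 172.16.100.0 255.255.255.0 10.0.0.1
"""

def _addr_spec(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_pix(text):
    """Collect ACL permit entries, routes, address pools and vpngroup bindings."""
    cfg = {"acls": {}, "routes": [], "pools": {}, "nat0": None, "split": None, "pool": None}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = _addr_spec(t[4:])
            dst, _ = _addr_spec(rest)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "route":  # route <iface> <net> <mask> <gateway> [metric]
            cfg["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[4]))
        elif t[:3] == ["ip", "local", "pool"]:  # ip local pool <name> <first>-<last>
            lo, hi = (ipaddress.ip_address(a) for a in t[4].split("-"))
            cfg["pools"][t[3]] = list(ipaddress.summarize_address_range(lo, hi))
        elif t[:3] == ["nat", "(inside)", "0"]:
            cfg["nat0"] = t[4]
        elif t[0] == "vpngroup" and t[2] == "split-tunnel":
            cfg["split"] = t[3]
        elif t[0] == "vpngroup" and t[2] == "address-pool":
            cfg["pool"] = t[3]
    return cfg

def acl_permits(entries, src, dst_nets):
    """True if every dst network is permitted from src by a single ACL entry."""
    return all(any(src.subnet_of(s) and d.subnet_of(t) for s, t in entries) for d in dst_nets)

def best_route(cfg, net):
    """Longest-prefix route whose network contains net, or None."""
    hits = [r for r in cfg["routes"] if net.subnet_of(r[1])]
    return max(hits, key=lambda r: r[1].prefixlen, default=None)

def check_pix(text, branch_cidr, inside="inside"):
    """Return a list of findings; an empty list means the PIX side looks right."""
    cfg = parse_pix(text)
    branch = ipaddress.ip_network(branch_cidr)
    pool = cfg["pools"][cfg["pool"]]
    findings = []
    r = best_route(cfg, branch)
    if r is None or r[0] != inside:
        findings.append(f"no route to {branch} via {inside} (add: route {inside} "
                        f"{branch.network_address} {branch.netmask} <router>)")
    # ACLs are written branch -> pool, matching the form used in the thread.
    if not acl_permits(cfg["acls"].get(cfg["split"], []), branch, pool):
        findings.append(f"split-tunnel ACL {cfg['split']} does not cover {branch} -> client pool")
    if not acl_permits(cfg["acls"].get(cfg["nat0"], []), branch, pool):
        findings.append(f"nat 0 ACL {cfg['nat0']} does not exempt {branch} -> client pool")
    return findings

def router_has_return_route(ios_text, pool_cidr):
    """The branch-side router must have a route sending the client pool back to the PIX."""
    pool = ipaddress.ip_network(pool_cidr)
    for line in ios_text.splitlines():
        t = line.split()
        if t[:2] == ["ip", "route"] and pool.subnet_of(
                ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)):
            return True
    return False
```

Running `check_pix(PIX_CONFIG, "10.2.2.0/24")` reports the missing inside route and the too-narrow nat 0 ACL; `check_pix(FIXED_CONFIG, "10.2.2.0/24")` returns an empty list, and `router_has_return_route(ROUTER_CONFIG, "172.16.100.0/24")` confirms the branch router can send replies back to the PIX. An empty findings list from the PIX alone is not enough: without that return route on the router, packets reach the branch but the replies are dropped there, which is the symptom the original post describes.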

I am having this very similar issue with our network. I have PIX ver. 6.3(5). My VPN clients cannot ping the router to access the remote site, which is 10.121.2.2.

I have the line access-list splittunnel permit ip host 10.121.27.100 host 10.121.2.2

nonat permit

Everyone inside the firewall is able to ping 10.121.2.2.

Any thoughts why VPN clients aren't able to ping 10.121.2.2, which is the router to access the branch site?
