Unable to access network after login into VPN Concentrator

Unanswered Question
Apr 9th, 2007

Hi,


I have a Cisco VPN 3000 Concentrator and a PIX 513 firewall running version 6.3 in my network. Now I want to give remote access to clients through the VPN concentrator. They are able to log in to the VPN concentrator using the client software but are not able to access the local LAN behind the PIX.


PIX firewall inside: 10.91.40.100

Concentrator inside: 10.91.40.222


Please help on this.


Regards

Sivaji.P


ggilbert (Cisco Employee) Mon, 04/09/2007 - 10:06

Hi Sivaji,


This is a design/routing issue that needs to be taken into consideration. Can you please tell me if you have a DMZ interface on the PIX or not?


If all your resources are on the inside of the PIX, like the VPN concentrator is, then their default gateway would be the inside of the PIX, I suppose... right?


If that is the case, the PIX will not redirect the packet out the interface it received the packet on (6.3 version of code or less).


Where is the concentrator inside interface plugged into?


What is the IP Address assignment for the VPN clients?


Cheers

Gilbert

sivajipit Tue, 04/10/2007 - 01:47

Hi Gilbert,


Thanks for your reply.


We don't have a DMZ interface on the PIX. Here the PIX inside IP address 10.91.40.100 and the concentrator IP address 10.91.40.222 are both terminated on the same switch. The local LAN is also terminated on the same switch. For all local LAN users the PIX is the gateway.

On the PIX firewall, site-to-site VPN is configured for remote branch offices. Now we want to give remote access to our clients through the VPN concentrator. I configured the 10.91.30.0 pool in the concentrator and added an access-list for that pool in the PIX firewall. So remote users are getting an IP address from the concentrator but they are unable to connect to the local LAN network. Please find attached the PIX firewall configuration.




So please help me on this. Waiting for your reply.



Regards

Sivaji.P




ggilbert (Cisco Employee) Tue, 04/10/2007 - 06:25

Sivaji,


This is a design problem.


Reason:


a. The PIX will not redirect a packet to the interface that it arrived on.


e.g.: If the packet arrived on the inside interface, it will not be redirected to the inside interface itself. This is valid up to version 6.3 of code on the PIX firewalls.


What is the version of code you are running on the PIX?



b. Since all your internal networks would be pointing to the PIX as the default gateway, when a packet destined for the VPN pool 10.91.30.0 arrives at the PC, it will be sent to the PIX. The PIX will drop the packet after that, since it will not redirect the packet back to the concentrator on the inside interface, because of Reason (a).


c. If it is a small internal network, you can add a route on each and every machine for the 10.91.30.0 network pointing to the concentrator IP address.


Would that be possible?


d. Or get rid of the concentrator and use the PIX for terminating VPN client connections along with the LAN-to-LAN connections.


Rate this post, if it helps.

Cheers

Gilbert

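The reply path Gilbert describes in (a) and (b), and the per-host route fix in (c), traced in an added Python simulation (this is not code from the thread). It assumes the pool is 10.91.30.0/24 and that the PIX reaches both the LAN and the pool through its inside interface.

```python
import ipaddress

# Constructed topology from the thread. The pool prefix length (/24) is an
# assumption; the post only says "10.91.30.0".
PIX_INSIDE = "10.91.40.100"
CONCENTRATOR = "10.91.40.222"
LAN = ipaddress.ip_network("10.91.40.0/24")
VPN_POOL = ipaddress.ip_network("10.91.30.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# A LAN host's routing table as (network, gateway); "connected" = on-link.
DEFAULT_ROUTES = [(LAN, "connected"), (DEFAULT, PIX_INSIDE)]
# Same table after Gilbert's option (c): host route for the pool via the concentrator.
FIXED_ROUTES = DEFAULT_ROUTES + [(VPN_POOL, CONCENTRATOR)]

def next_hop(routes, dst):
    """Longest-prefix match: the most specific route wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def pix_egress(dst):
    """Assumed PIX view: LAN and the pool (via the concentrator) are both 'inside'."""
    d = ipaddress.ip_address(dst)
    return "inside" if d in LAN or d in VPN_POOL else "outside"

def pix_forwards(ingress_ifc, egress_ifc):
    """PIX 6.3 and earlier: never redirect a packet out the interface it came in on."""
    return ingress_ifc != egress_ifc

def reply_path(host_routes, dst):
    """Trace where a LAN host's packet to dst ends up."""
    gw = next_hop(host_routes, dst)
    if gw is None:
        return "no route"
    if gw == "connected":
        return "delivered directly"
    if gw == CONCENTRATOR:
        return "delivered via concentrator"
    if gw == PIX_INSIDE:
        if pix_forwards("inside", pix_egress(dst)):
            return "forwarded by PIX"
        return "dropped by PIX (same-interface redirect)"
    return f"sent to {gw}"

if __name__ == "__main__":
    for routes, name in ((DEFAULT_ROUTES, "default gateway only"), (FIXED_ROUTES, "with host route")):
        print(f"{name}: reply to VPN client 10.91.30.5 -> {reply_path(routes, '10.91.30.5')}")
```

Without the host route the reply to the VPN client is handed to the PIX and dropped; with it, the host sends directly to the concentrator and the PIX is never involved.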
sivajipit Tue, 04/10/2007 - 23:11

Hi,


Thanks for your help.


Could you please guide me on how to add a route on each machine pointing to the concentrator IP address?


Or


Please help me with how to give VPN access from the PIX firewall to remote clients.


For how many users is it possible to give remote access through the PIX?




Regards


Sivaji.P


sivajipit Fri, 04/20/2007 - 00:53

Hi Gilbert,



I just configured VPN Client on the PIX firewall using the link which you provided, so I am able to connect to the PIX from outside but I am not able to access the local network. I request you to please find the below configuration and help me on this.


Thanks & Regards

Sivaji.P








ggilbert (Cisco Employee) Mon, 05/07/2007 - 07:53

Hi Sivaji,


Were you able to get this fixed? I am sorry for not responding earlier. I was out for a couple of weeks.


Thanks

Gilbert

sivajipit Sun, 01/06/2008 - 23:03

Hi Gilbert,


Sorry for the late reply. I resolved the issue; it was a problem with routing only.


Thanks for your support.


Regards

Sivaji.P
