Unable to access network after login into VPN Concentrator

sivajipit
Level 1

Hi,

I have a Cisco VPN 3000 concentrator and a PIX 513 firewall running version 6.3 in my network. Now I want to give remote access to clients through the VPN concentrator. They are able to log in to the VPN concentrator using the client software but are not able to access the local LAN, which is behind the PIX.

PIX firewall inside: 10.91.40.100

Concentrator inside: 10.91.40.222

please help on this.

regards

Sivaji.P


ggilbert
Cisco Employee

Hi Sivaji,

This is a design/routing issue that needs to be taken into consideration. Can you please tell me if you have a DMZ interface on the PIX or not?

If all your resources are on the inside of the PIX like the VPN concentrator is, then their default gateway would be the inside of the PIX, I suppose... right?

If that is the case, the PIX will not redirect the packet on the interface it received the packet on (6.3 version of code or less).

Where is the concentrator inside interface plugged into?

What is the IP Address assignment for the VPN clients?

Cheers

Gilbert

Hi Gilbert,

Thanks for your reply.

We don't have a DMZ interface on the PIX. Here the PIX inside IP address 10.91.40.100 and the concentrator IP address 10.91.40.222 are both terminated on the same switch. The local LAN is also terminated on the same switch. For all local LAN users the PIX is the gateway.

On the PIX firewall, site-to-site VPN is configured for remote branch offices. Now we want to give remote access to our clients through the VPN concentrator. I configured the 10.91.30.0 pool on the concentrator and added an access-list for that pool on the PIX firewall. So remote users are getting an IP address from the concentrator, but they are unable to connect to the local LAN network. Please find attached the PIX firewall configuration.

So please help me on this. Waiting for your reply.

Regards

Sivaji.P

Sivaji,

This is a design problem.

Reason:

a. PIX will not re-direct a packet to an interface that it arrived on.

E.g.: If the packet arrived on the inside interface, it will not be re-directed to the inside interface itself. This is valid up to the 6.3 version of code on the PIX firewalls.

What is the version of code you are running on the PIX?

b. Since all your internal networks would be pointing to the PIX as the default gateway, when a packet destined for the VPN pool 10.91.30.0 arrives at the PC, it will be sent to the PIX. The PIX will then drop the packet, since it will not re-direct the packet back to the concentrator on the inside interface, because of Reason (a).

c. If it is a small internal network, you can add a route on each and every machine for the 10.91.30.0 network pointing to the concentrator IP address.

Would that be possible?

d. Or get rid of the concentrator and use the PIX for terminating VPN client connections along with the Lan to Lan connections.

Rate this post, if it helps.

Cheers

Gilbert

Hi,

Thanks for your help.

Could you please guide me on how to add a route on each machine pointing to the concentrator IP address?

Or

Please help me with how to give VPN access from the PIX firewall to remote clients.

For how many users is it possible to give remote access through the PIX?

Regards

Sivaji.P

Sivaji,

Section A: To add a route on a PC.

route ADD <destination network> MASK <subnet mask> <gateway IP> -p

-p --> keyword will keep the route added even after you reboot the system.

Section B:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml

PIX 515E can handle up to 2000 VPN tunnels.

Rate this post, if it helps.

Cheers

Gilbert
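The return-path problem from reasons (a) to (c) above, worked through as an added example that is not part of the original posts: a LAN host's reply to a VPN client is resolved by longest-prefix match, first with only the default route via the PIX and then with the per-host static route to the concentrator. The /24 masks, the sample client address 10.91.30.5, and all function names are assumptions.

```python
import ipaddress

# Addresses from the thread; the /24 masks are assumptions (the thread gives none).
PIX_INSIDE = ipaddress.ip_address("10.91.40.100")
CONCENTRATOR = ipaddress.ip_address("10.91.40.222")
LAN = ipaddress.ip_network("10.91.40.0/24")
VPN_POOL = ipaddress.ip_network("10.91.30.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Routing table of a LAN host as described: on-link LAN, default gateway = PIX.
BEFORE = [(LAN, None), (DEFAULT, PIX_INSIDE)]
# Same host after the static route from Section A (pool -> concentrator).
AFTER = BEFORE + [(VPN_POOL, CONCENTRATOR)]


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs; gateway None = on-link."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        return None
    _, gw = max(matches, key=lambda r: r[0].prefixlen)
    return dst if gw is None else gw  # on-link traffic goes straight to dst


def reply_fate(host_routes, vpn_client):
    """Follow a LAN host's reply to a VPN client one hop and report the outcome."""
    gw = next_hop(host_routes, vpn_client)
    if gw == CONCENTRATOR:
        return "delivered: concentrator tunnels the reply to the client"
    if gw == PIX_INSIDE:
        # The concentrator sits on the same inside segment, so the PIX would have
        # to send the packet back out of the interface it arrived on (reason a).
        return "dropped: PIX 6.3 will not redirect on the arrival interface"
    return "undeliverable: no usable route"


if __name__ == "__main__":
    client = "10.91.30.5"  # constructed sample address from the VPN pool
    print("default route only :", reply_fate(BEFORE, client))
    print("with static route  :", reply_fate(AFTER, client))
```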

Hi Gilbert,

I just configured VPN Client on the PIX firewall using the link which you provided. So I am able to connect to the PIX from outside, but I am not able to access the local network. I request you to please find the below configuration and help me on this.

Thanks & Regards

Sivaji.P

Hi Sivaji,

Were you able to get this fixed? I am sorry for not responding earlier. Was out for a couple of weeks.

Thanks

Gilbert

Hi Gilbert,

Sorry for the late reply. I resolved the issue; it was a problem with routing only.

Thanks for your support

Regards

Sivaji.p
