VPN IP Pool error

Unanswered Question
May 2nd, 2007

I just recently changed the IP pool for my VPN clients from a class B to a class C.

I assigned 192.168.1.1-253 for the range.

I have a VPN client who is wireless and his Netgear assigns him 192.168.1.2. He can validate on the VPN but cannot resolve names or IPs. I have other clients who have no issues.

Is it because his IP is the same net?

I also tried changing the IP pool to a different subnet, but then no one can connect.

What am I missing?

acomiskey Wed, 05/02/2007 - 10:55

What device are we talking about? Post the config if you can.

edit: What prompted the change of subnet for vpn clients?

Could this user ever connect?

This could be a NAT-traversal problem. Do you have this command in your PIX? (I'm assuming this is a PIX from your previous posts.)

isakmp nat-traversal

brentwoodind Wed, 05/02/2007 - 11:52

I am talking about a PIX 506E.

We had an internal IP scheme that was a public address range (130.1.X.X). We changed it over this prior weekend to a private 172.16.X.X address range.

The original IP pool for the VPN clients was 172.16.0.1-253. We decided to separate them to avoid any confusion. Since the change no user has had an issue but this one. He has connected before, but with the old VPN IP pool addresses.

I asked him for an ipconfig /all and noticed that his NIC was the same IP as the Cisco VPN, and thought that was the issue. I also realized that any other home user with a router/access point will probably have the same problem at some point due to the default settings of those devices. So I decided to change the IP for the pool to 192.168.99.1-253. But this did not allow anyone to connect. I cannot resolve names or IPs until the pool is set to 192.168.1.1-253.

I do not have that command in my PIX. I am not a very PIX-savvy person, since we rarely touch it except on occasions like this.

acomiskey Wed, 05/02/2007 - 11:58

First off, you are correct in making the VPN pool different from the inside network. They should never be the same.

Secondly, are you just changing the pool, or are you also changing the associated crypto and NAT exemption ACLs? Once you change the pool, you must change the ACLs to match the new subnet.

Lastly, adding "isakmp nat-traversal" will allow clients behind NAT to connect to the PIX. There is a great explanation here.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1
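What a pool change has to touch on a PIX 6.x, shown as an added example rather than the configuration from this thread. The inside network 172.16.0.0/16 and the new pool 192.168.99.0/24 are taken from the posts above; the names vpnpool, nonat, vpnclients, the DNS server address, the domain and the transform set are assumptions, and the lines beginning with ! are annotations. The pool is deliberately kept off 192.168.1.0/24, the range home routers hand out by default, so a client's own LAN never overlaps the addresses the tunnel assigns.

```cisco
! Added example (not this thread's configuration); names and addresses below are assumptions
! except the inside network 172.16.0.0/16 and the pool 192.168.99.0/24, which come from the thread.

! 1. Address pool handed to VPN clients. If the pool was previously defined on
!    192.168.1.0/24, remove that definition with its "no" form before adding this one.
ip local pool vpnpool 192.168.99.1-192.168.99.253

! 2. NAT exemption: inside-to-client traffic must leave the PIX untranslated.
!    Any old "nonat" entry that still names 192.168.1.0 must be removed ("no access-list ..."),
!    otherwise clients authenticate but cannot reach or resolve anything inside.
access-list nonat permit ip 172.16.0.0 255.255.0.0 192.168.99.0 255.255.255.0
nat (inside) 0 access-list nonat

! 3. Remote-access group: pool, name resolution and (optional) split tunnelling
!    all reference the new subnet.
vpngroup vpnclients address-pool vpnpool
vpngroup vpnclients dns-server 172.16.0.10
vpngroup vpnclients default-domain example.local
vpngroup vpnclients split-tunnel nonat
vpngroup vpnclients idle-time 1800
vpngroup vpnclients password <group-key-placeholder>

! 4. Phase 1 / Phase 2 for remote-access clients (a dynamic crypto map carries no
!    crypto ACL of its own, so there is nothing here to rewrite for the new pool).
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

! 5. Clients behind home NAT routers: negotiate UDP 4500 encapsulation (keepalive every 20 s)
!    and let decrypted IPsec traffic bypass the interface ACLs.
isakmp nat-traversal 20
sysopt connection permit-ipsec
```

The check after a change is the same one this thread ended with: verify that every line still mentioning the old 192.168.1.0 network (pool, nat 0 ACL, split-tunnel ACL, any interface ACL) has been replaced, since a single stale entry produces exactly the symptom described above, a tunnel that comes up but carries no usable traffic.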

brentwoodind Wed, 05/02/2007 - 13:29

I am using the PDM interface. I gather from other posts that this isn't the thing to use, but again I am very green when it comes to routers.

I did change the access rules to reflect the new IP pool. I also found under the VPN tab - IPSec rules that the new IP pool was not in there. I have corrected this. I assume that this is the NAT exemption ACL you are speaking of?

I don't know where the crypto setting is.

I have no issue with any other users. Just this user who happens to have the same IP address as the IP pool. Is this causing the issue?

I will try changing the IP pool to another class C address and test VPN again. But I will look for the setting I missed.

brentwoodind Fri, 05/04/2007 - 09:16

VPN is working for this user. It was the IPSec rules that needed to be updated with the new VPN group.

Thank you for your assistance acomiskey.
