Can PPTP IP pool be on the same subnet of PIX's inside?

May 7th, 2007

Hi All,

For example, there is a PIX firewall with 161.161.254.29 as the outside interface's IP and 10.6.10.230 as the inside interface's IP. And this PIX is holding a PPTP configuration which is enabled on the outside interface. Because the PPTP clients must be assigned an IP local pool, can the IP range of this local pool be on the same subnet as the inside interface? For example, the IP pool is 10.6.10.231-10.6.10.235. Is this possible? These PPTP clients will only access the 10.6.10.0/24 subnet. No next-hop subnet exists in the PIX "inside" subnet.

Thanks!


Jason,

Best regards

mfreijser Tue, 05/08/2007 - 00:33

Yes, you can specify a local pool that overlaps with the inside network, but it is advisable to use another pool for the PPTP clients. That way you can differentiate more easily between the clients and the internal network. Even the use of future access-lists is easier with a different subnet.


You can find more information about configuring PPTP on a Pix in the following document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml


Please rate if the post helps!


Regards,


Michael

netcraftjason Tue, 05/08/2007 - 18:56

Hi Michael,

Thanks for your reply!


Can the users in the IP range 10.6.10.0/24 access the users in this IP pool? Actually, there are some IP phones in the 10.6.10.0 network. So can these IP phones access the IP phones which are in the IP pool? Thank you for your help!


Jason,

Best regards

mfreijser Tue, 05/08/2007 - 23:21

They can communicate with each other if you set the PIX as the default gateway, or if you make sure the routing in the rest of the network is in order (the last thing only applies to bigger networks with multiple 'exits', like two internet connections).


The Pix makes sure that there will be communications between the 'virtual' pool and the real inside network :)


Regards,


Michael

andrew100 Wed, 05/09/2007 - 09:00

Hi,


If possible, it is sometimes advised to stay away from this. The PIX has to proxy-ARP on behalf of all the external hosts on the inside interface, and I have had issues with this on some versions of code when lots of clients are connected. If the PIX is the default gateway on the LAN you're connecting to, it doesn't matter what pool you use. If it isn't, then adding a persistent route onto the servers that external users are accessing, pointing back to the PIX, can sometimes be more stable.


No big deal, just something to be aware of!


Thanks :-)


Andy
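
The following is an added example (not from any post in this thread and not the configuration in the Cisco document Michael linked), written to show both of the options discussed above in PIX 6.3-style syntax: Michael's point that a pool carved out of the inside subnet works but makes later access-lists awkward, and Andy's point that a pool on a separate subnet shifts the problem from proxy ARP to routing. It uses the addresses from the question; the pool name, the alternative pool 10.6.20.0/28, the DNS server 10.6.10.10 and the VPN username are assumptions chosen for illustration.

```cisco
! Added example: PPTP server on the PIX outside interface (PIX 6.3-style commands).
! Addresses 10.6.10.230/24 and 10.6.10.231-.235 come from the question; the pool
! name, the 10.6.20.0/28 alternative, the DNS server and the username are assumed.
ip address inside 10.6.10.230 255.255.255.0

! --- Variant A: pool taken out of the inside subnet (what the question asks) ---
ip local pool pptp-pool 10.6.10.231-10.6.10.235

! NAT exemption so that replies from inside hosts to PPTP clients are not translated
! by any "nat (inside) 1 ..." rule. Because pool and LAN share one /24, the only
! clean match is "the /24 to itself", which exempts far more than the five pool
! addresses - this is the access-list awkwardness the first answer refers to.
access-list nonat permit ip 10.6.10.0 255.255.255.0 10.6.10.0 255.255.255.0
nat (inside) 0 access-list nonat

! --- Variant B: dedicated pool outside the inside subnet (what the answer recommends) ---
! Replace the three Variant A lines above with these; the exemption now names
! exactly the PPTP clients and nothing else.
! ip local pool pptp-pool 10.6.20.1-10.6.20.14
! access-list nonat permit ip 10.6.10.0 255.255.255.0 10.6.20.0 255.255.255.240
! nat (inside) 0 access-list nonat

! --- PPTP server settings common to both variants ---
! permit-pptp lets PPTP client traffic bypass the outside interface access-list;
! remove it and write an explicit ACL if per-client filtering is required.
sysopt connection permit-pptp
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128 required
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 10.6.10.10
vpdn group 1 client authentication local
vpdn username pptpuser password <strong-password>
vpdn enable outside
```

With Variant A the inside hosts (the IP phones included) ARP for 10.6.10.231-.235 directly, and the PIX answers those ARP requests on the inside interface on the clients' behalf; that proxy-ARP load is what Andy's caveat is about. With Variant B the inside hosts instead need a route for 10.6.20.0/28 via 10.6.10.230: nothing extra is required if the PIX is already their default gateway, otherwise add a persistent route on the servers the PPTP users reach (on a Windows host, for example, `route -p add 10.6.20.0 mask 255.255.255.240 10.6.10.230`). Whichever pool you choose, PPTP's MS-CHAP authentication and the MPPE keys derived from it are weak by current standards, so treat this as legacy remote access rather than a long-term design.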

netcraftjason Wed, 05/09/2007 - 17:05

Hi Andy,

Does the 6.3(4) version have the issue you mentioned? Thanks for your help!


Jason,

Best regards
