
Can PPTP IP pool be on the same subnet of PIX's inside?

netcraftjason
Level 1

Hi All,

For example, there is a PIX firewall with 161.161.254.29 as the outside interface's IP and 10.6.10.230 as the inside interface's IP. This PIX is holding a PPTP configuration which is enabled on the outside interface. Because the PPTP clients must be assigned an IP local pool, can the IP range of this local pool be on the same subnet as the inside interface? For example, the IP pool is 10.6.10.231-10.6.10.235. Is this possible? These PPTP clients will only access the 10.6.10.0/24 subnet. No next hop subnet exists in the PIX "inside" subnet.

Thanks!

Jason,

Best regards

5 Replies

mfreijser
Level 1

Yes, you can specify a local pool that overlaps with the inside network, but it is advisable to use another pool for the PPTP clients. That way you can differentiate more easily between the clients and the internal network. Even the use of future access-lists is easier with a different subnet.

You can find more information about configuring PPTP on a Pix in the following document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

Please rate if the post helps!

Regards,

Michael
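
A sketch of the separate-pool layout suggested in the reply above, as an added example that is not part of the original thread or of the linked Cisco document. It assumes PIX 6.3 syntax; the 10.6.11.0/24 pool subnet, the names `pptp-pool` and `nonat`, and the credentials are hypothetical placeholders, and lines starting with `!` are annotations rather than commands.

```cisco
! Inside network from the question: 10.6.10.0/24 (PIX inside = 10.6.10.230)
! Pool on its own subnet (assumed unused elsewhere) instead of 10.6.10.231-10.6.10.235
ip local pool pptp-pool 10.6.11.1-10.6.11.5

! Exempt traffic between the inside network and the pool from NAT
access-list nonat permit ip 10.6.10.0 255.255.255.0 10.6.11.0 255.255.255.0
nat (inside) 0 access-list nonat

! Let terminated PPTP traffic bypass interface access-list checks
sysopt connection permit-pptp

! PPTP termination on the outside interface
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128 required
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication local
vpdn username <username> password <password>
vpdn enable outside
```

With the pool on its own subnet, the PIX does not have to answer ARP on the inside interface for the client addresses, but inside hosts whose default gateway is not the PIX need a route for 10.6.11.0/24 pointing at 10.6.10.230.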

Hi Michael,

Thanks for your reply!

Can the users in IP range 10.6.10.0/24 access the users in this IP pool? Actually, there are some IP phones in the 10.6.10.0 network. So can these IP phones access the IP phones which are in the IP pool? Thank you for your help!

Jason,

Best Regards

They can communicate with each other, if you set the Pix as the default gateway or if you make sure the routing in the rest of the network is in order (the last thing only applies to bigger networks with multiple 'exits' like two internet connections).

The Pix makes sure that there will be communications between the 'virtual' pool and the real inside network :)

Regards,

Michael

Hi,

If possible, it is sometimes advised to stay away from this. The pix has to proxy arp on behalf of all the external hosts on the inside interface and I have had issues with this on some versions of code when lots of clients are connected. If the pix is the default gateway on the LAN you're connecting to, it doesn't matter what pool you use. If it isn't, then adding a persistent route onto the servers that external users are accessing, pointing back to the pix, can sometimes be more stable.

No big deal, just something to be aware of!

Thanks :-)

Andy

Hi Andy,

Does version 6.3(4) have the issue you mentioned? Thanks for your help!

Jason,

Best Regards
