05-07-2007 07:59 PM - edited 02-21-2020 01:30 AM
Hi All,
For example, there is a PIX firewall with 161.161.254.29 as the outside interface's IP and 10.6.10.230 as the inside interface's IP. This PIX holds a PPTP configuration which is enabled on the outside interface. Because the PPTP clients must be assigned an IP local pool, can the IP range of this local pool be on the same subnet as the inside interface? For example, the IP pool is 10.6.10.231-10.6.10.235. Is this possible? These PPTP clients will only access the 10.6.10.0/24 subnet. No next-hop subnet exists in the PIX "inside" subnet.
Thanks!
Jason,
Best regards
05-08-2007 12:33 AM
Yes, you can specify a local pool that overlaps with the inside network, but it is advisable to use another pool for the PPTP clients. That way you can differentiate more easily between the clients and the internal network. Even the use of future access-lists is easier with a different subnet.
You can find more information about configuring PPTP on a Pix in the following document:
Please rate if the post helps!
Regards,
Michael
05-08-2007 06:56 PM
Hi Michael,
Thanks for your reply!
Can the users in IP range 10.6.10.0/24 access the users in this IP pool? Actually, there are some IP phones in the 10.6.10.0 network. So can these IP phones access the IP phones which are in the IP pool? Thank you for your help!
Jason,
Best Regards
05-08-2007 11:21 PM
They can communicate with each other, if you set the Pix as the default gateway or if you make sure the routing in the rest of the network is in order (the last thing only applies to bigger networks with multiple 'exits' like two internet connections).
The Pix makes sure that there will be communications between the 'virtual' pool and the real inside network :)
Regards,
Michael
05-09-2007 09:00 AM
Hi,
If possible, it is sometimes advised to stay away from this. The pix has to proxy arp on behalf of all the external hosts on the inside interface and I have had issues with this on some versions of code when lots of clients are connected. If the pix is the default gateway on the LAN you're connecting to, it doesn't matter what pool you use. If it isn't, then adding a persistent route onto the servers that external users are accessing, pointing back to the pix, can sometimes be more stable.
No big deal, just something to be aware of!
Thanks :-)
Andy
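Added example, not part of the thread or any poster's code: a small Python model of the return path discussed in the replies above, showing which mechanism (proxy ARP by the PIX, the PIX as default gateway, or a static route pointing back to the PIX) each inside host depends on for a given pool. The PIX inside address and the 10.6.10.231-10.6.10.235 pool come from the question; the 10.6.20.x pool, the host names and addresses, and the 10.6.10.1 gateway are constructed assumptions.

```python
import ipaddress

# From the question: PIX inside interface and the overlapping PPTP pool.
PIX_INSIDE = "10.6.10.230"
OVERLAP_POOL = ("10.6.10.231", "10.6.10.235")
# Constructed for illustration: a separate pool and two inside hosts.
SEPARATE_POOL = ("10.6.20.1", "10.6.20.5")
HOSTS = {
    "phone": ("10.6.10.50/24", "10.6.10.230"),   # default gateway is the PIX
    "server": ("10.6.10.60/24", "10.6.10.1"),    # default gateway is another router
}

def pool_addresses(first, last):
    """Expand a first-last local pool into individual addresses."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if hi < lo:
        raise ValueError("pool end is below pool start")
    return [ipaddress.IPv4Address(n) for n in range(lo, hi + 1)]

def return_path(host_if, host_gw, client):
    """What an inside host relies on to send traffic back to a PPTP client."""
    if client in ipaddress.ip_interface(host_if).network:
        # Host sees the client as on-link and ARPs for it directly,
        # so the PIX must answer that ARP on the client's behalf.
        return "proxy-arp"
    if ipaddress.ip_address(host_gw) == ipaddress.ip_address(PIX_INSIDE):
        return "default-gateway"      # off-link traffic already goes to the PIX
    return "static-route"             # host needs a route to the pool via the PIX

def audit(pool):
    """Map each host to the mechanisms it depends on for the whole pool."""
    clients = pool_addresses(*pool)
    return {name: sorted({return_path(iface, gw, c) for c in clients})
            for name, (iface, gw) in HOSTS.items()}

if __name__ == "__main__":
    for label, pool in (("overlapping", OVERLAP_POOL), ("separate", SEPARATE_POOL)):
        print(label, audit(pool))
```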
05-09-2007 05:05 PM
Hi Andy,
Does version 6.3(4) have the issue you mentioned? Thanks for your help!
Jason,
Best Regards