01-14-2008 03:32 AM - edited 02-21-2020 03:28 PM
Dear All,
My VPN client is able to connect and gets an IP address from the pool configured on the VPN concentrator, but the client is not able to ping the internal networks that sit behind the PIX firewall.
The concentrator's private interface is connected to the firewall's DMZ interface.
PIX DMZ IP: 172.28.95.2
Concentrator: 172.28.95.95
Remote-access client IP: 172.28.37.x
I have configured split tunneling on the concentrator for the following PIX firewall networks:
172.28.92.0/0.0.0.255
172.28.95.0/0.0.0.255
172.28.96.0/0.0.0.255
172.31.0.0/0.0.255.255
192.168.249.164/0.0.0.3
172.28.32.0/0.0.0.255
172.28.64.0/0.0.0.255
172.28.98.0/0.0.0.255
The concentrator is able to reach all of the above networks without any problem.
But the client is able to ping any of the above networks, except the concentrator's private interface.
! Identity statics (inside -> edn) for the three inside networks. Note that with
! netmask 255.255.255.255 each line translates only the single address x.x.x.0,
! not the whole /24.
static (inside,edn) 172.28.32.0 172.28.32.0 netmask 255.255.255.255
static (inside,edn) 172.28.92.0 172.28.92.0 netmask 255.255.255.255
static (inside,edn) 172.28.64.0 172.28.64.0 netmask 255.255.255.255
! NAT exemption for inside -> VPN pool (172.28.37.0/24) traffic
access-list nonat extended permit ip 172.28.32.0 255.255.255.0 172.28.32.0 255.255.255.0
access-list nonat extended permit ip 172.28.92.0 255.255.255.0 172.28.37.0 255.255.255.0
access-list nonat extended permit ip 172.28.32.0 255.255.255.0 172.28.37.0 255.255.255.0
access-list nonat extended permit ip 172.28.64.0 255.255.255.0 172.28.37.0 255.255.255.0
nat (inside) 0 access-list nonat
! Inbound ACL on the edn (DMZ) interface: VPN pool -> inside networks
access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.32.0 255.255.255.0
access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.92.0 255.255.255.0
access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.64.0 255.255.255.0
! Route for the VPN pool via the concentrator's private interface
route edn 172.28.37.0 255.255.255.0 172.28.95.95 1
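The post above gives the concentrator's split-tunnel list and the PIX statics, NAT exemption and interface ACL side by side, and the thing to check first is whether every split-tunnel network actually has a matching nat 0 exemption and an inbound permit on the PIX. The script below is an added example and is not part of the original post or of any Cisco tool; it parses the three statement forms that appear in the posted fragment (static, access-list ... extended permit ip, nat ... 0 access-list), takes the pool and interface names (inside, edn, edn_acl) from the thread, and reports which split-tunnel networks are covered. It also flags statics whose netmask covers less than the network they are written for.

```python
import ipaddress
import re

# Values taken from the thread: the client pool, the concentrator's
# split-tunnel list (wildcard-mask notation) and the posted PIX lines.
VPN_POOL = ipaddress.ip_network("172.28.37.0/24")

SPLIT_TUNNEL_WILDCARD = [
    "172.28.92.0/0.0.0.255", "172.28.95.0/0.0.0.255", "172.28.96.0/0.0.0.255",
    "172.31.0.0/0.0.255.255", "192.168.249.164/0.0.0.3", "172.28.32.0/0.0.0.255",
    "172.28.64.0/0.0.0.255", "172.28.98.0/0.0.0.255",
]

PIX_CONFIG = """\
static (inside,edn) 172.28.32.0 172.28.32.0 netmask 255.255.255.255
static (inside,edn) 172.28.92.0 172.28.92.0 netmask 255.255.255.255
static (inside,edn) 172.28.64.0 172.28.64.0 netmask 255.255.255.255
access-list nonat extended permit ip 172.28.32.0 255.255.255.0 172.28.32.0 255.255.255.0
access-list nonat extended permit ip 172.28.92.0 255.255.255.0 172.28.37.0 255.255.255.0
access-list nonat extended permit ip 172.28.32.0 255.255.255.0 172.28.37.0 255.255.255.0
access-list nonat extended permit ip 172.28.64.0 255.255.255.0 172.28.37.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.32.0 255.255.255.0
access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.92.0 255.255.255.0
access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.64.0 255.255.255.0
route edn 172.28.37.0 255.255.255.0 172.28.95.95 1
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\w+)\) 0 access-list (\S+)$")


def wildcard_to_network(text):
    """Convert '172.31.0.0/0.0.255.255' to IPv4Network('172.31.0.0/16')."""
    addr, wild = text.split("/")
    w = int(ipaddress.IPv4Address(wild))
    if w & (w + 1):  # set bits must be one contiguous low-order run, else no CIDR form
        raise ValueError(f"non-contiguous wildcard mask: {wild}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def parse_pix(config):
    """Pull statics, access-lists and 'nat 0 access-list' bindings out of the text.
    Only the statement forms used in the posted fragment are recognised."""
    statics, acls, nat0 = [], {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            statics.append({
                "real_if": real_if, "mapped_if": mapped_if, "mask": mask,
                "real": ipaddress.ip_network(f"{real}/{mask}", strict=False),
                "mapped": ipaddress.ip_network(f"{mapped}/{mask}", strict=False),
            })
        elif m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{src}/{smask}", strict=False),
                ipaddress.ip_network(f"{dst}/{dmask}", strict=False),
            ))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
    return statics, acls, nat0


def check_reachability(config, pool, split_tunnel, inside_if="inside", acl_in="edn_acl"):
    """For each split-tunnel network report whether the PIX (a) exempts
    inside -> pool traffic from NAT and (b) permits pool -> inside on the
    DMZ-side ACL. Both are needed for client pings to get through."""
    statics, acls, nat0 = parse_pix(config)
    nonat = acls.get(nat0.get(inside_if, ""), [])
    inbound = acls.get(acl_in, [])
    report = {}
    for text in split_tunnel:
        net = wildcard_to_network(text)
        nat_exempt = any(net.subnet_of(s) and pool.subnet_of(d) for s, d in nonat)
        acl_permit = any(pool.subnet_of(s) and net.subnet_of(d) for s, d in inbound)
        # A static whose netmask covers less than the network (a /32 on a /24
        # address, as posted) translates a single host, not the subnet.
        partial_static = any(
            s["real"].overlaps(net) and not net.subnet_of(s["real"]) for s in statics
        )
        report[str(net)] = {
            "nat_exempt": nat_exempt, "acl_permit": acl_permit,
            "partial_static": partial_static, "ok": nat_exempt and acl_permit,
        }
    return report


if __name__ == "__main__":
    for net, r in check_reachability(PIX_CONFIG, VPN_POOL, SPLIT_TUNNEL_WILDCARD).items():
        missing = [k for k in ("nat_exempt", "acl_permit") if not r[k]]
        note = " (static netmask covers only one host)" if r["partial_static"] else ""
        print(f"{net:20} {'reachable' if r['ok'] else 'missing: ' + ', '.join(missing)}{note}")
```

Run against the posted fragment, only 172.28.32.0/24, 172.28.92.0/24 and 172.28.64.0/24 come back as reachable; the other five split-tunnel networks have neither a nonat entry nor an edn_acl permit, and the three statics are flagged because their 255.255.255.255 netmask covers only the .0 address of each /24 (the nat 0 exemption, not the static, is what carries the inside-to-pool traffic here). The checker looks only at the PIX side: a network that passes here can still be unreachable if the concentrator's private interface or the inside hosts lack a route back to the pool.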
01-18-2008 12:33 AM
Greetings,
I'm a little unclear about your problem, as the sentences:
> concentrator is able to reach all of the above networks without any problem.
> But client is able to ping any of the above networks, except concentrator private interface.
I think that you might mean NONE of the above networks.
I encountered a similar situation that I resolved by enabling NAT traversal on the device that is providing VPN access. You have not stated what these devices are, so I can't offer specifics. Make sure that ISAKMP is enabled for NAT traversal to function.
-Johan
01-18-2008 01:02 AM
Sorry for typing the wrong sentence. The client was not able to ping the above networks, but now the client can reach them. I did nothing; it suddenly started working fine with the old configuration. I am using a Cisco VPN concentrator whose private interface is connected to the DMZ of the PIX firewall. Please tell me whether I still need to enable it.
Thanks for the reply.