VPN Client Pool

Unanswered Question
Jan 15th, 2008

When configuring VPN client access on a Cisco PIX using an IP pool, how is the designated IP pool (e.g. 192.168.1.0) allowed access to the internal LAN (e.g. 10.101.1.0)?

Is this NAT'd by the PIX and allowed through? What routing is performed to allow this? Are any access-lists required?

Or is the routing automatic, as the PIX is aware of the necessary networks?



Jason Gervia Tue, 01/15/2008 - 05:23
User Badges:
  • Cisco Employee,

Hello,


Unless you have NAT configured going from your inside to your outside interface, the pool IP addresses should be able to access the internal network without NAT. Their next hop is the firewall, and if the firewall knows how to route to the rest of the network, you are fine.

If you do have a nat0, you will want to put a statement in your nat0 access-list (or create one) saying anything going to the pool addresses doesn't need to be translated.

The only caveat is that the rest of your network needs to know where the pool resides: when a packet gets to those internal devices, do they know how to route the source address back to the ASA? That catches a lot of people.


--Jason
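A PIX configuration fragment implementing the three points in the answer above (the NAT exemption for the pool, the unchanged outbound NAT, and the return route on the internal router). This is an added example, not configuration from the original thread; the pool range, the ACL name NONAT and the PIX inside-interface address 10.101.1.1 are assumed.

```cisco
! --- On the PIX ---
! Address pool handed to remote-access VPN clients (range assumed)
ip local pool VPNPOOL 192.168.1.10-192.168.1.100

! Identity NAT (nat 0): exempt inside-LAN -> client-pool traffic so the
! ordinary nat/global rules below do not translate it.
! Keep the ACL scoped to the pool only; a "permit ip any any" here would
! switch NAT off for all inside traffic, not just the VPN flows.
access-list NONAT permit ip 10.101.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Normal PAT for everything else leaving the inside interface (unchanged)
nat (inside) 1 10.101.1.0 255.255.255.0
global (outside) 1 interface

! --- On the internal router / L3 switch behind the PIX ---
! Return route for the pool, pointing at the PIX inside interface
! (10.101.1.1 assumed). Without it, replies to VPN clients follow the
! router's default route instead of going back to the firewall, which is
! the caveat raised in the answer.
ip route 192.168.1.0 255.255.255.0 10.101.1.1
```

To check the result, `show xlate` on the PIX should show no translation entries for inside-to-pool flows, and `show ip route 192.168.1.0` on the internal router should list the PIX inside address as the next hop.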
