Routing local addresspool for IPsec issue on PIX506E

Answered Question
Apr 5th, 2009

My internal networks are 192.168.2.0/24 and 192.168.4.0/24 and are behind a 2811 router. Between the 2811 and the PIX I use network 10.10.10.8/30. Now I want to use some 192.168.5.0 addresses for a remote access pool, defined on the PIX. When I connect with the Cisco VPN client (192.168.5.1) the tunnel comes up but I'm not able to access my internal network. Does anyone know what's wrong?

Correct Answer by JamesLuther about 7 years 10 months ago

Hi,

Perhaps it is to do with NAT? Try adding the following on the PIX

isakmp nat-traversal

Is this a new client VPN setup or is it a change to an existing setup? Have you tried running some debug or packet capture on the PIX to see what is happening? Are the packets arriving at the PIX in the first place?

Regards

JamesLuther Mon, 04/06/2009 - 00:31

Hi,

Maybe a bit obvious, but do you have a route for the 192.168.5.0/24 network on the 2811 router pointing towards the PIX or is this covered by a default route?

If you post your config of the PIX and 2811 then it may help.

regards
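The two points raised in the replies above (NAT handling on the PIX and a return route for the pool on the 2811) as one minimal PIX 6.3 / IOS configuration; this is an added example, not config posted in the thread. The pool name vpnpool, the group name remoteusers, the /30 endpoints (10.10.10.9 on the 2811, 10.10.10.10 on the PIX inside interface) and the keepalive value are assumptions.

```text
! --- PIX 506E, 6.3(x) ---
! Assumed: PIX inside = 10.10.10.10/30, 2811 side of the /30 = 10.10.10.9
ip local pool vpnpool 192.168.5.1-192.168.5.254

! Routes to the internal networks that live behind the 2811
route inside 192.168.2.0 255.255.255.0 10.10.10.9 1
route inside 192.168.4.0 255.255.255.0 10.10.10.9 1

! NAT exemption: inside <-> VPN pool traffic must not be translated,
! otherwise replies to 192.168.5.x leave with a translated source
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list nonat

! Let decrypted IPsec traffic bypass the outside interface ACL
sysopt connection permit-ipsec
isakmp enable outside
! NAT-T: wrap ESP in UDP/4500 when the client sits behind a NAT device
! (20 = keepalive interval in seconds, the default)
isakmp nat-traversal 20

! Remote-access group (name and key are placeholders)
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers password <pre-shared-key>

! --- 2811 router ---
! Return route for the pool toward the PIX inside interface
! (not needed if the default route already points at the PIX)
ip route 192.168.5.0 255.255.255.0 10.10.10.10

! Checks once a client is connected:
!   PIX : show isakmp sa          -> phase 1 SA present for the client
!   PIX : show crypto ipsec sa    -> encaps AND decaps counters both increasing
!   2811: show ip route 192.168.5.0 -> route via 10.10.10.10 installed
```

If decaps increments but encaps stays at zero on the PIX, the client's packets arrive but the return path is missing, which points at the route or the NAT exemption rather than at the tunnel itself.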

pverstegen Wed, 04/08/2009 - 10:44

Hi, seems that command did the trick. Thanks...

I'm now able to get into the network and reach all machines. The only challenge there is right now is to get my incoming ACS downloadable ACL working. Maybe you are experienced with this combination: PIX506E 6.3(5) - ACS 4.1(1) Build 23 Patch 5. This is my list:

permit ip host 192.168.4.200 any

deny ip any any

I'm still able to ping other machines in subnet 4 from source address 192.168.5.1

Do you have an idea?

Regards, Peter

JamesLuther Wed, 04/08/2009 - 23:45

Hi,

Thanks for the rating. Sorry I'm not sure about the downloadable ACL. However I did see this after a quick search

http://supportwiki.cisco.com/ViewWiki/index.php/Downloadable_ACLs_configured_on_the_Cisco_Secure_ACS_version_4.0_for_Windows_are_unable_to_restrict_access_for_Cisco_VPN_Clients_that_terminate_on_the_PIX_Firewall

You will probably get more responses if you post this as a new question (as this thread is marked solved).

Regards
