IPSec VPN clients to PIX 7.x - addressing conflict

Apr 9th, 2010

Client behind a PAT home router, with local address in

Servers in behind PIX firewall.

Client uses VPN client to connect to PIX firewall, is assigned IP from pool.

Client cannot access servers in subnet, but can reach other subnets behind the PIX.

Split tunneling is setup.

Users don't have skill to change home network. Major outage to re-address the servers.

Is there any configuration change on the PIX to fix this?

Federico Coto F... Fri, 04/09/2010 - 12:34


In this scenario it seems that the better way would be to NAT the internal LAN where the servers reside on the PIX to a different network for the VPN clients.

The problem is that when the VPN clients try to access the local LAN through the tunnel, the traffic remains local.

So, you can configure NAT on the PIX to translate the local LAN, and in this way the VPN clients will reach the subnet with a different addressing.


mitchrussell42 Mon, 04/12/2010 - 07:54

I tried a policy NAT, but it wouldn't fire. The VPN terminates on our only PIX firewall. The issue is that NAT is associated with an interface. The untunneled VPN traffic is not arriving on any of the interfaces available to the NAT command, it just "appears" on the PIX traffic stream.

So, we are probably going to use this issue to justify Citrix for our application.

We have been able to work with our consultants to change their home networks to not conflict with the servers.

Federico Coto F... Mon, 04/12/2010 - 07:56

Anyway, the VPN is also associated with an interface on the PIX.

In this way, it is a matter of checking the Policy NAT configuration and that it is correctly applied to the VPN traffic.

I've done this before and it works.
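As an added illustration of the policy NAT that Federico describes in both of his replies (this is not configuration from either poster or from Cisco), the fragment below assumes PIX 7.x syntax, a server LAN of 192.168.1.0/24 that collides with the clients' home networks, a VPN address pool of 172.16.100.0/24, and a mapped network of 10.99.1.0/24 that the VPN clients will use to reach the servers. All addresses and ACL/group-policy names are constructed values.

```cisco
! Constructed example: policy NAT on PIX 7.x so VPN clients reach an
! overlapping server LAN through a different (mapped) address range.
!
! Real server LAN : 192.168.1.0/24  (conflicts with clients' home LANs)
! VPN client pool  : 172.16.100.0/24
! Mapped server LAN: 10.99.1.0/24   (what the clients will address)

! 1. Match only server-LAN traffic whose destination is a VPN client.
access-list VPN_POLICY_NAT extended permit ip 192.168.1.0 255.255.255.0 172.16.100.0 255.255.255.0

! 2. Policy static: translate 192.168.1.0/24 -> 10.99.1.0/24, but only for
!    flows matched by the ACL above. VPN traffic is decrypted on "outside",
!    so the translation is between inside and outside, as in the reply above.
static (inside,outside) 10.99.1.0 access-list VPN_POLICY_NAT

! 3. The split-tunnel list must advertise the MAPPED network, otherwise the
!    client keeps 192.168.1.0/24 traffic on its home LAN and never sends it
!    into the tunnel (the symptom described in the question).
access-list SPLIT_TUNNEL standard permit 10.99.1.0 255.255.255.0

group-policy RAVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
```

Two checks before expecting this to "fire": NAT exemption (`nat (inside) 0 access-list ...`) is evaluated before policy static on PIX 7.x, so an existing exemption entry covering 192.168.1.0/24 to the VPN pool must be removed or narrowed or the policy static is never consulted; and the clients must address the servers by the mapped range (10.99.1.x here), so any internal DNS names they use need to resolve to the mapped addresses, not the real ones. `show xlate` and `show nat` on the PIX confirm whether the translation is being built for a VPN client's session.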


