IPSec VPN clients to PIX 7.x - addressing conflict

Unanswered Question
Apr 9th, 2010

Client behind a PAT home router, with local address in 192.168.1.0/24.

Servers in 192.168.1.0/24 behind PIX firewall.

Client uses VPN client to connect to PIX firewall, is assigned IP from 172.31.1.0/24 pool.

Client cannot access servers in the 192.168.1.0/24 subnet, but can access other subnets behind the PIX.

Split tunneling is set up.

Users don't have the skill to change their home networks. Re-addressing the servers would be a major outage.

Is there any configuration change on the PIX to fix this?

Federico Coto F... Fri, 04/09/2010 - 12:34

Hi,

In this scenario it seems that the better way would be to NAT the internal LAN 192.168.1.0/24, where the servers reside, on the PIX to a different network for the VPN clients.

The problem is that when the VPN clients try to access the local LAN through the tunnel, the traffic remains local.

So, you can configure NAT on the PIX to translate the local LAN, and in this way the VPN clients will reach the subnet with a different addressing.

Federico.

mitchrussell42 Mon, 04/12/2010 - 07:54

I tried a policy NAT, but it wouldn't fire. The VPN terminates on our only PIX firewall. The issue is that NAT is associated with an interface. The untunneled VPN traffic is not arriving on any of the interfaces available to the NAT command, it just "appears" on the PIX traffic stream.

So, we are probably going to use this issue to justify Citrix for our application.

We have been able to work with our consultants to change their home networks to not conflict with the servers.

Federico Coto F... Mon, 04/12/2010 - 07:56

Anyway, the VPN is also associated with an interface on the PIX.

In this way, it is a matter of checking the Policy NAT configuration and that it is correctly applied for the VPN traffic.

I've done this before and it works.

Federico.
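The policy NAT that Federico proposes in both of his replies, written out as an added example. This is not configuration from the original thread, the poster's PIX, or Cisco documentation; the interface names (inside/outside), ACL and pool names, the group-policy name VPN_GP, the 10.10.1.0/24 translated range, the 10.20.0.0/16 second subnet and the 192.168.1.5 host are assumptions for illustration. The two details that most often stop a policy NAT from "firing" in this setup are shown alongside it: a NAT exemption (nat 0 access-list) that already matches server-to-pool traffic is evaluated before policy NAT and silently wins, and the split-tunnel list must carry the translated range, not 192.168.1.0/24, or the client keeps routing those addresses to its home LAN.

```text
! PIX 7.x - added example with assumed names and addresses (not the poster's config)
! inside  = server LAN 192.168.1.0/24
! outside = Internet; the IPsec tunnels terminate here, so decrypted client traffic
!           enters the PIX as if it arrived on "outside" and (inside,outside) NAT applies.
! Goal: VPN clients in pool 172.31.1.0/24 see the servers as 10.10.1.0/24, which does
!       not collide with the 192.168.1.0/24 home LAN behind the client's PAT router.

ip local pool VPN_POOL 172.31.1.1-172.31.1.254 mask 255.255.255.0

! 1. Weak setting, typically already present: NAT exemption for server-to-pool traffic.
!    Exemption has priority over policy NAT, so as long as this ACE exists the
!    policy static below never matches and the servers keep appearing as 192.168.1.x.
!      access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 172.31.1.0 255.255.255.0
!      nat (inside) 0 access-list NO_NAT
!    Corrected: drop that ACE (other NO_NAT entries for site-to-site tunnels etc. stay).
no access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 172.31.1.0 255.255.255.0

! 2. Policy static NAT: only when 192.168.1.0/24 talks to the VPN pool, present it as
!    10.10.1.0/24. The mapped subnet size is taken from the ACL's source mask.
!    Static NAT is bidirectional: a client connecting to 10.10.1.5 reaches 192.168.1.5,
!    and the server's reply to 172.31.1.x is translated back to a 10.10.1.5 source.
!    "dns" (assumed acceptable here) rewrites A records in DNS replies that cross the
!    PIX with DNS inspection enabled, so names resolved through the tunnel return 10.10.1.x.
access-list VPN_POLICY_NAT extended permit ip 192.168.1.0 255.255.255.0 172.31.1.0 255.255.255.0
static (inside,outside) 10.10.1.0 access-list VPN_POLICY_NAT dns

! 3. Split tunnel: advertise the translated range, never 192.168.1.0/24.
access-list SPLIT_TUNNEL standard permit 10.10.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.20.0.0 255.255.0.0
group-policy VPN_GP attributes
 address-pools value VPN_POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! 4. Check: connect a client, open a session to 10.10.1.5, then confirm the
!    translation was built. No 10.10.1.x xlate means an exemption or an earlier
!    NAT rule matched first.
show xlate | include 10.10.1
```

Verify from the client side with the VPN client's route table: 10.10.1.0/24 must be listed as a secured route and 192.168.1.0/24 must not. Servers on 192.168.1.0/24 that are themselves configured to reach the VPN pool (for example, monitoring or push agents) are unaffected, because the translation only changes what the clients see, not the real addresses.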
