IPSec VPN clients to PIX 7.x - addressing conflict

mitchrussell42
Level 1

Client behind a PAT home router, with local address in 192.168.1.0/24.

Servers in 192.168.1.0/24 behind PIX firewall.

Client uses VPN client to connect to PIX firewall, is assigned IP from 172.31.1.0/24 pool.

Client cannot access servers in 192.168.1.0/24 subnet, but can other subnets behind PIX.

Split tunneling is set up.

Users don't have skill to change home network. Major outage to re-address the servers.

Is there any configuration change on the PIX to fix this?

3 Replies

Hi,

In this scenario it seems that the better way would be to NAT the internal LAN 192.168.1.0/24, where the servers reside, on the PIX to a different network for the VPN clients.

The problem is that when the VPN clients try to access the local LAN through the tunnel, the traffic remains local.

So, you can configure NAT on the PIX to translate the local LAN, and in this way the VPN clients will reach the subnet with a different addressing.

Federico.

I tried a policy NAT, but it wouldn't fire. The VPN terminates on our only PIX firewall. The issue is that NAT is associated with an interface. The untunneled VPN traffic is not arriving on any of the interfaces available to the NAT command, it just "appears" on the PIX traffic stream.

So, we are probably going to use this issue to justify Citrix for our application.

We have been able to work with our consultants to change their home networks to not conflict with the servers.

Anyway, the VPN is also associated with an interface on the PIX.

In this way, it is a matter of checking the Policy NAT configuration and that it is correctly applied for the VPN traffic.

I've done this before and it works.

Federico.
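Added example of the policy NAT approach described in the two replies above (not configuration posted by anyone in this thread). It assumes the VPN terminates on the PIX interface named `outside`, the servers sit behind `inside`, the client pool is 172.31.1.0/24 as in the question, the group-policy is called `VPNGROUP`, and 10.10.10.0/24 is an unused range chosen here as the translated address for the server LAN.

```cisco
! Match only traffic between the server LAN and the VPN client pool,
! so normal inside-to-outside traffic is not affected by this translation.
access-list VPN_SERVERS_NAT extended permit ip 192.168.1.0 255.255.255.0 172.31.1.0 255.255.255.0

! Policy static NAT: VPN clients see the 192.168.1.0/24 servers as 10.10.10.0/24.
! Because 10.10.10.x does not overlap the client's home LAN, the client
! routes it into the tunnel instead of onto the local network.
static (inside,outside) 10.10.10.0 access-list VPN_SERVERS_NAT

! Split-tunnel list must carry the TRANSLATED range, not 192.168.1.0/24,
! otherwise the client keeps sending server traffic to its home LAN.
access-list SPLIT_TUNNEL standard permit 10.10.10.0 255.255.255.0

group-policy VPNGROUP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
```

Clients must reach the servers by the translated addresses (for example 10.10.10.5 for 192.168.1.5), so internal DNS answers handed to VPN users need to return the 10.10.10.x names, and `show xlate` on the PIX confirms whether the translation is being built for a given client session.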
