VPN client want to access different IP range

Hi,

I need the VPN client IP pool to be able to access one of the servers in the LAN.

The IP pool is 172.19.100.101~105 but the server is in a different range, 172.59.1.10.

From the below config, is there any configuration that I need to add or delete to be able to access the server?

Actually, I already tried to create a static route and to create a new IP pool, but I am still unable to access it.

Hope anybody can help.

====================================================================

I'm using PIX515

PIX Version 6.3(1)

access-list outside_access_in permit ip 172.19.100.96 255.255.255.240 interface inside 
access-list outside_access_in permit tcp any host 172.19.100.20 eq https 
access-list inside_outbound_nat0_acl permit ip any 172.19.100.96 255.255.255.240 
access-list inside_outbound_nat0_acl permit ip any host 172.59.1.1 
access-list inside_outbound_nat0_acl permit ip host 172.19.100.64 host 192.168.1.2 
access-list outside_cryptomap_dyn_20 permit ip any 172.19.100.96 255.255.255.240 
access-list outside_cryptomap_20 permit ip host 172.19.100.64 host 192.168.1.2 

ip address outside 203.x.x.27 255.255.255.248
ip address inside 172.19.100.20 255.0.0.0
no ip address intf2

ip local pool klccippool 172.19.100.101-172.19.100.105

global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.19.100.20 172.19.100.20 netmask 255.255.255.255 0 0 
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 203.x.x.25 1

vpngroup KLCCVPN address-pool klccippool
vpngroup KLCCVPN dns-server 203.x.x.25 203.x.x.24
vpngroup KLCCVPN idle-time 1800
vpngroup KLCCVPN password ********

: end


nkarthikeyan

Could you please explain how the server zone is connected to the VPN firewall?

Regards

Karthik

Hi Karthik,

Thanks for your response.

Attached is the pic.

VPN clients can connect to the 172.19.100.x server, but not to 172.59.1.10.

I just want the existing IP pool to connect to 172.59.1.10.

Hi Khazirul,

Here you have both the server and the LAN connected to the same switch with different VLANs, right?

Do you have the rule permitting the VPN pool to the server in the VPN/crypto ACL? Because whatever you have allowed and routed will reflect in the VPN connection.

Also, if you have a core switch which does the routing towards the LAN, then you may need to advertise the VPN pool route into your LAN.

I am not sure whether I am correct in your scenario. I am explaining with what I understood from the design.

Hope this helps

Regards

Karthik
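The two questions above (is the flow in the nat 0 and crypto ACLs, and does the PIX have a route for it) can be answered mechanically from the config in the original post. The following is an added example, my own code and not the poster's or Cisco's: it copies the relevant lines of the posted config (the redacted 203.x.x.x addresses are replaced with RFC 5737 documentation addresses as placeholders) and evaluates them with a deliberately simplified model of PIX 6.3 behaviour, first-match ACLs with an implicit deny and longest-prefix routing where an interface's own subnet counts as a connected route.

```python
"""Evaluate one flow, VPN-pool client <-> LAN host, against the PIX config
posted in this thread.  Added example, not the poster's code.  Assumptions:
203.0.113.x stands in for the redacted 203.x.x.x addresses, and the
evaluator is a simplification of PIX semantics (first-match ACL with
implicit deny; longest-prefix routing, interface subnet = connected)."""
from ipaddress import ip_address, ip_network

# Relevant lines copied from the posted config (constructed sample).
CONFIG = """
access-list inside_outbound_nat0_acl permit ip any 172.19.100.96 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any host 172.59.1.1
access-list inside_outbound_nat0_acl permit ip host 172.19.100.64 host 192.168.1.2
access-list outside_cryptomap_dyn_20 permit ip any 172.19.100.96 255.255.255.240
ip address outside 203.0.113.27 255.255.255.248
ip address inside 172.19.100.20 255.0.0.0
ip local pool klccippool 172.19.100.101-172.19.100.105
route outside 0.0.0.0 0.0.0.0 203.0.113.25 1
"""


def _net(addr, mask):
    return ip_network(f"{addr}/{mask}", strict=False)


def _operand(tokens):
    """Parse one ACL address operand ('any', 'host A', or 'A MASK').
    Returns the network and the number of tokens consumed."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return ip_network(f"{tokens[1]}/32"), 2
    return _net(tokens[0], tokens[1]), 2


def parse_config(text):
    """Return (acls, interfaces, pools, static_routes) from PIX-style lines."""
    acls, ifaces, pools, routes = {}, {}, {}, []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            src, n = _operand(t[4:])
            dst, _ = _operand(t[4 + n:])
            acls.setdefault(t[1], []).append((t[2], t[3], src, dst))
        elif t[:2] == ["ip", "address"]:
            ifaces[t[2]] = _net(t[3], t[4])
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ip_address(lo), ip_address(hi))
        elif t[0] == "route":
            routes.append((t[1], _net(t[2], t[3]), ip_address(t[4])))
    return acls, ifaces, pools, routes


def acl_permits(entries, src, dst):
    """First matching entry wins; no match is the implicit deny."""
    for action, _proto, s, d in entries:
        if src in s and dst in d:
            return action == "permit"
    return False


def egress(ifaces, routes, dst):
    """Longest-prefix match.  The gateway is None when the destination falls
    inside an interface subnet: the PIX then treats it as directly connected
    and ARPs for it on that interface instead of forwarding to a gateway."""
    best = None
    for name, net in ifaces.items():
        if dst in net and (best is None or net.prefixlen > best[2]):
            best = (name, None, net.prefixlen)
    for name, net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[2]):
            best = (name, gw, net.prefixlen)
    return None if best is None else best[:2]


def vpn_client_to_host(cfg, pool, nat0_acl, crypto_acl, host):
    """Check the LAN host -> VPN client direction, which is how both the
    nat 0 ACL and the dynamic crypto-map ACL in the post are written."""
    acls, ifaces, pools, routes = cfg
    client = pools[pool][0]  # first pool address stands in for any client
    host = ip_address(host)
    return {
        "nat_exempt": acl_permits(acls[nat0_acl], host, client),
        "in_crypto_acl": acl_permits(acls[crypto_acl], host, client),
        "egress": egress(ifaces, routes, host),
    }


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for host in ("172.59.1.10", "192.168.1.2"):
        r = vpn_client_to_host(cfg, "klccippool", "inside_outbound_nat0_acl",
                               "outside_cryptomap_dyn_20", host)
        iface, gw = r["egress"]
        how = "directly connected (ARP)" if gw is None else f"via {gw}"
        print(f"{host}: nat0={r['nat_exempt']} crypto={r['in_crypto_acl']} "
              f"egress={iface} {how}")
```

For 172.59.1.10 the run reports that the NAT exemption and the dynamic crypto ACL already match (both use `any` towards the pool), so the ACL side is not the gap. It also shows that, with `ip address inside 172.19.100.20 255.0.0.0`, the PIX places 172.59.1.10 inside its own connected /8 and will ARP for it on the inside interface rather than hand it to a gateway. The post does not show the layer-3 topology of the server VLAN, so this only says what to check: whether 172.59.1.10 really answers ARP on the inside segment, or whether the PIX needs a static route to a gateway for that subnet and that gateway needs a return route for 172.19.100.96/28. The poster's own observation that the firewall cannot ping the server is consistent with either.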

Also, 172.59.x.x seems to be a public IP range. It cannot be treated as a private zone range.

 

Regards

Karthik

Until you have subnet reachability for your VPN pool in the LAN, you will not be able to reach the server.

Are you able to reach the server from the VPN firewall?

 

Regards

Karthik

No, from the firewall I couldn't ping the server 172.59.1.10.

Then you do not have the proper configuration in place to reach the server. It needs to be corrected on the infrastructure side as well as from the firewall end. For testing, you can bring the server into the 172.16.x.x subnet range and check the access.

 

Hope this helps

Regards

Karthik

Hi,

 

Also, when you connect to the VPN and run route print, you will not be able to see 172.59.x.x in it. If that traffic takes the default route path of your local gateway, i.e. the client machine's internet gateway, it will go out over the internet, since that is a public IP. Either way it will not work.

The best way is to move that server under the private range 172.16.x.x to solve this issue.

 

Regards

Karthik

Hi

Yes, you are correct, each port is an access port with a different VLAN.

That's what I'm wondering: what rule should I include for the VPN pool to be allowed and routed to 172.59.1.10/24?

By the way, 172.59.1.10 is a private IP in my local LAN.

The core switch doesn't do routing for the VPN pool.

Not sure about the PIX CLI, but it seems you have to add a subnet mask (255.255.255.0) to the IP pool information in the vpngroup configuration, because the 172.19.100.x range is being treated as 172.19.0.0/16 and therefore your server 172.19.100.x is able to connect with the VPN users.

Please make this change and let me know the result.

Hi Rahul,

I changed the IP pool to 172.0.0.1 - 172.0.0.5, but I still can't access the 172.59.1.10 server.

Hi Khairul,

If you change the IP pool to 172.0.0.1 to 172.0.0.5, since it's a class B subnet it will be assumed to be 172.0.0.0/16. If you can't get a subnet mask option when configuring the VPN profile, then use a class A IP pool range, say 10.0.0.1 to 10.0.0.100. I am sure this will work.

But in this scenario all your servers must be in the 10.0.0.0 subnet.

Hi Rahul,

Thanks for your reply, but it doesn't make sense to change the LAN server to a different IP range.

I'm pretty sure it's something to do with routing or policies, but I just don't know where to change it.

Your comments are much appreciated.
