the ip inside is there from - Page 2

Mohd Khairul Nizam · ‎06-10-2014

Hi,

I need the VPN client IP pool to be able to access one of the server in the LAN.

The IP pool is 172.19.100.101~105 but the server is different range 172.59.1.10.

From the below config, is there any configuration that i need to add or delete to be able to access the server.

Actually, i already try to create static route, create new ip pool but still unable to access.

Hope, anybody can help.

====================================================================

I'm using PIX515

PIX Version 6.3(1)

access-list outside_access_in permit ip 172.19.100.96 255.255.255.240 interface inside
access-list outside_access_in permit tcp any host 172.19.100.20 eq https
access-list inside_outbound_nat0_acl permit ip any 172.19.100.96 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any host 172.59.1.1
access-list inside_outbound_nat0_acl permit ip host 172.19.100.64 host 192.168.1.2
access-list outside_cryptomap_dyn_20 permit ip any 172.19.100.96 255.255.255.240
access-list outside_cryptomap_20 permit ip host 172.19.100.64 host 192.168.1.2

ip address outside 203.x.x.27 255.255.255.248
ip address inside 172.19.100.20 255.0.0.0
no ip address intf2

ip local pool klccippool 172.19.100.101-172.19.100.105

global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.19.100.20 172.19.100.20 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 203.x.x.25 1

vpngroup KLCCVPN address-pool klccippool
vpngroup KLCCVPN dns-server 203.x.x.25 203.x.x.24
vpngroup KLCCVPN idle-time 1800
vpngroup KLCCVPN password ********

: end

Rahul Kumar Mishra · ‎06-12-2014

Why have you configured /8 network on our firewall interface?

ip address inside 172.19.100.20 255.0.0.0.

also can you share inside static routes of Pix and static routes of core switch?

Mohd Khairul Nizam · ‎06-12-2014

the ip inside is there from the 1st setup. i also just figured it out. maybe i can change it.

by the way pls see below

pix=========================================

global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.x.x.28 Linux_File_Srv netmask 255.255.255.255 0 0
static (inside,outside) 203.x.x.29 Database_Srv netmask 255.255.255.255 0 0
static (inside,outside) 203.x.x.30 172.19.100.17 netmask 255.255.255.255 0 0
static (inside,outside) 203.x.x.26 172.19.100.64 netmask 255.255.255.255 0 0
static (inside,outside) 172.19.100.20 172.19.100.20 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 203.x.x.25 1
timeout xlate 3:00:00

core sw===================================

L2_SW_2970#show access-lists

Standard IP access list 1
10 permit 172.9.100.0, wildcard bits 0.0.0.255
20 permit 172.19.100.0, wildcard bits 0.0.0.255 (2 matches)

Rahul Kumar Mishra · ‎06-12-2014

You have a core switch mentioned in diagram. can you please share static route details of that switch?

Mohd Khairul Nizam · ‎06-12-2014

the 2970 is the core sw, and it doesn't have routing

Rahul Kumar Mishra · ‎06-12-2014

Oops. First of all any switch which can not do routing is not a core switch at all.

What is happening here, you have connected your Pix firewall with 2970 switch and therefore you are only able to ping 172.19.100.x servers because your firewall too has same range of IP address (As well as same vlan) and not able to connect with 172.59.x.x range because it's in different vlan...Here what you can do is to check if you have interfaces available on router because here your router is doing interevlan routing. Just connect the PIx with Router's spare interface. Create a /32 subnet between pix and router, change inside IP of Pix with this new IP. Add static route on Pix as-

route inside 172.59.0.0 255.255.0.0 <router's IP>.

On router add specific static routes for VPN pool with Pix inside Interface as gateway.

This will solve all your problem.

Rahul Kumar Mishra · ‎06-12-2014

other solution is to create trunking between pix and 2970switch, but it will be more complex in terms of configuration on pix.

Mohd Khairul Nizam · ‎06-13-2014

Hi Rahul,

Thanks for ur reply.

There is no extra port on router and by the way the physical connection must be remain.

you also correct in the sense that the router is doing the interVLAN routing.

Rahul Kumar Mishra · ‎06-13-2014

Can you share interface configuration of router which is connected with cisco 2970 switch. You need to change subnet mask of pix interface also you have to add inside static route with gateway of router's interface IP connected with Switch.

VPN client want to access different IP range