08-10-2010 12:49 PM - edited 03-11-2019 11:23 AM
Hi,
I am facing an issue with remote access VPN.
The VPN client pool assigned is 192.168.1.1 to 192.168.1.254.
Please refer to the attached scenario.
When I tried to connect using the VPN client it connected, but the LAN networks are not accessible. What might be the reason?
After the VPN client connected to the firewall I can see the IP as 192.168.1.1 with 192.168.1.2 as the gateway.
Should I do any policy? Please help.
PIX ver 7.2
Thanks,
KGP
08-10-2010 09:38 PM
Hello,
Can you please verify that you have nonat rules configured in the firewall?
access-list nonat permit ip any 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
Hope this helps.
Regards,
NT
08-10-2010 09:55 PM
Yes, this rule is enabled!
But my question is: the pool is 192.168.1.x for the clients and my LAN falls on 192.168.1.x. From the firewall's perspective it knows only 192.168.2.x, as it is local.
Once the client connects with the PIX, the client gets the IP 192.168.1.1 with gateway 192.168.1.2.
So do I have to give any security policy stating to permit between the 192.168.1.x pool and the 192.168.2.x local LAN?
If so, how do I give the policy?
Does any routing need to be added?
08-10-2010 10:00 PM
Hello,
All VPN traffic is treated as internal traffic. So, you do not need any security rules to communicate with internal devices. One thing I am not understanding is the "default gateway" you are getting. Who is the DHCP server for the VPN clients? Which device has the 192.168.1.2 (default gateway) address? Typically, for remote access VPNs, you do not need a default gateway. The traffic hits the firewall automatically and then the firewall will route it. If you have a third-party DHCP server, can you remove the default gateway option and see if that helps?
Regards,
NT
08-11-2010 01:50 AM
Yes, DHCP is assigned from the PIX to the Windows client, pool 192.168.1.1 to 1.254.
Once the client connects to the PIX, if I check my Windows machine using ipconfig I can see 192.168.1.1 as the machine IP and the gateway as 192.168.1.2.
But the internal LAN of the PIX falls on a different subnet, 192.168.2.x,
so that is why I doubt how my firewall knows about the pool. Is any route needed? How is the traffic coming from the pool treated, is it inside traffic or outside once the client connects?
08-11-2010 07:06 AM
Hello,
Can you please try the following commands:
vpn-addr-assign dhcp
no vpn-addr-assign aaa
no vpn-addr-assign local
group-policy attributes
dhcp-network-scope 192.168.1.0
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml
Hope this helps.
Regards,
NT
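As an added example (not from this thread, Cisco, or the PIX itself), a small Python audit of the two things this thread turns on: whether the client pool overlaps the inside LAN, and whether the nat (inside) 0 exemption ACL actually covers traffic from the inside LAN to the pool. The configuration fragment and the 192.168.2.0/24 inside subnet are constructed from the values quoted in the thread, and the parser handles only the line types needed here.

```python
import ipaddress

# Constructed PIX 7.x fragment modelled on this thread: the 192.168.1.x
# client pool and the nat-exemption (nonat) ACL suggested in the reply.
# Not a real device configuration.
PIX_CONFIG = """\
ip local pool vpnpool 192.168.1.1-192.168.1.254 mask 255.255.255.0
access-list nonat permit ip any 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
INSIDE_LAN = ipaddress.ip_network("192.168.2.0/24")  # assumed from the thread


def _operand(tokens, i):
    """Consume one ACL address operand (any / host X / addr mask) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    # PIX 7.x access-lists use a normal subnet mask, not a wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (pool network, name of the nat 0 ACL, list of (src, dst) ACEs)."""
    pool, nonat_acl, aces = None, None, []
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    for t in lines:
        if t[:3] == ["ip", "local", "pool"]:
            first = t[4].split("-")[0]
            mask = t[t.index("mask") + 1] if "mask" in t else "255.255.255.0"
            pool = ipaddress.ip_network(f"{first}/{mask}", strict=False)
        elif t[:1] == ["nat"] and len(t) > 3 and t[2] == "0" and "access-list" in t:
            nonat_acl = t[-1]
    for t in lines:  # second pass: collect the ACEs of the nat 0 ACL
        if t[:1] == ["access-list"] and t[1] == nonat_acl and t[2:4] == ["permit", "ip"]:
            src, i = _operand(t, 4)
            dst, _ = _operand(t, i)
            aces.append((src, dst))
    return pool, nonat_acl, aces


def audit(text, lan):
    """Pool/LAN overlap, and nat-exemption coverage for LAN -> pool traffic
    (the direction nat (inside) 0 is evaluated in)."""
    pool, acl, aces = parse_config(text)
    return {
        "pool": str(pool),
        "pool_overlaps_lan": pool.overlaps(lan),
        "nat_exempt_lan_to_pool": any(lan.subnet_of(s) and pool.subnet_of(d) for s, d in aces),
    }
```

For the fragment above the audit reports no overlap and a covering exemption, so on this configuration the remaining suspects are the client's odd default gateway and the return route, not the nonat rule.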