Cisco Support Community
Community Member

VPN Remote Access Problem

Hi,
I am facing an issue with remote access VPN.
The VPN client pool assigned is 192.168.1.1 to 192.168.1.254.
Please refer to the attached scenario.
When I tried to connect using the VPN client, it connected, but the LAN networks are not accessible. What might be the reason?
After the VPN client connected to the firewall, I can see the IP as 192.168.1.1 with 192.168.1.2 as the gateway.
Should I add any policy? Please help.
PIX version 7.2

Thanks,
KGP

5 REPLIES
Cisco Employee

Re: VPN Remote Access Problem

Hello,

Can you please verify that you have nonat rules configured in the firewall?

access-list nonat permit ip any 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nonat

Hope this helps.

Regards,

NT

Community Member

Re: VPN Remote Access Problem

Yes, this rule is enabled!

But my question is: the pool is 192.168.1.x for the clients and my LAN falls on 192.168.1.x. From the firewall's perspective, it knows only 192.168.2.x, as it is local.

Once the client connects to the PIX, the client gets an IP of 192.168.1.1 with gateway 192.168.1.2.

So do I have to add any security policy stating to permit traffic between the 192.168.1.x pool and the 192.168.2.x local LAN?

If so, how do I add the policy?

Does any routing need to be added?

Cisco Employee

Re: VPN Remote Access Problem

Hello,

All VPN traffic is treated as internal traffic. So, you do not need any security rules to communicate with internal devices. One thing I am not understanding is the "default gateway" you are getting. Who is the DHCP server for the VPN clients? Which device has the 192.168.1.2 (default gateway) address? Typically, for remote access VPNs, you do not need a default gateway. The traffic hits the firewall automatically and then the firewall will route it. If you have a third-party DHCP server, can you remove the default gateway option and see if that helps?

Regards,

NT
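The two things the replies above ask the poster to verify (the nat 0 exemption for the pool from the first reply, and whether the pool collides with a directly connected network, which is what the second post is worried about) can be checked mechanically against a saved configuration. The script below is an added example, not code from the thread or from Cisco. The configuration text it parses is constructed: the interface names and addresses (inside on 192.168.2.1/24, an outside interface on 203.0.113.2/24) and the pool name VPNPOOL are assumptions; the two nonat lines are the ones given in the first reply. A second, derived configuration puts the inside LAN on 192.168.1.x as well, which is the situation the original post describes, and a third drops the nat 0 line.

```python
"""Checks for a PIX/ASA 7.x remote-access VPN pool: (1) the pool must not
overlap a directly connected interface network; (2) 'nat (inside) 0
access-list NAME' must exist and NAME must exempt inside-LAN -> pool traffic.
Added example with constructed configs; nothing here is from the thread."""
import ipaddress
import re

Net = ipaddress.IPv4Network

# Constructed config. Interface names/addresses and the pool name are
# assumptions; the two nonat lines are the ones given in the first reply.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 203.0.113.2 255.255.255.0
interface Ethernet1
 nameif inside
 ip address 192.168.2.1 255.255.255.0
ip local pool VPNPOOL 192.168.1.1-192.168.1.254 mask 255.255.255.0
access-list nonat permit ip any 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
# Variant mirroring the original post: the LAN also sits on 192.168.1.x.
OVERLAP_CONFIG = SAMPLE_CONFIG.replace("192.168.2.1 ", "192.168.1.254 ")
# Variant with the NAT exemption missing.
NO_NAT0_CONFIG = SAMPLE_CONFIG.replace("nat (inside) 0 access-list nonat\n", "")


def _net(addr: str, mask: str) -> Net:
    return ipaddress.IPv4Network((addr, mask), strict=False)


def parse_interfaces(config: str) -> dict[str, Net]:
    """Map nameif -> connected network; assumes nameif precedes ip address."""
    nets, nameif = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None
        elif m := re.match(r"\s+nameif\s+(\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"\s+ip address\s+(\S+)\s+(\S+)", line)) and nameif:
            nets[nameif] = _net(m.group(1), m.group(2))
    return nets


def parse_pools(config: str) -> dict[str, Net]:
    """Map 'ip local pool' name -> smallest network covering FIRST-LAST."""
    pools = {}
    for name, first, last in re.findall(r"^ip local pool\s+(\S+)\s+([\d.]+)-([\d.]+)",
                                        config, re.M):
        net = ipaddress.IPv4Network(first + "/32")
        while ipaddress.IPv4Address(last) not in net:  # widen until the range fits
            net = net.supernet()
        pools[name] = net
    return pools


def _take_addr(toks: list[str]) -> tuple[Net, list[str]]:
    """Consume one ACE address spec: 'any', 'host A' or 'A MASK'."""
    if toks[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.IPv4Network(toks[1] + "/32"), toks[2:]
    return _net(toks[0], toks[1]), toks[2:]


def parse_permit_ip(config: str, acl: str) -> list[tuple[Net, Net]]:
    """(src, dst) pairs of the 'permit ip' entries of access-list ACL."""
    pat = re.compile(r"^access-list\s+" + re.escape(acl) +
                     r"\s+(?:extended\s+)?permit\s+ip\s+(.+)$", re.M)
    pairs = []
    for m in pat.finditer(config):
        src, rest = _take_addr(m.group(1).split())
        dst, _ = _take_addr(rest)
        pairs.append((src, dst))
    return pairs


def parse_nat0(config: str) -> dict[str, str]:
    """Map interface -> ACL name from 'nat (IF) 0 access-list NAME'."""
    return dict(re.findall(r"^nat\s+\((\S+?)\)\s+0\s+access-list\s+(\S+)", config, re.M))


def check_vpn_pool(config: str, inside: str = "inside") -> list[str]:
    """Return findings; an empty list means both checks passed."""
    ifaces, pools, nat0 = parse_interfaces(config), parse_pools(config), parse_nat0(config)
    if inside not in ifaces:
        return [f"interface {inside} has no ip address"]
    lan = ifaces[inside]
    exempt = parse_permit_ip(config, nat0[inside]) if inside in nat0 else []
    findings = []
    for name, pool in pools.items():
        for ifname, net in ifaces.items():
            if pool.overlaps(net):
                findings.append(f"pool {name} {pool} overlaps {ifname} network {net}")
        if inside not in nat0:
            findings.append(f"no 'nat ({inside}) 0 access-list' exempting pool {name} from NAT")
        elif not any(s.supernet_of(lan) and d.supernet_of(pool) for s, d in exempt):
            findings.append(f"nat 0 ACL {nat0[inside]} does not cover {lan} -> pool {pool}")
    return findings
```

Running `check_vpn_pool(SAMPLE_CONFIG)` returns an empty list; `check_vpn_pool(OVERLAP_CONFIG)` reports that the pool overlaps the inside network, which is exactly the condition under which the firewall cannot tell a pool address from a LAN host and the "LAN not accessible" symptom appears; `check_vpn_pool(NO_NAT0_CONFIG)` reports the missing exemption. The script only looks at addressing and the nat 0 list; it does not inspect the crypto or tunnel-group configuration, nor `sysopt connection permit-vpn`, the setting that lets decrypted VPN traffic bypass the interface access-lists in the way the reply above describes.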

Community Member

Re: VPN Remote Access Problem

Yes, DHCP is assigned from the PIX to the Windows client; the pool is 192.168.1.1 to 192.168.1.254.

Once the client connects to the PIX, if I check my Windows machine using ipconfig, I can see 192.168.1.1 as the machine IP and the gateway as 192.168.1.2.

But my internal LAN of the PIX falls on a different subnet, 192.168.2.x,

so that is why I doubt how my firewall knows about the pool. Is any route needed? How is the traffic coming from the pool treated? Is it inside traffic or outside once the client connects?

Cisco Employee

Re: VPN Remote Access Problem

Hello,

Can you please try the following commands:

vpn-addr-assign dhcp

no vpn-addr-assign aaa

no vpn-addr-assign local

group-policy attributes

dhcp-network-scope 192.168.1.0

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml

Hope this helps.

Regards,

NT
