Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX and VPN group Problem

Hello,

I have attached the config for our PIX firewall. Any tips would be appriciated.

The problem I am having is with remote clinets and the vpngroup setup on the PIX. When a client vpn's to the PIX using the vpngroup login and password, they are assigned a 192.168.99.xx IP address. The internal IP subnet for all devices behind the PIX is 192.168.0.xxx. The VPN clinets can access all devices on the 192.168.0.xx subnet, but I need to be able to allow the clinets to access other devices on our network that are outside the PIX. Example, I have several nodes that are assigned 192.168.20.xxx IP address that are outside the PIX. None of the vpngroup clients can access this subnet or any other subnet besides the internal PIX block. From any device or server behind the PIX with a 192.168.0.xx IP, I can access everything just fine.

Also, when using the Cisco PIX client, I have noticed that the machine that is VPN to the PIX, is not using the PIX as the default gateway to the outside world. Outside traffic is still routed over the clinets primary internet connection. I need to have all traffic route through the PIX. Is this possible?

Thanks,

Jesse

  • LAN Switching and Routing
4 REPLIES
New Member

Re: PIX and VPN group Problem

Forgot attachment.

Cisco Employee

Re: PIX and VPN group Problem

You current configuration has split tunnel configured and you are permitting the clients to access only 192.168.0.0/24 network. If you want to allow clients to access additional networks, please do add the appropriate networks to the split tunnel and nonat statements. Also, make sure that your internal networks knows that they need to route the packets to the pix for traffic destined to 192.168.99.0/24, the pool of ip addresses for the VPN Clients.

vpngroup vpn3000-all split-tunnel nonat

access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.99.0 255.255.255.0

Since you have split tunnel configured, all networks configured under split tunnel will e routed to the pix and all other traffic will follow the clients internet connection.

Now, to answer your second part of the questions, if you disable split tunnel and tunnel all traffic to the pix, then you need 7.x code or higher on the pix to support what is called intra-interface and send the traffic to the internet and your LAN. Please refer the below URL for details:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

In your case, if you cannot upgrade to 7.x, then you need another router or firewall in your network that directs traffic for the VPN Client Pool.

Let me know if it helps.

Regards,

Arul

* Please rate if it helps *

New Member

Re: PIX and VPN group Problem

Hello,

I added the following to my nonat list:

access-list nonat permit ip 192.169.20.0 255.255.255.0 192.168.99.0 255.255.255.0

I also, created a route pointing 192.168.99.0 network to the outside interface of my pix. I still can not reach anything. I do not think the outside interface is allowing the replies to the 192.168.99.0 network to pass.

J

Cisco Employee

Re: PIX and VPN group Problem

Couple of things:

1. Is it 192.169.20.0 or 192.168.20.0. I guess thats a typo.

2. If it is 192.169.20.0, Did you have the VPN Client disconnect and connect again to see if the split tunnels are passed on correctly.

2. Does the 192.169.20.0/24 know that they need to route the packets destined for 192.168.99.0 to the pix.

3. Can you also post the outputs of "show crypto ipsec sa" when you are not able to ping the 192.169.20.0.

4. Also, dont remember to do a clear xlate after making the changes.

Regards,

Arul

112
Views
0
Helpful
4
Replies