I have attached the config for our PIX firewall. Any tips would be appreciated.
The problem I am having is with remote clients and the vpngroup setup on the PIX. When a client VPNs to the PIX using the vpngroup login and password, they are assigned a 192.168.99.xx IP address. The internal IP subnet for all devices behind the PIX is 192.168.0.xxx. The VPN clients can access all devices on the 192.168.0.xx subnet, but I need to be able to allow the clients to access other devices on our network that are outside the PIX. For example, I have several nodes that are assigned 192.168.20.xxx IP addresses that are outside the PIX. None of the vpngroup clients can access this subnet or any other subnet besides the internal PIX block. From any device or server behind the PIX with a 192.168.0.xx IP, I can access everything just fine.
Also, when using the Cisco PIX client, I have noticed that the machine that is VPN'd to the PIX is not using the PIX as the default gateway to the outside world. Outside traffic is still routed over the client's primary internet connection. I need to have all traffic route through the PIX. Is this possible?
Your current configuration has split tunnel configured and you are permitting the clients to access only the 192.168.0.0/24 network. If you want to allow clients to access additional networks, please do add the appropriate networks to the split tunnel and nonat statements. Also, make sure that your internal networks know that they need to route the packets to the pix for traffic destined to 192.168.99.0/24, the pool of ip addresses for the VPN Clients.
vpngroup vpn3000-all split-tunnel nonat
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.99.0 255.255.255.0
Since you have split tunnel configured, all networks configured under split tunnel will be routed to the pix and all other traffic will follow the client's internet connection.
Now, to answer the second part of your question: if you disable split tunnel and tunnel all traffic to the pix, then you need 7.x code or higher on the pix to support what is called intra-interface and send the traffic to the internet and your LAN. Please refer to the URL below for details:
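An added example of the three conditions the answer lists (this is not code from the thread or from Cisco): it parses a constructed PIX config fragment modelled on the quoted vpngroup and access-list statements and reports, for a given client and destination, whether the client would send the traffic into the tunnel and whether the nat 0 exemption covers the reply, plus a longest-prefix check that an inside router sends the 192.168.99.0/24 pool back to the PIX. The pool definition, the PIX inside address 192.168.0.1, the second router 192.168.0.254 and the two route tables are assumptions made for the example.

```python
"""Model of what the answer above requires for a PIX split-tunnel VPN client
to reach an extra network: the split-tunnel ACL must list it, the nat 0
(nonat) ACL must exempt it, and inside routers must route the VPN pool back
to the PIX.  Added example, not the thread's or Cisco's code."""
import ipaddress
import re

# Constructed config fragment modelled on the statements quoted in the answer.
ORIGINAL_CONFIG = """\
ip local pool vpnpool 192.168.99.1-192.168.99.254
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.99.0 255.255.255.0
nat (inside) 0 access-list nonat
vpngroup vpn3000-all address-pool vpnpool
vpngroup vpn3000-all split-tunnel nonat
"""
# Same fragment with 192.168.20.0/24 added to the nonat ACL, which in the
# quoted config serves as both the split-tunnel list and the NAT exemption.
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    "nat (inside) 0",
    "access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.99.0 255.255.255.0\n"
    "nat (inside) 0",
)
# Constructed route tables of an inside router (assumption: 192.168.0.1 is the
# PIX inside address, 192.168.0.254 is another router).
ROUTES_WITHOUT_RETURN = [("0.0.0.0/0", "192.168.0.254"), ("192.168.20.0/24", "192.168.0.254")]
ROUTES_WITH_RETURN = ROUTES_WITHOUT_RETURN + [("192.168.99.0/24", "192.168.0.1")]

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)\s*$", re.M)


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    acls = {}
    for name, src, smask, dst, dmask in ACL_RE.findall(config):
        src_net = ipaddress.ip_network(f"{src}/{smask}", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        acls.setdefault(name, []).append((src_net, dst_net))
    return acls


def split_tunnel_acl(config, group):
    """Name of the split-tunnel ACL for a vpngroup, or None when tunnelling everything."""
    m = re.search(rf"^vpngroup {re.escape(group)} split-tunnel (\S+)\s*$", config, re.M)
    return m.group(1) if m else None


def nat_exempt_acl(config):
    """Name of the ACL referenced by 'nat (inside) 0', or None."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)\s*$", config, re.M)
    return m.group(1) if m else None


def acl_matches(entries, inside_ip, client_ip):
    """True if some entry pairs the inside host (source side) with the client (destination side)."""
    return any(inside_ip in s and client_ip in d for s, d in entries)


def check_client_path(config, group, client_ip, dest_ip):
    """Would the client tunnel dest_ip, and would the PIX exempt the reply from NAT?"""
    acls = parse_acls(config)
    client, dest = ipaddress.ip_address(client_ip), ipaddress.ip_address(dest_ip)
    st_name = split_tunnel_acl(config, group)
    # With split tunnel, only the source networks of the ACL are pushed to the client.
    tunneled = st_name is None or acl_matches(acls.get(st_name, []), dest, client)
    nat_exempt = acl_matches(acls.get(nat_exempt_acl(config), []), dest, client)
    return {"split_tunnel": st_name is not None, "tunneled": tunneled, "nat_exempt": nat_exempt}


def has_return_route(routes, pool_net, pix_inside_ip):
    """Longest-prefix match: does the inside router send the VPN pool to the PIX?"""
    pool, pix = ipaddress.ip_network(pool_net), ipaddress.ip_address(pix_inside_ip)
    best = None
    for net, next_hop in routes:
        n = ipaddress.ip_network(net)
        if pool.subnet_of(n) and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, ipaddress.ip_address(next_hop))
    return best is not None and best[1] == pix


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_client_path(cfg, "vpn3000-all", "192.168.99.10", "192.168.20.5"))
    print("return route:", has_return_route(ROUTES_WITH_RETURN, "192.168.99.0/24", "192.168.0.1"))
```

In the quoted config the nonat ACL doubles as the split-tunnel list, so one added permit entry satisfies both conditions; where a separate ACL is used for split tunnel, both ACLs need the new network. Removing the split-tunnel line makes every destination tunneled, which is the tunnel-all case the answer says needs 7.x code for intra-interface traffic.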
access-list nonat permit ip 184.108.40.206 255.255.255.0 192.168.99.0 255.255.255.0
I also created a route pointing the 192.168.99.0 network to the outside interface of my pix. I still cannot reach anything. I do not think the outside interface is allowing the replies to the 192.168.99.0 network to pass.