01-31-2006 07:39 AM - edited 02-21-2020 02:13 PM
Dear ALL,
I've established a VPN link between a PIX 515 (6.3) and a VPN Client 4.6; the connection comes up without problem.
But now, how can I get access to the machines installed in the inside zone? (For example, using Remote Desktop.)
I tried with a VPN pool of public addresses (outside) and private addresses (inside), but I can't get access to those machines.
Please, what do I have to do to get access?
Regards, Alberto Brivio
01-31-2006 08:11 AM
hello alberto,
Is the client getting an IP address from the pool? If so, is the IP pool on a different subnet than the inside segment?
In this case, you need to do the following:
1) do a no nat for the traffic from inside to the IP pool.
nat (inside) 0 access-list nonat
access-list nonat permit ip host 192.168.1.1 10.1.1.0 255.255.255.0
where 192.168.1.1 is the server the end users access, and 10.1.1.0/24 is the IP pool
2) if you have an access-list on the inside, allow access between the LAN and the IP pool.
Try these and let us know.
Raj
01-31-2006 09:43 AM
Dear Raj,
I added acl that allow access between the LAN and the IP pool.
Then, from an inside machine I can access the outside machine (the client), but the client can't access any machine (server) in the inside zone.
It seems to be missing the right route; after some pings, an outside hop responds saying the host is not reachable (pinging VPN pool host 10.0.0.0 255.255.255.0).
Alberto
01-31-2006 10:16 AM
Hi Alberto,
It may be useful for you to post the following (taken from your configuration):
any ACLs
any nat statements
any routes
vpn pool
Also, does the machine on the inside zone have a desktop firewall or XP Service Pack 2 installed?
Regards,
Nicôle
02-01-2006 01:13 AM
Dear Nicôle,
I spent yesterday night finding possible mistakes, and I found it !
There was an incongruous netmask between the local pool, the ACL preventing IPsec packets from being NATted, and the ACL permitting inside outbound traffic.
Now it's up and running.
Thanks all of you for support.
Alberto
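Raj's NAT-exemption fix and Alberto's root cause (a netmask that did not line up between the local pool and the two ACLs) come down to one check: every address the pool can hand out must be covered by the nonat ACL destination and by the inside ACL. The script below is an added example, not from this thread; it parses a constructed PIX 6.3 fragment with a deliberately narrow nonat mask and lists the pool addresses each ACL leaves out (the ACL names and addresses are assumptions).

```python
import ipaddress
import re

# Constructed PIX 6.3 config fragment (not the poster's configuration): the
# pool is a full /24 but the nonat ACL only exempts a /25 of it from NAT.
SAMPLE_CONFIG = """\
ip local pool vpnpool 10.1.1.1-10.1.1.254
nat (inside) 0 access-list nonat
access-list nonat permit ip host 192.168.1.1 10.1.1.0 255.255.255.128
access-list inside_in permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
"""

def _net(tokens):
    """Consume one PIX address spec ('host A', 'any' or 'A MASK') from tokens."""
    tok = tokens.pop(0)
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")

def pool_addresses(config):
    """Every address in the 'ip local pool' range (PIX 6.3 start-end syntax)."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M)
    first, last = (int(ipaddress.ip_address(a)) for a in m.groups())
    return [ipaddress.ip_address(i) for i in range(first, last + 1)]

def acl_entries(config, name):
    """(source, destination) networks of each 'permit ip' line in the ACL."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:4] == ["access-list", name, "permit", "ip"]:
            rest = tokens[4:]
            entries.append((_net(rest), _net(rest)))
    return entries

def nonat_acl_name(config):
    """Name of the ACL bound by 'nat (inside) 0 access-list ...', if any."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    return m.group(1) if m else None

def uncovered_pool_addresses(config, acl_name):
    """Pool addresses that no entry of acl_name matches as a destination."""
    entries = acl_entries(config, acl_name)
    return [a for a in pool_addresses(config)
            if not any(a in dst for _, dst in entries)]

if __name__ == "__main__":
    for acl in (nonat_acl_name(SAMPLE_CONFIG), "inside_in"):
        print(acl, len(uncovered_pool_addresses(SAMPLE_CONFIG, acl)), "pool addresses not covered")
```

On the sample, the nonat ACL leaves 10.1.1.128 through 10.1.1.254 NATted while the inside ACL covers the whole pool, which is exactly the half-working symptom described in the thread.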