Cisco Support Community

New Member

easy vpn mode configuration

I'm trying to understand...

I have remote VPN clients connecting to a PIX 515E (on the outside), setting up an IPsec tunnel (to reach networks on the inside). These will be my first VPNs.

I've seen in many configuration examples that it's possible to declare an IP pool to assign VPN clients IP addresses that are not in the subnet of the PIX inside IP address (for example, the PIX inside address is 172.16.0.1 and I can create and reference in a VPN group a pool like 192.168.1.0-192.168.1.254).

My question is: how will these clients find their way towards all the networks behind the PIX without a default gateway? As far as I know, Mode Configuration can assign the VPN clients many parameters (DNS/WINS etc.) but can't assign a default gateway.

I have a couple of multilayer switches behind the PIX's inside interface, but how could they route packets for VPN clients if they don't have any default gateway configured?

Thank you in advance for your help.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: easy vpn mode configuration

The clients don't need a default gateway, they simply use the routing table on the PIX and any subsequent device they get routed through to reach their destination.

Think of what happens, using your IP addresses as an example. The VPN client sends an encrypted packet to the PIX. This packet has a source address of 192.168.1.1 because this is the address it was allocated out of the pool. The destination of this packet is, let's say, 172.16.10.1, a server inside the PIX. The source address is not looked at anywhere yet; it's only the destination IP that we're interested in at this point. So the PIX looks up its routing table to see where 172.16.10.1 sits and sends it out the inside interface to the next hop based on its routing table. The next hop looks up where 172.16.10.1 sits and sends it on to the next hop based on its routing table. This goes on until the packet arrives at 172.16.10.1.

Now the reply is sent back to 192.168.1.1 (the VPN client), and this is where the fun starts. This subnet doesn't exist anywhere on your network; it is purely a pool of addresses given out by the PIX. This packet has to be routed back to the PIX, so you need to add a static route in your network so that wherever this packet is, it will find its way back to the PIX. This is usually as simple as adding a static route on the router directly connected to the PIX, then redistributing that route into whatever routing protocol you're running. When this packet destined for 192.168.1.1 arrives back at the PIX, the PIX is smart enough to know that this is for a VPN client; it encrypts it and sends it on to the client's actual routable address, wherever that may be.

In short, yes, you can define any IP subnet as your pool of addresses on the PIX, provided your internal network has a route to that network that eventually points back to the PIX. Nothing else needs to be done; default gateways on the client itself don't come into it.
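The forwarding logic in the answer above, as an added example that is not part of the thread and not Cisco code: a small Python model of longest-prefix-match routing over a constructed topology (the PIX, a core multilayer switch, a separate Internet edge router and an ISP hop) using the thread's addresses. It traces the forward packet to 172.16.10.1, shows the reply to 192.168.1.1 being black-holed while the inside network has no route for the pool, and shows it reaching the PIX once the static route is added on the switch next to the PIX and redistributed to the other inside router. The device names, the edge router, the `trace` and `add_pool_route` helpers and all routing tables are assumptions of the example.

```python
import ipaddress
from typing import Optional

# Constructed topology following the thread's addressing; nothing here is Cisco code.
LOCAL = "local"          # directly connected: deliver here and stop forwarding


class Device:
    """A router or L3 switch holding a prefix -> next-hop table."""

    def __init__(self, name: str, routes: dict):
        self.name = name
        self.routes = {ipaddress.ip_network(p): nh for p, nh in routes.items()}

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match. Only the destination is consulted, never the source."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None


def trace(devices: dict, start: str, dst: str, max_hops: int = 8):
    """Forward a packet for dst hop by hop from `start`; return (path, outcome)."""
    path, cur = [start], start
    for _ in range(max_hops):
        nh = devices[cur].lookup(dst)
        if nh is None:
            return path, "dropped: no route"
        if nh == LOCAL:
            return path, "delivered"
        path.append(nh)
        cur = nh
    return path, "loop"


def build_network() -> dict:
    """Before the fix: the VPN pool 192.168.1.0/24 exists only as a route on the PIX."""
    return {
        "pix": Device("pix", {
            "192.168.1.0/24": LOCAL,   # pool: the PIX encrypts and sends down the tunnel
            "172.16.0.0/16": "core",   # inside networks are reached via the core switch
            "0.0.0.0/0": "isp",
        }),
        "core": Device("core", {
            "172.16.0.0/24": LOCAL,    # link subnet shared with the PIX inside (172.16.0.1)
            "172.16.10.0/24": LOCAL,   # server subnet (172.16.10.1 lives here)
            "0.0.0.0/0": "edge",       # Internet via a separate edge router (assumption)
        }),
        "edge": Device("edge", {"172.16.0.0/16": "core", "0.0.0.0/0": "isp"}),
        "isp": Device("isp", {}),      # no route for a private pool: black hole
    }


def add_pool_route(devices: dict, pool: str = "192.168.1.0/24",
                   on: str = "core", via: str = "pix", peers=("edge",)) -> None:
    """The accepted answer: a static route for the pool on the switch next to the PIX,
    then redistributed so the other inside routers point at that switch."""
    net = ipaddress.ip_network(pool)
    devices[on].routes[net] = via
    for name in peers:
        devices[name].routes[net] = on


def demo() -> dict:
    """Forward path, broken return path, then the return path after the static route."""
    devs = build_network()
    result = {"forward": trace(devs, "pix", "172.16.10.1"),
              "reply_before": trace(devs, "core", "192.168.1.1")}
    add_pool_route(devs)
    result["reply_after"] = trace(devs, "core", "192.168.1.1")
    result["reply_from_edge"] = trace(devs, "edge", "192.168.1.1")
    return result


if __name__ == "__main__":
    for name, (path, outcome) in demo().items():
        print(f"{name:16} {' -> '.join(path)}: {outcome}")
```

On a Cisco multilayer switch directly connected to the PIX, the route this models is `ip route 192.168.1.0 255.255.255.0 172.16.0.1` (the PIX inside address as next hop), followed by `redistribute static subnets` under the OSPF process so the rest of the inside network learns it. Note that any route toward the PIX satisfies the answer's condition: if the core's default route already points at the PIX inside interface the reply gets there without the specific static, but in the model above the default points at a separate edge router, which is exactly the case where the pool route is needed.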

3 REPLIES
Anonymous

Re: easy vpn mode configuration

Thank you very much! I was missing the point: I need no default gateway, just to add a static route to the multilayer switches pointing to the pool and then redistribute this static into OSPF.

Thank you for your help!

New Member

Re: easy vpn mode configuration

What if you have a PIX 515 back-to-back? Example.

ISP - Router - PIX1 - PIX2 - Internal Network

External VPN users terminate on PIX1; would I need to enter a static route on the router? Sorry, I just don't know how the external users can access the internal network.

JT
