I am currently trying to install a PIX 515R to do PAT from a private 10 network to the outside world, I also have one server that is used for mail and I have created a static NAT entry for this. This all seems to be working fine.
My problem arises when I try to set up a vpngroup so that I can connect to the private network remotely using VPN Client 3.5.1 on a Win2K machine. I can establish the tunnel to the PIX from my client, however I cannot seem to ping anything on the inside 10 network. I am at a bit of a loss as to what I am doing wrong.
What you are seeing is correct. The Internet Engineering Task Force (IETF) produced Request For Comments (RFC) 1597 back in 1996. This plan set aside several private network address spaces to help with the dwindling Class C address problem (all classes for that matter). Under the plan, anyone in the world can use 172.16.0.0 255.255.0.0, 172.17.0.0 255.255.0.0, 10.0.0.0 255.0.0.0, 192.168.0.0 255.255.0.0, as much as they want internal to their network. However they must run Network Address Translation (NAT) on the device facing the outside ISP. By translating the addresses, there won't be billions of duplicate IP addresses seen in the Internet. All internal addresses look like one external valid IP address once traffic passes from inside to outside. As part of the plan, all commercial ISPs, government agencies, research networks (like the National Science Foundation - the NSFnet) or otherwise bona fide Internet constituent network providers forcefully block routing of all source addresses mentioned above. They have to. The people at your company headquarters probably can ping out, if your company runs NAT or the right proxying service. But you'll never be able to ping these 10, 192.168, 172.16, 172.17 addresses unless you are internal to your network. The benefit is, now the whole world gets to use the address spaces freely INSIDE private companies, and only needs one or two real world IP addresses for their external router.
Yes, I am aware of the private addressing scheme; however, the private addresses should be sent down the VPN tunnel and not seen by the outside world, and certainly not routed, as the packets should be encapsulated, with the tunnel endpoints being the outside interface of the PIX, which is Internet addressable, and the VPN Client, which is also Internet addressable. My problem however is that it doesn't work how I want it to and I don't know why!
Sorry about me overlooking tunneled source addresses. Sounds like you are behind the eight ball. My personal advice is to call the TAC and get them to solve it. Your client pays for some tech support just by buying the product. There is no shame whatsoever in asking the gurus at Cisco for help - once you know how, put it in your notebook! I do it! Mark - How is Telindus to work for?
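The thread never reaches a fix, so here is an added example (not posted by any participant, and not a claim about this poster's actual configuration) of the PIX 6.x pieces that have to coexist for a VPN Client pool to reach the inside network when the box is also doing PAT. The symptom described above (tunnel comes up, nothing on the inside answers) is exactly what you get when the return traffic from the inside hosts to the VPN client addresses is PATed to the outside interface address instead of being handed to the crypto map: the `nat (inside) 1` / `global (outside) 1 interface` pair catches it first. The usual cure on PIX 6.x is a `nat (inside) 0 access-list` exemption covering inside-to-pool traffic, plus `sysopt connection permit-ipsec` so decrypted traffic is not dropped by the outside interface access list. All addresses, names, and the pre-shared key below are assumptions for illustration; the pool is deliberately a separate subnet from the inside LAN so that the exemption ACL is unambiguous.

```text
: Assumed topology (example only): inside LAN 10.1.1.0/24, VPN client pool 10.1.2.0/24,
: outside 203.0.113.2. Replace with your own addressing.
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

: Address pool handed to VPN Clients when they connect.
ip local pool vpnpool 10.1.2.1-10.1.2.50

: NAT exemption: inside hosts talking to the client pool must NOT be PATed,
: otherwise replies are rewritten to the outside address and never enter the tunnel.
: nat 0 with an access-list is evaluated before nat 1.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list nonat

: Normal PAT for everything else leaving the inside network.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

: Let decrypted IPsec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

: IPsec phase 2 and a dynamic crypto map for clients with unknown peer addresses.
crypto ipsec transform-set clientset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set clientset
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap interface outside

: ISAKMP phase 1 matching the VPN Client defaults (pre-shared key, group 2).
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: Group the VPN Client connects to; the group name and password are the
: "group authentication" name and password entered in the client.
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 10.1.1.10
vpngroup remoteusers default-domain example.test
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password ChangeMeNow
```

Two checks worth doing before calling the TAC: `show crypto ipsec sa` on the PIX should show the encrypt counter rising when the client pings and the decrypt counter rising when inside hosts answer; if only one direction increments, the NAT exemption is the first thing to look at. Also confirm the inside hosts have a route back to the pool subnet that points at the PIX inside interface (a default gateway elsewhere on the LAN will send the replies the wrong way). If the client itself sits behind another NAT device, PIX 6.3 needs `isakmp nat-traversal 20` as well.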