Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
190
Views
0
Helpful
1
Replies

Routed Internal network problem

bibo
Level 1
Level 1

‎03-05-2003 03:04 AM - edited ‎03-09-2019 02:22 AM

Hello all!

It should be fine if someone more experienced can help me:

I'm using Cisco VPN client 3.5.1 to connect to PIX515E, and it works fine if I want to

access network segment where Cisco PIX inside interface resides on (Network 10.1.1.0/24 for example).

But if I want to access some host in routed internal network, I can't get connectivity.

I tried to add route mannually on W2k Pro client, but Windows can't accept that route,

because it don't know anything about Cisco VPN established connection.

I tried to add route on Cisco PIX, but it don't working.

Shema of the sistem is:

VPN Client------------->PIX firewall--10.1.1.0/24net--->Internal router--->Some int. network --->HOST (193.x.x.x/24 net)

There is no any internal network routing problem because

HOST is visible from internal network segment (10.1.1.0/24 net).

How I can define route to allow VPN users to access to internal net over Internal router?

Where to define route: on VPN client or on PIX, or both of them?

Does some newer version of Cisco VPN client support that?

Thanks a lot!

Branko.

Labels:
0 Helpful
1 Reply 1

Not applicable

‎03-11-2003 08:11 AM

If you have set your VPN users up to grab an ip address that is not on the same subnet as the inside

of the concentrator than regular routing would need to take place. Basically at some point of

default contact on the network a device that all traffic goes through would need to know that when

traffic is destined for the VPN pool it needs to be sent to the concentrators inside interface. If

the default gateway on the network is a PIX firewall (or another Firewall device) than this would

not work due to the fact that most firewalls cannot route hence returning a packet out the same

interface it came in would be a security breach and not allowed. If that's the case you would need

to point everyones default gateway at an internal router and have it's default gateway being the

firewall device, and have it also have a route pointing back to the concentrator for the VPN pool.

If the default gateway for the machines on the local network happens to be a router, then simply put

a route in there pointing all traffic destined for the VPN network to the concentrators inside

interface.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents