Cisco Support Community

New Member

VPN Client 3.5.X to PIX 506/access to different network behind router

I have created a tunnel between a VPN client and a PIX with no problem, but there is another network segment behind the PIX which is connected via a 2600 router. How can I have the client access this segment?

I tried the following commands:

route inside 192.168.1.0 255.255.255.0 172.16.4.19

access-list nonat permit ip 172.16.4.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nonat

I just want to make sure: should the PIX be able to handle this simple routing function or not?

Any suggestion would be appreciated.

5 REPLIES
Cisco Employee

Re: VPN Client 3.5.X to PIX 506/access to different network behind router

What is the IP address of the second segment which is connected to the 2600 router? You will need the nonat ACL to include that network segment explicitly as well. Otherwise it won't work.

New Member

Re: VPN Client 3.5.X to PIX 506/access to different network behind router

Thanks for your reply, that's what I did. 192.168.1.0 is the network segment which is behind the router, and the VPN client is actually using 172.16.4.0 addresses, the same as the PIX internal network.

So I have the following setup:

access-list nonat permit ip 172.16.4.0 255.255.255.0 172.16.4.0 255.255.255.0

access-list nonat permit ip 172.16.4.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nonat

route inside 192.168.1.0 255.255.255.0 172.16.4.19

172.16.4.19 is one of the ports on the 2600.

Any idea why this doesn't work?

Cisco Employee

Re: VPN Client 3.5.X to PIX 506/access to different network behind router

OK, please provide info on whether split tunnel is enabled and, if so, what the ACL is.

Then we will need to look at:

1. show crypto ipsec sa output on the PIX

2. After the VPN client connects, double-click the client icon and, in the tab, look at the networks which have a yellow icon (which should be the networks with which the VPN client should exchange encrypted communications).

Once you are sure from the above two that the SAs are not the problem, then it's likely a routing issue. See if, from one of the 192.168.1.x network hosts, you can ping hop by hop up to the PIX. The PIX should proxy ARP for all the IP pool definitions that you have. Let us know how it goes.

New Member

Re: VPN Client 3.5.X to PIX 506/access to different network behind router

Hey Vijkrish,

Thanks, I got it. I believe the PIX was treating the second segment as outside of the tunnel; after I added the access-list which corresponds with the split tunnel, it started working! Thank you so much!!!

Since you are here, may I ask you one more question: what if the VPN client is behind a firewall/NAT? What is the requirement to create a tunnel with a PIX which is located outside? I know a lot of people have asked this before; besides static mapping on the firewall, are there any other options that I could use to get around this issue?

Thank you so much, I really appreciate it.
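The failure in this thread (the second segment was routed through the PIX but absent from the split-tunnel ACL, so the client treated it as outside the tunnel) can be caught before connecting by reading the config. The following checker is an added example, not code from the thread or from Cisco: it parses PIX 6.x style access-list, nat 0, route inside and vpngroup split-tunnel lines and reports every inside-routed network that the nonat ACL or the split-tunnel ACL does not cover. The config text is constructed to mirror the poster's setup; the inside interface address, the VPN pool, the vpngroup name "remote" and the ACL name "split" are assumptions. For the split-tunnel ACL it assumes the PIX 6.x convention that the protected inside network is the source operand, so a destination of "any" does not count as coverage.

```python
"""Static check for the failure mode in this thread: an inside segment that is
routed through the PIX but missing from the nonat ACL or the split-tunnel ACL.

Added example, not code from the thread or from Cisco. Command syntax follows
PIX 6.x; the interface address, VPN pool, vpngroup name and the ACL name
'split' are assumptions, and the config text is constructed.
"""
import ipaddress

# Constructed config mirroring the poster's setup: the split-tunnel ACL only
# names the PIX's own inside subnet, so the routed second segment is left out.
BROKEN_CONFIG = """\
ip address inside 172.16.4.1 255.255.255.0
ip local pool vpnpool 172.16.4.200-172.16.4.220
access-list nonat permit ip 172.16.4.0 255.255.255.0 172.16.4.0 255.255.255.0
access-list nonat permit ip 172.16.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list split permit ip 172.16.4.0 255.255.255.0 any
nat (inside) 0 access-list nonat
route inside 192.168.1.0 255.255.255.0 172.16.4.19 1
vpngroup remote address-pool vpnpool
vpngroup remote split-tunnel split
"""

# The fix the poster described: add the routed segment to the split-tunnel ACL.
FIXED_CONFIG = BROKEN_CONFIG + "access-list split permit ip 192.168.1.0 255.255.255.0 any\n"


def _operand(tokens, i):
    """Parse one ACL address operand (any | host A | NET MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect permit entries per ACL, the inside subnet, inside routes, and the
    ACL names referenced by 'nat (inside) 0' and 'vpngroup ... split-tunnel'."""
    cfg = {"acls": {}, "inside": None, "routes": [], "nonat": None, "split": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and len(t) > 5 and t[3] == "ip":
            if t[2] != "permit":
                continue  # deny entries grant no coverage
            src, i = _operand(t, 4)
            dst, _ = _operand(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:2] == ["route", "inside"]:
            cfg["routes"].append(ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False))
        elif t[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nonat"] = t[4]
        elif t[0] == "vpngroup" and "split-tunnel" in t:
            cfg["split"].append(t[t.index("split-tunnel") + 1])
    return cfg


def missing_coverage(text):
    """Return {acl_name: [networks]} for protected inside networks the ACL misses."""
    cfg = parse_config(text)
    protected = ([cfg["inside"]] if cfg["inside"] else []) + cfg["routes"]
    gaps = {}
    # nonat: either operand may name the inside segment (the thread's config
    # lists it as the destination). split-tunnel: PIX 6.x vpngroup ACLs name
    # the protected inside network as the source, so only that side counts.
    checks = [(cfg["nonat"], lambda n, s, d: n.subnet_of(s) or n.subnet_of(d))]
    checks += [(name, lambda n, s, d: n.subnet_of(s)) for name in cfg["split"]]
    for name, matches in checks:
        if name is None:
            continue
        entries = cfg["acls"].get(name, [])
        uncovered = [str(n) for n in protected
                     if not any(matches(n, s, d) for s, d in entries)]
        if uncovered:
            gaps[name] = uncovered
    return gaps


if __name__ == "__main__":
    print("broken:", missing_coverage(BROKEN_CONFIG))  # {'split': ['192.168.1.0/24']}
    print("fixed: ", missing_coverage(FIXED_CONFIG))   # {}
```

Run it against a saved "write terminal" capture and an empty result means every segment the PIX routes toward is both exempt from NAT and inside the split-tunnel list; a non-empty result names the ACL to fix, which is the same diagnosis the reply above reaches after checking "show crypto ipsec sa" and the client's yellow-icon network list.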

Cisco Employee

Re: VPN Client 3.5.X to PIX 506/access to different network behind router

Glad it helped. Currently there is no support for IPSec over TCP/UDP on the PIX. If the device behind which the client sits is an IOS device, some IOS releases have support for IPSec to be handled:

IP Security Through Network Address Translation Support

See URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/800/rn800xi.htm#xtocid17

For other devices, currently there are no options unless you create a static as you say.
