Cisco Support Community
Community Member

VPN Client routing issue

Network layout:

VPN 3030 in parallel with PIX 520 6.0(1)

3030 split into internal, public

PIX split into internal, dmz and public

3030 and PIX both connected on internal side to CAT 6506 with L3


If I connect to the 3030 using a VPN client (3.0) from the outside and I assign a pool-address from the same subnet as the internal network, the client has no issues connecting to the internal or DMZ leg of the PIX. If I assign a pool-address using some other private subnet, the client can browse the internal but not the DMZ.

I've added subnet route statements to the 6506 to forward the pool-address back to the 3030 and not out to the PIX (default gateway for the 6506) but it doesn't help with the DMZ access. Static translations across the DMZ don't work either.

Any suggestions?



Community Member

Re: VPN Client routing issue

Do you have NAT and route statements on the PIX for the private subnet?

Community Member

Re: VPN Client routing issue

Well - thought that might be the issue but I can't even ping the inside interface of the PIX through the 6506 when using different subnets (other than internal address range). I can ping other internal IP addresses just not the PIX. I do have routing statements in the 6506 to forward all replies back to the Concentrator gateway.

I tried setting up static statements across the interfaces but it didn't seem to help.

