We are trying to set up a VPN solution for about 50 remote users to VPN into a PIX 515 with a VPN accelerator card. The only other function for this PIX is our web surfing traffic for about 100 users.
The PIX checks a RADIUS server to authenticate users.
The issue is, in testing, when we initiate a VPN connection into the PIX, it hands out the proper IP address from the pool, a subnet mask of 255.0.0.0 (when it should be 255.255.255.0) and a default gateway of the IP address handed out.
Is this correct? We can't seem to pass traffic once we're in. Here's some of the config:
access-list 108 permit ip 10.28.0.0 255.255.0.0 10.28.0.0 255.255.0.0
Re: VPN Client to PIX - hands out wrong subnet mask?
Neither the VPN client nor the PIX hands out a subnet mask; this mask is determined by the Windows OS and is just given as a class A mask for a class A IP address, a class B mask for a class B IP address, etc.
In reality the subnet mask doesn't matter. When you send a packet from your VPN client, the SW encrypts it and sends it over the tunnel. The PIX decrypts it and puts the unencrypted packet onto your corporate network. At this point the source address is 10.28.1.15x, whatever you got from the pool. The packet is forwarded to its destination, replied to and sent back to the PIX (assuming your internal network has a route for the VPN pool of addresses that points back to the PIX). The PIX encrypts it and sends it onto your VPN client again. What subnet mask the VPN client determined for itself in the beginning doesn't make a difference, so don't worry about it.
The only time you need to be concerned with this subnet mask is if the VPN client is on a small private network of its own and this private network is a 10.x.x.x net; that will cause problems. If it's simply dialled into the Internet or cable/DSL, then it shouldn't make any difference.
The fact you can't pass traffic is related to something else. Does your internal network have a route to the pool of VPN addresses that points to the PIX? Are you going through a NAT/PAT device between the client and PIX? Try changing your VPN pool to something completely different, making sure to update your ACL 108 and add a route to this network on your corporate network that points to the PIX. Do you have a "sysopt connection permit-ipsec" command in the PIX?
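Putting the reply's checklist (separate pool, ACL 108 updated to match it, sysopt for decrypted traffic, return route on the corporate side) into one PIX 6.x-style configuration, as an added example that is not from either poster. Addresses, names, the RADIUS host and the pool 192.168.250.0/24 are constructed; the inside LAN is taken as 10.28.0.0/16 with the PIX inside address 10.28.1.1.

```text
! Added example, not the original poster's config. PIX 6.x syntax assumed.
! Pool chosen outside 10.28.0.0/16 so it cannot collide with the inside LAN
! or with a client's own 10.x.x.x home network (the case the reply warns about).
ip local pool vpnpool 192.168.250.1-192.168.250.254

! ACL 108 now matches inside LAN -> VPN pool; it drives both NAT exemption
! and split tunnelling, so it must name the new pool, not 10.28.0.0/16 twice.
access-list 108 permit ip 10.28.0.0 255.255.0.0 192.168.250.0 255.255.255.0
nat (inside) 0 access-list 108

! Let decrypted IPsec traffic bypass the interface access lists.
sysopt connection permit-ipsec

! RADIUS server used for xauth (host and key are placeholders).
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.28.1.10 RADIUS_SHARED_KEY timeout 5

! IKE phase 1 and the dynamic crypto map for software clients.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
! Only needed if clients sit behind a NAT/PAT device (PIX 6.3+).
isakmp nat-traversal 20
crypto ipsec transform-set remoteset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set remoteset
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap client authentication RADIUS
crypto map clientmap interface outside

! Client group: hand out the pool and split-tunnel only the corporate range.
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers split-tunnel 108
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password GROUP_PRESHARED_KEY

! On the corporate core router (IOS), the return route the reply asks about:
! traffic for the pool must come back to the PIX inside interface.
ip route 192.168.250.0 255.255.255.0 10.28.1.1
```

With the pool moved off the inside LAN, the overlapping 10.28.0.0/16-to-10.28.0.0/16 ACL entry from the question is replaced rather than kept alongside the new one.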