Cisco Support Community
Community Member

VPN Client to PIX - hands out wrong subnet mask?

We are trying to set up a VPN solution for about 50 remote users to VPN into a PIX 515 with a VPN accelerator card. The only other function for this PIX is our web surfing traffic for about 100 users.

The PIX checks a RADIUS server to authenticate users.

The issue is, in testing, when we initiate a VPN connection into the PIX, it hands out the proper IP address from the pool, a subnet mask of (when it should be and a default gateway of the IP address handed out.

Is this correct? We can't seem to pass traffic once we're in. Here's some of the config:

access-list 108 permit ip

nat (inside) 0 access-list 108

nat (inside) 1 0 0

static (inside,corp) netmask 0 0

ip local pool testpool

vpngroup commvpn address-pool testpool

vpngroup commvpn dns-server

vpngroup commvpn wins-server

vpngroup commvpn default-domain

vpngroup commvpn idle-time 1800

vpngroup commvpn password ********

Cisco Employee

Re: VPN Client to PIX - hands out wrong subnet mask?

Neither the VPN client nor the PIX hands out a subnet mask; this mask is determined by the Windows OS and is just given as a class A mask for a class A IP address, a class B mask for a class B IP address, etc.

In reality the subnet mask doesn't matter. When you send a packet from your VPN client, the SW encrypts it and sends it over the tunnel. The PIX decrypts it and puts the unencrypted packet onto your corporate network. At this point the source address is whatever you got from the pool. The packet is forwarded to its destination, replied to and sent back to the PIX (assuming your internal network has a route for the VPN pool of addresses that points back to the PIX). The PIX encrypts it and sends it on to your VPN client again. What subnet mask the VPN client determined for itself in the beginning doesn't make a difference, so don't worry about it.

The only time you need to be concerned with this subnet mask is if the VPN client is on a small private network of its own and this private network is a 10.x.x.x net; that will cause problems. If it's simply dialled into the Internet or cable/DSL, then it shouldn't make any difference.

The fact you can't pass traffic is related to something else. Does your internal network have a route to the pool of VPN addresses that points to the PIX? Are you going through a NAT/PAT device between the client and PIX? Try changing your VPN pool to something completely different, making sure to update your ACL 108 and add a route to this network on your corporate network that points to the PIX. Do you have a "sysopt connection permit-ipsec" command in the PIX?
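The two checks the reply above suggests can be scripted. The following is an added example, not code from the original thread or from Cisco: it reproduces the classful mask a legacy Windows stack assumes for a pool address (class A /8, class B /16, class C /24), flags the 10.x.x.x overlap case the reply warns about, and checks whether a constructed internal routing table actually sends the VPN pool back to the PIX inside address. The pool, PIX address and route entries are made-up sample values, not the poster's real ones.

```python
import ipaddress

# Constructed sample data (assumptions, not from the thread): a VPN pool, the
# PIX's inside interface, and a core router's routing table as (prefix, next hop).
SAMPLE_POOL = "192.168.200.0/24"
PIX_INSIDE_IP = "10.1.1.1"
CORE_ROUTES = [
    ("0.0.0.0/0", "10.1.1.254"),     # default route to the Internet edge, not the PIX
    ("10.0.0.0/8", "10.1.1.254"),    # corporate summary
]


def classful_mask(ip: str) -> ipaddress.IPv4Network:
    """Return the classful network a pre-CIDR Windows stack assumes for ip.

    First octet 0-127 -> class A (/8), 128-191 -> class B (/16),
    192-223 -> class C (/24). This is what the reply means by "class A mask
    for a class A IP address".
    """
    addr = ipaddress.IPv4Address(ip)
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{ip} is class D/E; no classful host mask applies")
    return ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False)


def classful_mask_conflicts(pool_ip: str, client_local_lan: str) -> bool:
    """True when the client's own LAN falls inside the classful network it will
    assume for its pool address (the 10.x.x.x case the reply calls out): local
    LAN hosts then look "on-link" to the client and bypass the tunnel route.
    """
    local = ipaddress.IPv4Network(client_local_lan)
    return local.subnet_of(classful_mask(pool_ip))


def pool_is_routed_to_pix(routes, pool: str, pix_inside_ip: str) -> bool:
    """Longest-prefix match the whole VPN pool against the routing table and
    report whether the winning route's next hop is the PIX inside address.
    A default route to somewhere else is the usual reason return traffic
    never comes back to the PIX.
    """
    pool_net = ipaddress.IPv4Network(pool)
    pix = ipaddress.IPv4Address(pix_inside_ip)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.IPv4Network(prefix)
        if pool_net.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ipaddress.IPv4Address(next_hop))
    return best is not None and best[1] == pix


def diagnose(pool: str, pix_inside_ip: str, routes, client_local_lan: str) -> list:
    """Collect the findings a practitioner would check before blaming the mask."""
    findings = []
    pool_ip = str(next(ipaddress.IPv4Network(pool).hosts()))
    findings.append(f"client will assume {classful_mask(pool_ip)} for {pool_ip}")
    if classful_mask_conflicts(pool_ip, client_local_lan):
        findings.append(f"client LAN {client_local_lan} overlaps that classful net: move the pool")
    if not pool_is_routed_to_pix(routes, pool, pix_inside_ip):
        findings.append(f"no internal route for {pool} via {pix_inside_ip}: return traffic is lost")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_POOL, PIX_INSIDE_IP, CORE_ROUTES, "10.0.0.0/24"):
        print(line)
    fixed = CORE_ROUTES + [(SAMPLE_POOL, PIX_INSIDE_IP)]
    print("after adding the route:", pool_is_routed_to_pix(fixed, SAMPLE_POOL, PIX_INSIDE_IP))
```

On the sample table the pool matches only the default route, whose next hop is not the PIX, so `pool_is_routed_to_pix` returns False until a specific route for the pool via the PIX inside address is added, which is exactly the fix the reply recommends.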
