VPN connection using different subnet?

1qaz2wsx1qaz
Level 1

Hi All,

I can set up a VPN connection using an IP pool of valid internal IP addresses (i.e. internal network 10.10.10.0, IP pool 10.10.10.30~50). Everything works fine, access to other PCs on this subnet etc.

However, if I try to set it using an IP pool of 10.10.11.1~254, I can connect through the VPN but am unable to see any other PCs, etc. on the local network.

Is there a rule I am missing somewhere?

Any help appreciated.

2 Replies

Patrick Laidlaw
Level 4

Well, a couple of things to check here. One: is your PIX the default gateway, or is there a route to the PIX for the 10.10.11.x network? Two: is there an access-list in place preventing the 10.10.11.0 network?

It would be helpful to see your configuration.

Patrick

Hi Patrick,

Here is the current config.

PIX Version 7.0(1)
names
!
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 192.168.10.253 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.253 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 131.131.131.253 255.255.255.0
!
enable password XCiL6fXTNO9qj5.B encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name wtm
ftp mode passive
clock timezone EST 10
access-list Outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip any 10.10.10.224 255.255.255.240
access-list Outside_cryptomap_dyn_20 extended permit ip any 10.10.10.224 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu DMZ 1500
mtu Outside 1500
ip local pool Dial-In 10.10.11.1-10.10.11.239 mask 255.255.255.0
monitor-interface inside
monitor-interface DMZ
monitor-interface Outside
asdm image flash:/asdm-501.bin
asdm location 10.10.10.224 255.255.255.240 inside
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 192.168.10.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy try internal
group-policy try attributes
 dns-server value 10.10.10.16 10.10.10.2
username testuser password 98ZeS29m9xvCI4tR encrypted privilege 0
username testuser attributes
 vpn-group-policy try
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp identity address
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group try type ipsec-ra
tunnel-group try general-attributes
 address-pool Dial-In
 default-group-policy try
tunnel-group try ipsec-attributes
 pre-shared-key welcome
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:40cb58ee8d1653e2f4929ffedcaaa126
: end
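Patrick's two checks (a return route for the pool, and an access-list that does not cover it) can be read straight off the posted config: the pool was moved to 10.10.11.1-239, but both `inside_nat0_outbound` (the NAT exemption applied by `nat (inside) 0`) and `Outside_cryptomap_dyn_20` (the dynamic crypto map's match ACL) still permit only the old 10.10.10.224/28 range. Without the exemption, inside-to-client traffic falls through to `nat (inside) 10` and is PATed to the Outside interface address instead of going back into the tunnel. The script below is an added example, not code from this thread or from Cisco: it parses a constructed excerpt of the posted config (`SAMPLE_CONFIG`), reports every pool that the `nat 0` ACL or a crypto match ACL fails to cover, and prints the ACEs that would cover it. `INSIDE_NET` is taken from `interface Ethernet1` in the posted config and assumes that is the only LAN the clients need; the function names are for illustration.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 7.0 config posted above: only the lines this
# check reads. The pool is 10.10.11.x, but both ACLs still name the old
# 10.10.10.224/28 pool range.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip any 10.10.10.224 255.255.255.240
access-list Outside_cryptomap_dyn_20 extended permit ip any 10.10.10.224 255.255.255.240
ip local pool Dial-In 10.10.11.1-10.10.11.239 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
tunnel-group try general-attributes
 address-pool Dial-In
"""

# Inside LAN from 'interface Ethernet1' in the posted config (assumption: the
# only network the VPN clients need to reach).
INSIDE_NET = ipaddress.ip_network("10.10.10.0/24")

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")


def _parse_addr(tok, i):
    """Consume one PIX address spec (any | host A | A MASK) at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # PIX writes dotted subnet masks; ipaddress accepts "addr/dotted-mask"
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pull out local pools, permit-ip ACEs, the nat 0 ACL and crypto match ACLs."""
    pools, acls, nat0_acl, crypto_acls = {}, {}, None, []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if raw.startswith("ip local pool "):
            m = POOL_RE.match(raw)
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)), m.group(4))
        elif tok[0] == "access-list" and "permit" in tok:
            i = tok.index("permit") + 1
            if tok[i] != "ip":      # icmp/tcp ACEs do not drive NAT exemption or crypto match
                continue
            src, i = _parse_addr(tok, i + 1)
            dst, _ = _parse_addr(tok, i)
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "nat" and len(tok) >= 5 and tok[2] == "0" and tok[3] == "access-list":
            nat0_acl = tok[4]
        elif tok[:2] == ["crypto", "dynamic-map"] and "match" in tok and "address" in tok:
            crypto_acls.append(tok[tok.index("address") + 1])
    return pools, acls, nat0_acl, crypto_acls


def pool_covered(first, last, entries):
    """True if every address of the pool is a destination some ACE permits."""
    return all(any(net.subnet_of(dst) for _, dst in entries)
               for net in ipaddress.summarize_address_range(first, last))


def check(text):
    """Return one finding per pool/ACL pair where the ACL does not cover the pool."""
    pools, acls, nat0_acl, crypto_acls = parse_config(text)
    findings = []
    for name, (first, last, _mask) in pools.items():
        if nat0_acl is None or not pool_covered(first, last, acls.get(nat0_acl, [])):
            findings.append(f"pool {name}: not exempted from NAT by {nat0_acl!r}")
        for cacl in crypto_acls:
            if not pool_covered(first, last, acls.get(cacl, [])):
                findings.append(f"pool {name}: not matched by crypto ACL {cacl!r}")
    return findings


def suggest_fix(text):
    """PIX lines that extend the nat 0 and crypto ACLs to each uncovered pool."""
    pools, acls, nat0_acl, crypto_acls = parse_config(text)
    lines = []
    for first, last, mask in pools.values():
        net = ipaddress.ip_network(f"{first}/{mask}", strict=False)   # the pool's own mask
        if nat0_acl and not pool_covered(first, last, acls.get(nat0_acl, [])):
            lines.append(f"access-list {nat0_acl} extended permit ip "
                         f"{INSIDE_NET.network_address} {INSIDE_NET.netmask} "
                         f"{net.network_address} {net.netmask}")
        for cacl in crypto_acls:
            if not pool_covered(first, last, acls.get(cacl, [])):
                lines.append(f"access-list {cacl} extended permit ip any "
                             f"{net.network_address} {net.netmask}")
    return lines


# Re-run the check with the suggested ACEs appended to show it comes back clean.
FIXED_CONFIG = SAMPLE_CONFIG + "\n".join(suggest_fix(SAMPLE_CONFIG)) + "\n"

if __name__ == "__main__":
    for f in check(SAMPLE_CONFIG):
        print("FINDING:", f)
    print("\n".join(suggest_fix(SAMPLE_CONFIG)))
    print("after fix:", check(FIXED_CONFIG) or "pool covered")
```

The script only sees the PIX side. Patrick's first point is not visible in this config at all: if the inside hosts' default gateway is something other than 10.10.10.253, that router (or each host) also needs a route for 10.10.11.0/24 pointing at the PIX inside address, or replies to the clients never reach the firewall. On the PIX itself, `show access-list` shows whether the new ACEs are being hit and `show xlate` will reveal any client traffic still being translated.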