Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN Pix-to-client and how to reach systems on other interfaces

Dear ALL,

I've implemented a VPN Pix-to-Client and it seems to running ok.

As you can see, client will get the same inside class address (192.168.100.x) so I can reach systems from everywhere.

My questions are:

1 if I assign addresses' pool different subnet, how can I still reach inside systems ?

2 if I have other systems on these interfaces such dmz1 (192.168.10.0) dmz2 (192.168.20.0) how can I reach those systems from the

same client vpn access?

Regards

Alberto Brivio

ip local pool vpnpool1 192.168.100.70-192.168.100.80

access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.100.0 255.255.255.0

nat (inside) 0 access-list 102

sysopt connection permit-ipsec

crypto ipsec transform-set trmset1 esp-des esp-md5-hmac

crypto dynamic-map map2 10 set transform-set trmset1

crypto map map1 10 ipsec-isakmp dynamic map2

crypto map map1 interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup test address-pool vpnpool1

vpngroup test split-tunnel 102

vpngroup test idle-time 1800

vpngroup test password ********

1 ACCEPTED SOLUTION

Accepted Solutions

Re: VPN Pix-to-client and how to reach systems on other interfac

Usually it is better to use another IP Address Range. The PIX will know that the VPN Client is using that range and route it correctly whitch is not the case when you are using the same IP Range as the inside interface.

To access another interface use the NONAT (your ACL 102) access-list that disables NAT between the VPN Network and the the neworks that you want to connect.

Config Example:

access-list NONAT permit ip Internalnet ISubnetMask VPN-Pool 255.255.255.0

access-list NONAT permit ip DMZnet DMZSubnetMask VPN-Pool 255.255.255.0

nat (inside) 0 NONAT

aaa-server LOCAL protocol local

aaa authentication secure-http-client

sysopt connection permit-ipsec

crypto ipsec transform-set TRANS esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set TRANS

crypto map REMOTE 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map REMOTE client authentication LOCAL

crypto map REMOTE interface outside

isakmp enable outside

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

ip local pool VPNPool x.y.z.1-x.y.z.254

vpngroup VPNGroup address-pool VPNPool

vpngroup VPNGroup dns-server dns2 dns1

vpngroup VPNGroup default-domain localdomain

vpngroup VPNGroup idle-time 1800

vpngroup VPNGroup password grouppassword

username vpnclient password vpnclient-password

sincerely

Patrick

1 REPLY

Re: VPN Pix-to-client and how to reach systems on other interfac

Usually it is better to use another IP Address Range. The PIX will know that the VPN Client is using that range and route it correctly whitch is not the case when you are using the same IP Range as the inside interface.

To access another interface use the NONAT (your ACL 102) access-list that disables NAT between the VPN Network and the the neworks that you want to connect.

Config Example:

access-list NONAT permit ip Internalnet ISubnetMask VPN-Pool 255.255.255.0

access-list NONAT permit ip DMZnet DMZSubnetMask VPN-Pool 255.255.255.0

nat (inside) 0 NONAT

aaa-server LOCAL protocol local

aaa authentication secure-http-client

sysopt connection permit-ipsec

crypto ipsec transform-set TRANS esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set TRANS

crypto map REMOTE 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map REMOTE client authentication LOCAL

crypto map REMOTE interface outside

isakmp enable outside

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

ip local pool VPNPool x.y.z.1-x.y.z.254

vpngroup VPNGroup address-pool VPNPool

vpngroup VPNGroup dns-server dns2 dns1

vpngroup VPNGroup default-domain localdomain

vpngroup VPNGroup idle-time 1800

vpngroup VPNGroup password grouppassword

username vpnclient password vpnclient-password

sincerely

Patrick

89
Views
0
Helpful
1
Replies