In a VPN Client to PIX configuration, the Client IP range overlaps internal LAN IP range

Core issue

The VPN tunnel is established. The show crypto ipsec sa command displays decrypts, but not encrypts.

The IP address local pool is configured as part of the internal or Demilitarized Zone (DMZ) subnet. This does not work because the PIX sees the destination address as belonging to the internal or DMZ network and never receives the return traffic, as shown:

ip address inside 10.1.1.1 255.255.255.0

ip local pool vpnclient 10.1.1.200-10.1.1.254

This example does not function properly because the VPN Client pool overlaps the internal IP address range. The results are unpredictable. The Client may disconnect randomly. Even if you do not use any of the addresses from .200 to .254, the configuration does not work. The PIX sees this entire subnet as being located on the inside network, and it does not do Proxy Address Resolution Protocol (ARP) for these addresses.

Resolution

To resolve this issue, re-address the VPN Client pool with a range that does not overlap any IP address range currently used in your network.
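Checking for this overlap before the change goes onto the firewall is straightforward. The following Python script is an added example (not part of this article and not a Cisco tool): it parses the two PIX command forms shown above, `ip address <if> <ip> <mask>` and `ip local pool <name> <start>-<end>`, and reports every local pool whose range overlaps an interface subnet. The sample configuration is constructed: the inside interface and the `vpnclient` pool are the article's own, while the `dmz` interface and the `vpnclient_fixed` pool are hypothetical and added to show the DMZ case and a corrected, non-overlapping pool.

```python
import ipaddress
import re

# Constructed sample PIX configuration. The inside interface and the
# "vpnclient" pool are the article's example; the "dmz" interface and the
# "vpnclient_fixed" pool are hypothetical additions for illustration.
SAMPLE_CONFIG = """
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.5.1 255.255.255.0
ip local pool vpnclient 10.1.1.200-10.1.1.254
ip local pool vpnclient_fixed 10.99.0.1-10.99.0.254
"""

IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")


def parse_config(text):
    """Extract interface subnets and local pools from PIX-style config text.

    Returns (interfaces, pools): interfaces maps name -> IPv4Network of the
    connected subnet; pools maps name -> list of CIDR networks that together
    cover the start-end range exactly.
    """
    interfaces = {}
    pools = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            name, ip, mask = m.groups()
            # ip_interface accepts a dotted-decimal mask for IPv4
            interfaces[name] = ipaddress.ip_interface(f"{ip}/{mask}").network
            continue
        m = POOL_RE.match(line)
        if m:
            name, start, end = m.groups()
            first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
            if last < first:
                raise ValueError(f"pool {name}: end {end} precedes start {start}")
            pools[name] = list(ipaddress.summarize_address_range(first, last))
    return interfaces, pools


def find_overlaps(interfaces, pools):
    """Return {pool_name: [interface names whose subnet overlaps that pool]}.

    A pool is safe only if its list is empty; any hit means the PIX will treat
    those client addresses as local to that interface, as the article explains.
    """
    report = {}
    for pname, ranges in pools.items():
        hits = [iname for iname, net in interfaces.items()
                if any(r.overlaps(net) for r in ranges)]
        report[pname] = hits
    return report


if __name__ == "__main__":
    ifaces, pls = parse_config(SAMPLE_CONFIG)
    for pool, hits in find_overlaps(ifaces, pls).items():
        status = "OVERLAPS " + ", ".join(hits) if hits else "ok"
        print(f"{pool}: {status}")
```

Run against a saved `show running-config`, the script flags `vpnclient` as overlapping `inside` and reports `vpnclient_fixed` as clean. The same check applies to any range currently routed or directly connected on the firewall, so extend the interface list with static routes if those networks also need to be excluded.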

For a sample PIX to VPN Client configuration, refer to Configuring Cisco Secure PIX Firewall 6.0 and Cisco VPN 3000 Clients Using IPSec.

Version history: revision 1 of 1, last updated 06-22-2009 04:37 PM