In a VPN Client to PIX configuration, the Client IP range overlaps internal LAN IP range
The VPN tunnel is established. The show crypto ipsec sa command displays decrypts, but not encrypts.
The IP address local pool is configured as part of the internal or Demilitarized Zone (DMZ) subnet. This does not work because the PIX sees the destination address as belonging to the internal or DMZ network and never receives the return traffic, as shown:
ip address inside 10.1.1.1 255.255.255.0
ip local pool vpnclient 10.1.1.200-10.1.1.254
This example does not function properly because the VPN Client pool overlaps the internal IP address range. The results are unpredictable. The Client may disconnect randomly. Even if you do not use any of the addresses from .200 to .254, the configuration does not work. The PIX sees this entire subnet as being located on the inside network, and it does not do Proxy Address Resolution Protocol (ARP) for these addresses.
To resolve this issue, re-address the VPN Client pool with a range that does not overlap any IP address range currently used in your network.
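A configuration audit that catches this mistake before the pool is deployed, added here as an example and not taken from the original page or from Cisco: it parses the `ip address` and `ip local pool` lines of a PIX configuration and reports any pool whose range falls inside a directly connected subnet. The configuration text, the `dmz` interface and the `vpnclient_ok` pool are constructed for the example.

```python
import ipaddress
import re

# Constructed sample PIX configuration: the overlapping pool from the page,
# an assumed DMZ interface, and a corrected pool on an unused range.
SAMPLE_CONFIG = """
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.50.1 255.255.255.0
ip local pool vpnclient 10.1.1.200-10.1.1.254
ip local pool vpnclient_ok 172.16.99.1-172.16.99.50
"""

IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")


def parse_config(text):
    """Return ({ifname: IPv4Network}, {poolname: (first, last)}) from PIX config text."""
    nets, pools = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = IFACE_RE.match(line)
        if m:
            name, addr, mask = m.groups()
            # ipaddress accepts a dotted netmask after the slash
            nets[name] = ipaddress.IPv4Interface(f"{addr}/{mask}").network
            continue
        m = POOL_RE.match(line)
        if m:
            name, first, last = m.groups()
            pools[name] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return nets, pools


def find_overlaps(nets, pools):
    """List (pool, interface) pairs where the pool range intersects a connected subnet."""
    hits = []
    for pname, (first, last) in pools.items():
        for iname, net in nets.items():
            # Two contiguous ranges intersect when neither ends before the other starts.
            if first <= net.broadcast_address and last >= net.network_address:
                hits.append((pname, iname))
    return hits


if __name__ == "__main__":
    for pool, iface in find_overlaps(*parse_config(SAMPLE_CONFIG)):
        print(f"pool {pool} overlaps the subnet on interface {iface}")
```

Any pool the audit reports must be moved to a range that no interface subnet covers; a pool with no hits is the corrected form the page recommends.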