Cisco Support Community
New Member

Easy question! VPN between PIX and cisco vpn client

Hi!

Easy question, I'm sure!

I have a PIX firewall in front of a small network of 10.0.0.X IPs.

I have set up the PIX so that people connecting via the VPN client are assigned 172.16.1.X addresses.

I can connect and all seems well, except that I cannot ping or connect to any 10.0.0.X machines inside the network, because I am allocated a 172.16.1.X address.

2 questions:

1) Why can I not just assign my remote clients an address on the same subnet as my internal network? 10.0.0.200-210 or something?

2) I understand WHY this doesn't work - I would normally need a box with 2 interfaces, one on each subnet, to act as the gateway - but how does this work on the VPN with the PIX? Is the PIX the "virtual gateway"?

Thanks for any help!

2 REPLIES
Bronze

Re: Easy question! VPN between PIX and cisco vpn client

This is how it should be configured. I think you must have missed an access list that allows the resource access to these IP addresses. Use the example given below to write your own ACL:

access-list 108 permit ip 10.31.1.0 255.255.255.0 172.16.1.0 255.255.255.0

New Member

Re: Easy question! VPN between PIX and cisco vpn client

1) You can assign addresses from a local network. Just mind that the PIX doesn't send the netmask to the clients; the clients assume the classful netmask of the address. In your case (LAN 10.0.0.X) the clients would assume a 255.0.0.0 netmask instead of 255.255.255.0.

So, if your LAN is compliant with classful addresses, you'll be fine with a pool from the same network. Otherwise you'll have problems, and it's better to assign a pool with classful addresses (like 192.168.1.X).

Don't forget that if your client is in a different network, you should tell the LAN machines the new route to that network. If your machines have a default gateway, it must know the route to that new network. If the PIX is the default gateway of your LAN and also the tunnel's endpoint, there will be no problem.

2) Well, kind of :) The way the PIX does this is by making the MAC address associated with the addresses in the VPN Client pool the same as its local interface MAC address. This way the PIX will be the "L2 default gateway" for all the pool addresses.

Hope this makes some sense :)
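The following PIX 6.x configuration is an added example, not something posted in this thread, showing how the two replies fit together: the access list from the first reply does double duty as the NAT exemption for LAN-to-pool traffic (`nat (inside) 0`) and as the split-tunnel list, and the client pool stays on 172.16.1.X as the second reply recommends. The names (vpnpool, nonat, vpngrp, mymap, myset, dynmap), the pool range, the 3DES/SHA transform set and the group password are all assumed values; substitute your own. Comment lines start with a colon, which is the PIX 6.x convention.

```cisco
: Inside LAN is 10.0.0.0/24 (from the question); VPN clients get 172.16.1.x (assumed range)
ip local pool vpnpool 172.16.1.1-172.16.1.50

: LAN <-> client pool traffic must bypass NAT, otherwise LAN replies to the
: clients are translated and never make it back into the tunnel
access-list nonat permit ip 10.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat

: Let decrypted IPsec traffic bypass the outside interface access list
sysopt connection permit-ipsec

: Phase 1 (ISAKMP) settings for the remote-access clients
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: Phase 2 (IPsec): dynamic crypto map because client addresses are not known in advance
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap interface outside

: Group the VPN Client connects with: pool, split-tunnel list, group secret (assumed value).
: Drop the split-tunnel line to force all client traffic through the tunnel.
vpngroup vpngrp address-pool vpnpool
vpngroup vpngrp split-tunnel nonat
vpngroup vpngrp idle-time 1800
vpngroup vpngrp password UseAStrongGroupSecret
```

Two practical notes. First, the group password alone should not be what admits a user: in a real deployment add per-user XAUTH (`crypto map mymap client authentication LOCAL` plus `username ... password ...` entries, or an AAA server) so that a leaked group secret is not enough to join the LAN. Second, as the second reply says, this only works without extra routes when the PIX is the LAN hosts' default gateway; if it is not, each LAN host (or the real gateway) needs a route for 172.16.1.0/24 pointing at the PIX inside address, and if you move the pool into 10.0.0.X instead, both the `nonat` list and the split-tunnel list must be changed to match the new pool range.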
