Easy question! VPN between PIX and cisco vpn client
Easy question, I'm sure!
I have a PIX firewall in front of a small network of 10.0.0.X IPs.
I have set up the PIX so that people connecting via the VPN client are assigned 172.16.1.X addresses.
I can connect and all seems well, except that once connected I cannot ping any 10.0.0.X machines inside the network, because I am allocated a 172.16.1.X address.
1) Why can I not just assign my remote clients an address on the same subnet as my internal network? 10.0.0.200-210 or something?
2) I understand WHY this doesn't work - I would normally need a box with 2 interfaces, one on each subnet, to act as the gateway - but how does this work on the VPN with the PIX? Is the PIX the "virtual gateway"?
Re: Easy question! VPN between PIX and cisco vpn client
1) You can assign addresses from a local network. Just mind that the PIX doesn't send the netmask to the clients; the clients assume the classful netmask of the address. In your case (LAN 10.0.0.X) the clients would assume a 255.0.0.0 netmask instead of 255.255.255.0.
So, if your LAN is compliant with classful addresses, you'll be fine with a pool from the same network. Otherwise you'll have problems, and it's better to assign a pool with classful addresses (like 192.168.1.X).
Don't forget that if your client is in a different network, you should tell the LAN machines the new route to that network. If your machines have a default gateway, it must know the route to that new network. If the PIX is the default gateway of your LAN and also the tunnel's endpoint, there will be no problem.
2) Well, kind of :) The way the PIX does this is by making the MAC address associated with the addresses in the VPN Client pool the same as its local interface MAC address. This way the PIX will be the "L2 default gateway" for all the pool addresses.
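The classful-netmask point in the reply above is easy to get wrong when picking a pool, so here is an added example (not part of the original thread, and not Cisco code) that works out what a VPN client would assume for a given pool address and compares it with the real LAN mask. The function names, the sample pool addresses and the 10.0.0.0/24 LAN are constructed for illustration; the classful rules (A: /8, B: /16, C: /24) are the standard ones the reply relies on.

```python
import ipaddress

# Classful prefix length a client falls back to when no netmask is pushed.
# Constructed helper; mirrors the classful rule the reply refers to.
def classful_prefix(addr: str) -> int:
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8    # class A -> 255.0.0.0
    if first_octet < 192:
        return 16   # class B -> 255.255.0.0
    if first_octet < 224:
        return 24   # class C -> 255.255.255.0
    raise ValueError(f"{addr} is not a unicast class A/B/C address")


# Describe how a client holding `pool_addr` would see `lan_network`.
# Returns the assumed mask, whether the LAN hosts appear on-link to the
# client (so the proxy-ARP/L2-gateway behaviour applies), whether the
# assumed mask actually matches the LAN mask, and whether the LAN side
# needs a route back to the pool (pool outside the LAN network).
def client_view(pool_addr: str, lan_network: str) -> dict:
    lan = ipaddress.ip_network(lan_network, strict=True)
    assumed = ipaddress.ip_network(
        f"{pool_addr}/{classful_prefix(pool_addr)}", strict=False
    )
    pool_in_lan = ipaddress.IPv4Address(pool_addr) in lan
    return {
        "assumed_netmask": str(assumed.netmask),
        "lan_on_link": lan.subnet_of(assumed),
        "mask_matches_lan": assumed.prefixlen == lan.prefixlen and pool_in_lan,
        "lan_needs_route_back": not pool_in_lan,
    }


if __name__ == "__main__":
    # Constructed sample pools against the 10.0.0.0/24 LAN from the question.
    for pool in ("10.0.0.200", "172.16.1.5", "192.168.1.10"):
        print(pool, client_view(pool, "10.0.0.0/24"))
```

Run with the 10.0.0.200 case and you see the mismatch the reply warns about: the client assumes 255.0.0.0 over a /24 LAN, so every 10.x.x.x address looks on-link to it even though only 10.0.0.0/24 is actually behind the PIX. A pool like 172.16.1.X avoids that, but then `lan_needs_route_back` is true and the LAN hosts (or their default gateway) must know the route to the pool.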