Can't access other subnets once connected

I have client VPN set up on PIX 8.03 with ASDM 6 and NAT-T is enabled.

This PIX is used for VPN only and all IPs are public except for the client, who is behind a home NAT device.

Once connected I can only access other machines that are in the same subnet as the VPN pool.

outside ip 1.0.1.5 gateway 1.0.1.1

inside ip 1.0.2.5 gateway 1.0.2.1

But the inside net's default gateway can't be on the PIX since only one is allowed.

It's kind of hard to explain the topology without drawing a picture, but both the inside and outside networks have their own default gateway, and the PIX is just a host in both networks.

So my guess is, once the client connects to the PIX via 1.0.1.5 and it issues an IP address of 1.0.2.100 to the client,

traffic to the same subnet is fine, but when it tries to go out it will fail.

any ideas?

Thanks

2 REPLIES

Re: Can't access other subnets once connected

"So my guess is, once the client connects to the PIX via 1.0.1.5 and it issues an IP address of 1.0.2.100 to the client, traffic to the same subnet is fine, but when it tries to go out it will fail."

When it tries to go out to where? Outbound internet? If so:

asa(config)#same-security-traffic permit intra-interface

PAT the VPN pool subnet for outbound internet:

nat (outside) 1 1.0.2.0

If you are referring to another network behind the ASA other than the inside interface, or outbound internet for the VPN pool, then create an ACL to allow the VPN pool subnet to whatever subnet behind the ASA you are trying to get the VPN pool network to, as long as the ASA does have a route to get to them; refer to this thread.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.2cc0645a/0#selected_message

HTH

Rgds

Jorge

Re: Can't access other subnets once connected

My first suggestion would be to not use the same subnet for your VPN clients as you use for your inside PIX network. Make the VPN client subnet 1.0.3.0 for example. Then put a route on your inside router for this new network towards the PIX.

ip route 1.0.3.0 255.255.255.0 1.0.2.5
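As an added illustration (not code from the thread or from Cisco), the following script models the return-path point made in the reply above: with longest-prefix-match lookup on the inside router, a pool address inside 1.0.2.0/24 is treated as directly connected and never forwarded back to the PIX at 1.0.2.5, whereas a separate 1.0.3.0/24 pool is reachable once the suggested static route is added. The route-table contents are constructed from the addresses given in the thread.

```python
import ipaddress

# Values taken from the thread: PIX inside interface 1.0.2.5 on 1.0.2.0/24.
PIX_INSIDE_IP = ipaddress.ip_address("1.0.2.5")
INSIDE_NET = ipaddress.ip_network("1.0.2.0/24")


def parse_ip_route(line):
    """Parse an IOS-style 'ip route <net> <mask> <next-hop>' line into a route entry."""
    parts = line.split()
    if len(parts) != 5 or parts[:2] != ["ip", "route"]:
        raise ValueError("expected: ip route <network> <mask> <next-hop>")
    net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=True)
    return (net, ipaddress.ip_address(parts[4]))


def lookup(route_table, dst):
    """Longest-prefix match over (network, next_hop) entries.
    next_hop None means directly connected; returns None when no route matches."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in route_table if dst in net]
    if not matches:
        return None
    net, nh = max(matches, key=lambda entry: entry[0].prefixlen)
    return "connected" if nh is None else str(nh)


def pool_overlaps_inside(pool, inside_net=INSIDE_NET):
    """True if the VPN address pool overlaps the PIX inside interface subnet,
    which is the situation the original poster describes (pool 1.0.2.x)."""
    return ipaddress.ip_network(pool).overlaps(inside_net)


# Constructed inside-router table: only its directly connected LAN is known.
INSIDE_ROUTER_BEFORE = [(INSIDE_NET, None)]

# Same table after the suggested "ip route 1.0.3.0 255.255.255.0 1.0.2.5".
INSIDE_ROUTER_AFTER = INSIDE_ROUTER_BEFORE + [
    parse_ip_route("ip route 1.0.3.0 255.255.255.0 1.0.2.5")
]

if __name__ == "__main__":
    # Pool inside the LAN subnet: return traffic is treated as local, never sent to the PIX.
    print("1.0.2.100 via", lookup(INSIDE_ROUTER_BEFORE, "1.0.2.100"))
    # Separate pool without a route: unreachable from the inside router.
    print("1.0.3.100 via", lookup(INSIDE_ROUTER_BEFORE, "1.0.3.100"))
    # Separate pool with the static route: forwarded to the PIX inside address.
    print("1.0.3.100 via", lookup(INSIDE_ROUTER_AFTER, "1.0.3.100"))
```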
