02-19-2004 08:21 AM
I can establish a connection to the PIX fine, but cannot get to the internal LAN. It appears the VPN pool addresses don't reach the DNS/WINS servers, as if there is a routing problem. Do I need to take one of those pool addresses and use it as a static route/default gateway on the router that sits between the PIX and the local LAN?
Thank you!
02-19-2004 09:29 AM
Hi,
If you have a router sitting between the inside of the PIX and your local LAN, yes, you will need a route routing the VPN pool subnet to the inside interface of the PIX.
Hope that helps.
02-19-2004 11:17 AM
Thanks for the reply, I'll try that.
02-19-2004 12:58 PM
Hey Mike,
That didn't work. I got an error msg about a "classless" IP address and the config failed. I can connect and authenticate to the PIX OK, but I don't get the Windows login screen for user ID, password and DOMAIN name. Only the PIX is talking back and forth to the client. It's like it can't find the DNS/WINS servers.
02-19-2004 03:36 PM
I had a problem like that today with a PPTP-based VPN.
I had
LAN ---> Router ----> PIX --->Internet <---PPTP Clients
If you have a router in between the PIX, make sure
that you are not NAT'ing the VPN traffic that is returning to the VPN clients
(i.e., web page access).
VPN Client src 10.1.38.6 port 1044 syn -->
InternalWWW dst 10.1.1.10 port 80
VPN Client establishes session to the PIX outside interface/tunnel endpoint
VPN Client request for a web page gets to the Web Server successfully, BUT the firewall tries to NAT the return traffic as soon as it hits the inside interface.
the return traffic ends up with:
InternalWWW src IP-OF-OUTSIDE-INTERFACE port 80 syn-ACK --> 10.1.38.6
(since the ACK bit is set, the PIX looks for an active NAT translation slot, of which there is none, so it won't work)
I fixed it like this:
ip local pool VPNUSERS 10.1.38.6-10.1.38.10
access-list 123 permit ip any host 10.1.38.6
access-list 123 permit ip any host 10.1.38.7
access-list 123 permit ip any host 10.1.38.8
access-list 123 permit ip any host 10.1.38.9
access-list 123 permit ip any host 10.1.38.10
nat (inside) 0 access-list 123
nat (inside) 1 0 0
global (outside) 1 interface
ip address inside 10.1.38.1 255.255.255.0
(the router is 10.1.38.2/24)
sysopt connection permit-pptp
I checked syslog and it was barking about no active NAT translation slots...
What was happening was traffic was coming into the VPN tunnel and going to the destinations, but the return traffic could not go back because there were no active NAT translation slots for the session (that were INITIATED by the internal clients). So I had to make sure that traffic returning to the VPN clients' requests was not getting NAT'd on the way back.
Hope this helps.
P.S. Object grouping may help; this was tedious.
Don Garnett
Network Support Specialist
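As an added example (not code from any post in this thread), a small Python check that reads a PIX 6.x style snippet like Don's, lists any pool addresses the nat 0 exemption ACL misses, and prints the shortest equivalent ACL lines for the pool. The sample config is constructed and deliberately leaves one pool address out of the ACL; it assumes the `nat (inside) 0 access-list <name>` form.

```python
import ipaddress

# Constructed sample modelled on the post above; 10.1.38.9 is intentionally
# missing from ACL 123 so the check has something to report.
SAMPLE_CONFIG = """\
ip local pool VPNUSERS 10.1.38.6-10.1.38.10
access-list 123 permit ip any host 10.1.38.6
access-list 123 permit ip any host 10.1.38.7
access-list 123 permit ip any host 10.1.38.8
access-list 123 permit ip any host 10.1.38.10
nat (inside) 0 access-list 123
nat (inside) 1 0 0
global (outside) 1 interface
"""

def parse_pool(config):
    """Expand the 'ip local pool NAME A-B' range into IPv4Address objects."""
    for t in (l.split() for l in config.splitlines()):
        if t[:3] == ["ip", "local", "pool"]:
            lo, hi = (int(ipaddress.IPv4Address(a)) for a in t[4].split("-"))
            return [ipaddress.IPv4Address(i) for i in range(lo, hi + 1)]
    raise ValueError("no 'ip local pool' line found")

def _prefix(tokens, i):
    """Parse one PIX address spec (any | host A | A MASK); PIX uses netmasks."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def exempt_destinations(config):
    """Destination prefixes of the ACL bound by 'nat (inside) 0 access-list'."""
    acl = next((l.split()[4] for l in config.splitlines()
                if l.startswith("nat (inside) 0 access-list ")), None)
    nets = []
    for t in (l.split() for l in config.splitlines()):
        if acl and t[:4] == ["access-list", acl, "permit", "ip"]:
            _, i = _prefix(t, 4)          # skip the source (internal hosts)
            nets.append(_prefix(t, i)[0]) # keep the destination (VPN client)
    return nets

def unexempted_pool_addresses(config):
    """Pool addresses whose return traffic would still be caught by nat 1."""
    nets = exempt_destinations(config)
    return [str(a) for a in parse_pool(config) if not any(a in n for n in nets)]

def summarized_acl(config, acl="123"):
    """Fewest ACL lines covering the whole pool, instead of one line per host."""
    pool = parse_pool(config)
    return [f"access-list {acl} permit ip any host {n.network_address}" if n.prefixlen == 32
            else f"access-list {acl} permit ip any {n.network_address} {n.netmask}"
            for n in ipaddress.summarize_address_range(pool[0], pool[-1])]

if __name__ == "__main__":
    print("not exempted:", unexempted_pool_addresses(SAMPLE_CONFIG))
    print("\n".join(summarized_acl(SAMPLE_CONFIG)))
```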
02-23-2004 04:58 AM
Thanks for the help, Don. I'll give this a try.
02-25-2004 05:09 AM
Mike and Don,
I added a static route in our router (Cisco 6509) for the VPN pool and it worked!
Thank you for your help!!