Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

IPSec VPN clients to PIX 7.x - addressing conflict

Client behind a PAT home router, with local address in

Servers in behind PIX firewall.

Client uses VPN client to connect to PIX firewall, is assigned IP from pool.

Client cannot access servers in subnet, but can other subnets behind PIX.

Split tunneling is setup.

Users don't have skill to change home network. Major outage to re-address the servers.

Is there any configuration change on the PIX to fix this?

Everyone's tags (3)

Re: IPSec VPN clients to PIX 7.x - addressing conflict


In this scenario seems that the better way would be to NAT the internal LAN where the servers reside on the PIX to a different network for the VPN clients.

The problem is that when the VPN clients try to access the local LAN through the tunnel, the traffic remain locally.

So, you can configure NAT on the PIX to translate the local LAN, and it this way the VPN clients will reach the subnet with a different addressing.


New Member

Re: IPSec VPN clients to PIX 7.x - addressing conflict

I tried a policy NAT, but it wouldn't fire. The VPN terminates on our only PIX firewall. The issue is that NAT is associated with an interface. The untunneled VPN traffic is not arriving on any of the interfaces available to the NAT command, it just "appears" on the PIX traffic stream.

So, we are probably going to use this issue to justify Citrix for our application.

We have been able to work with our consultants to change their home networks to not conflict with the servers.

Re: IPSec VPN clients to PIX 7.x - addressing conflict

Anyway, the VPN is also associated with an interface on the PIX.

In this way, is a matter of checking the Policy NAT configuration and that is correctly applied for the VPN traffic.

I've done this before and it works.


CreatePlease to create content