Roadwarrior and VPN access

piccololean
Level 1

Hi everybody! I need some help:

I have to realize a thing like this: http://supportotesi.altervista.org/ing.temporaneo.jpg

The conf is here:

http://supportotesi.altervista.org/lastconf.txt

The pix has its outside interface connected to the internal LAN of the uni and it's "natted" to a public IP...

I use Cisco VPN Client and I correctly connect to the VPN with IPSec support... the roadwarrior obtains a private IP in the pool 10.0.9.x and everything works fine with the net inside of the pix (the 10.0.0.x's): so ping, http, ftp, ssh and so on work perfectly.

My problems are:

1) Can the roadwarriors ping each other? I mean... suppose that two roadwarriors are connected to the VPN and their IPs are 10.0.9.2 and 10.0.9.3. The .2 doesn't ping .3 and vice versa. Is there a way to do that?

2) In this situation it's impossible to move the firewall because of the large size of the inside network of the uni: I can't connect it behind the router but only to one of the switches. So its outside interface must be 172.17.x.x. The question is... is there a way, using this scenario, to access 172.17.x.x via VPN instead of the 10.0.0.x??

Thanks for all!

3 Replies

jackko
Level 7

1. pix v6.x has a restriction which doesn't allow the pix to redirect/reroute traffic coming from one interface back to the same interface. e.g. 10.0.9.2 sends a packet to 10.0.9.3. the packet arrives at the outside interface of the pix, and for the pix to send this packet to 10.0.9.3 it would have to reroute the packet back out the outside interface. unfortunately pix v6.x doesn't work like this. one workaround is to upgrade your pix to v7.

2. since the pix is protecting 10.0.0.x, not 172.17.x.x, it's not feasible for the pix to provide vpn access to a network that is outside the pix. one workaround is to set up a terminal server at 10.0.0.x. when a roadwarrior connects to 10.0.0.x via vpn, he/she can establish a terminal session to the server (ip: 10.0.0.x), then from the server he/she will be able to access 172.17.x.x.
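
For readers who follow the upgrade suggestion in point 1: the 7.x feature that lifts the same-interface restriction is `same-security-traffic permit intra-interface`. The fragment below is an added illustration, not configuration from this thread or from the poster's `lastconf.txt`; the pool name `vpnpool` and the pool range are assumptions chosen to match the 10.0.9.x addresses mentioned above.

```cisco
! PIX 7.x fragment (added illustration, not from the thread).
! "vpnpool" and its range are assumptions matching the 10.0.9.x pool in the question.
ip local pool vpnpool 10.0.9.2-10.0.9.254 mask 255.255.255.0
!
! Allow traffic that enters the outside interface to leave through that same
! interface again. Without this, a packet from client 10.0.9.2 to client
! 10.0.9.3 arrives on outside and is dropped, which is the v6.x behaviour
! described in the reply above.
same-security-traffic permit intra-interface
!
! Let decrypted IPsec traffic bypass the outside interface access list.
sysopt connection permit-ipsec
```

Two things to check after applying this on an upgraded box: if the migrated configuration still has `nat-control` enabled, outside-to-outside traffic between the two clients also needs a matching NAT or NAT-exemption rule, and the VPN Client's own firewall may still block ICMP between peers even once the pix forwards it. Point 2 is unchanged by the upgrade: hairpinning only helps for networks the pix can route to, so 172.17.x.x on the far side of the outside interface still needs the terminal-server approach or a redesign.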

Really really really clear! Thank you very much!

you're welcome

would you please rate the post?

according to cisco:

Why should I rate posts?

If you see a post that you think deserves recognition, please take a moment to rate it.

You'll be helping yourself and others to quickly identify useful content -- as determined by members. And you'll be ensuring that people who generously share their expertise are properly acknowledged. As posts are rated, the value of those ratings is accumulated as "points" and summarized on the Member Profile page and on each member's Preferences page.