Cisco Support Community
Community Member

Roadwarrior and VPN access

Hi everybody! I need some help:

I have to realize a thing like this:

The conf is here:

The pix has its outside interface connected to the internal lan of the uni and it's "natted" to a public IP...

I use Cisco VPN Client and I correctly connect to the VPN with IPSec support... the roadwarrior obtains a private IP in the pool 10.0.9.x and everything works fine with the net inside of the pix (the 10.0.0.x's): so the ping, http, ftp, ssh and so on work perfectly.

My problems are:

1) Can every roadwarrior ping each other? I mean... we suppose that two roadwarriors are connected to the VPN and their IPs are: and The .2 doesn't ping .3 and vice versa. Is there a way to do that?

2) In this situation, it's impossible to move the firewall because of the big dimension of the inside network of the uni, I can't connect it behind the router but only in one of the switches. So its outside interface must be 172.17.x.x. The question is... is there a way, using this scenario, to access via VPN to 172.17.x.x instead of the 10.0.0.x??

Thanks for all!


Re: Roadwarrior and VPN access

1. pix v6.x has a restriction, which doesn't allow the pix to redirect/reroute the traffic coming from one interface back to the same interface. e.g. sends a packet to the packet arrives at the outside interface of the pix and for the pix to send this packet to, the pix will have to reroute the packet back to the outside interface. unfortunately pix v6.x doesn't work like this. one workaround is to upgrade your pix to v7

2. since the pix is protecting 10.0.0.x not 172.17.x.x, it's not feasible for the pix to provide vpn access to a network that is outside the pix. one workaround is to set up a terminal server at 10.0.0.x. when roadwarrior connects to 10.0.0.x via vpn, he/she can establish a terminal session to the server (ip: 10.0.0.x), then from the server he/she will be able to access 172.17.x.x.

Community Member

Re: Roadwarrior and VPN access

Really really really clear! Thank you very much!


Re: Roadwarrior and VPN access

you're welcome

would you please rate the post?

according to cisco:

Why should I rate posts?

If you see a post that you think deserves recognition, please take a moment to rate it.

You'll be helping yourself and others to quickly identify useful content -- as determined by members. And you'll be ensuring that people who generously share their expertise are properly acknowledged. As posts are rated, the value of those ratings are accumulated as "points" and summarized on the Member Profile page and on each member's Preferences page.
