The PIX has its outside interface connected to the internal LAN of the university, and it is "NATted" to a public IP...
I use the Cisco VPN Client and connect correctly to the VPN with IPsec... the road warrior obtains a private IP from the 10.0.9.x pool and everything works fine with the network inside the PIX (the 10.0.0.x addresses): ping, HTTP, FTP, SSH and so on all work perfectly.
My problems are:
1) Can the road warriors ping each other? I mean... suppose two road warriors are connected to the VPN and their IPs are 10.0.9.2 and 10.0.9.3. The .2 doesn't ping .3 and vice versa. Is there a way to do that?
2) In this situation it's impossible to move the firewall because of the large size of the university's inside network; I can't connect it behind the router, only to one of the switches. So its outside interface must be 172.17.x.x. The question is... is there a way, in this scenario, to access 172.17.x.x via VPN instead of 10.0.0.x??
1. PIX v6.x has a restriction which doesn't allow the PIX to redirect/reroute traffic coming in on one interface back out the same interface. E.g. 10.0.9.2 sends a packet to 10.0.9.3. The packet arrives at the outside interface of the PIX, and for the PIX to deliver this packet to 10.0.9.3 it would have to route the packet back out the outside interface. Unfortunately PIX v6.x doesn't work like this. One workaround is to upgrade your PIX to v7.
2. Since the PIX is protecting 10.0.0.x, not 172.17.x.x, it's not feasible for the PIX to provide VPN access to a network that is outside the PIX. One workaround is to set up a terminal server at 10.0.0.x. When a road warrior connects to 10.0.0.x via VPN, he/she can establish a terminal session to the server (IP: 10.0.0.x), and from the server he/she will be able to access 172.17.x.x.
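For completeness, the PIX/ASA 7.x configuration that lifts the same-interface restriction described in point 1, as an added example that is not part of the original reply. It assumes the interface is named `outside` and the client pool is 10.0.9.0/24 as in the question, that nat-control is enabled (so turned-around traffic still needs a NAT statement), and that the ACL names `client2client` and `split-tunnel` are hypothetical names chosen here.

```text
! PIX/ASA 7.x only: let traffic that enters "outside" leave via "outside"
! (client-to-client traffic, a.k.a. hairpinning). Added example, not from the thread.
same-security-traffic permit intra-interface

! With nat-control enabled, traffic that turns around on the outside
! interface still needs a NAT rule; exempt pool-to-pool traffic from
! translation. 10.0.9.0/24 is the pool named in the question.
! ACL name "client2client" is an assumed example name.
access-list client2client extended permit ip 10.0.9.0 255.255.255.0 10.0.9.0 255.255.255.0
nat (outside) 0 access-list client2client

! If split tunnelling is in use, the client must send pool-destined traffic
! into the tunnel, so the pool has to appear in the split-tunnel ACL
! alongside the inside network. ACL name "split-tunnel" is assumed.
access-list split-tunnel standard permit 10.0.0.0 255.255.255.0
access-list split-tunnel standard permit 10.0.9.0 255.255.255.0
```

Two checks before relying on this: `show version` confirms the running release, and the platform matters, since 7.x is only supported on the PIX 515/515E, 525 and 535; a PIX 501 or 506E cannot be upgraded and would have to be replaced. After the change, `show nat` and a ping between two connected clients verify that the hairpinned traffic is actually being translated and forwarded.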