Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1140
Views
0
Helpful
2
Replies

Easy question! VPN between PIX and cisco vpn client

leeann
Level 1
Level 1

‎06-03-2003 08:11 PM - edited ‎02-20-2020 10:46 PM

hi!

easy question i'm sure!

I have a pix firewall in front of a small network of 10.0.0.X ip's

i have set up pix so that people connecting via vpn client are assigned 172.16.1.X addresses

I can connect and all seems well, except that I cannot ping on connect to any 10.0.0.X machines inside the network, because I am allocated a 172.16.1.X address

2 questions:

1) why can i not just assign my remote clients address on the same subnet as my internal network? 10.0.0.200-210 or something?

2) i understand WHY this doesn't work - i would normally need a box with 2 interfaces, one on each subnet to act as the gateway - but how does this work on the vpn with the pix? is the pix the "virtual gateway"?

thanks for any help!

0 Helpful
2 Replies 2

hadbou
Level 5
Level 5

‎06-10-2003 07:00 AM

This is how it should be configured, I think you must have missed a access list taht allows the resource access to these IP address. Use the example given below to write your own ACL

access-list 108 permit ip 10.31.1.0 255.255.255.0 172.16.1.0 255.255.255.0

0 Helpful

lino
Level 1
Level 1

‎04-16-2004 06:38 AM

1) You can assign addresses from a local network. Just mind that the pix doesn't sends the netmask to the clients, the clients assume the classfull netmask of the address. In your case (LAN 10.0.0.X) the clients would assume a 255.0.0.0 netmask instead of a 255.255.255.0

So, if your LAN is compliant with classfull addresses, you'll be fine with a pool from the same network. Otherwise you'll have problems and it's better to assign a pool with classfull addresses (like 192.168.1.X).

Don't forget that if your client is in a different network, you should tell the LAN machines the new route to that network. If your machines have a default gateway, it must know the route to that new network. If the pix is the default gateway of your LAN and also the tunnels endpoint, there will be no problem.

2) Well, kind of :) The way the pix does this is by making the MAC address associated with the addresses on the VPN Client pool the same as his local interface MAC address. This way the pix will be the "L2 default gateway" to all the pool addresses.

Hope this makes some sense :)

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card