04-12-2005 02:22 PM - edited 02-21-2020 12:04 AM
Hello all.
I read through this forum, but I did not find a question that matches my problem, so I am starting a new thread.
I am the local LAN administrator for our office. Now the network provider has sold a Cisco PIX and a couple of CVPN client software packages to my boss, and I am asked to make it run. The intention is that some colleagues will be able to work from home as if they were in the office.
Now I have the following setup:
office LAN 192.168.1.0/24
office Firewall 192.168.1.1 (internal)
office Firewall 192.168.100.10 (DMZ)
office router (PIX) 192.168.100.1 (DMZ)
office router (PIX) 84.x.x.x (fixed IP)
I made it happen that VPN users can "dial" in from home via Internet, establish VPN connection and access all available services on the firewall via DMZ interface (http, ssh).
My problem now is that the users cannot access the office LAN behind the firewall. I already opened up the firewall completely (we still have the NET firewall in the PIX, so it should not be a big deal), but still no effect. It seems the PIX does not accept any incoming traffic to anything other than the DMZ LAN.
Do you have any hints on how to find the error?
04-12-2005 11:22 PM
Hello,
Could you post the pix configs (remember to remove sensitive info)? It would be hard to tell otherwise.
Anyway, there are a few things to look for; such as client pool subnet allocation, nat 0 statement and acl defining the translation for incoming traffic.
Regards,
Mustafa
04-13-2005 12:40 AM
OK, unfortunately I do not have access to the PIX as it was installed and configured by the network-provider.
Though I played around with my firewall settings and found out that routing and firewalling are correct for LAN->VPN, the way back is not working. My firewall does not even get any packets to be forwarded to the office LAN. So it seems they are filtered out by either the PIX or the local VPN client.
Furthermore I found out that I cannot change any routing/firewalling details on the client side, but only on the PIX side. So what do I have to add on the PIX side to allow VPN users not only to access the DMZ, but also the LAN?
04-13-2005 02:17 AM
One potential problem I can think of is the route back to the vpn client ip subnet. For example:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml
In this config, the vpn clients are assigned ip addresses on a different subnet; that is, clients are on 10.1.0.x while the pix inside is on 10.1.1.x subnet.
So you need to find out what subnet the clients are on, and setup the firewall accordingly. Also, on the pix, client traffic should be directed to the LAN (a route statement + crypto acl to match client to LAN traffic).
04-13-2005 09:31 AM
Solved !
Hi Mohammed, thanks for your hints. I had a similar idea and checked which packets are being routed and which are not. I examined the firewall and found out that my office LAN is being routed correctly to the PIX router, but I never saw a bit coming from the VPN clients which is addressed to the office LAN. This made me conscious that something in the PIX config should be wrong, and I told the network provider.
Well, we found out that he had just configured the absolute minimum to make it run. But he forgot to configure "split" so the VPN clients can continue accessing the internet while connected to the office, and he was not aware of my two office subnets which should be routed through the PIX.
Now it was quite easy to set up the rest, and I spent about 4 hours just making sure it was not my fault.
But I am not sad that it took me so long. I learned a lot about VPN by PIX and I will hopefully find future problems earlier.
greets & thanks,
Felix.
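A PIX 6.3-style configuration fragment, added here as an illustration and not taken from the thread or the provider's actual config, tying together what Mustafa, Mohammed and Felix describe: a client address pool, the nat 0 exemption, the route to the office LAN behind the internal firewall, and the split-tunnel list. The pool 192.168.200.0/24, the group name "office", the interface names and the crypto parameters are assumptions; the addresses of the LAN, DMZ and internal firewall are the ones Felix listed.

```cisco
! Assumed: PIX "inside" interface is 192.168.100.1 on the DMZ,
! "outside" is the fixed public address. Client pool is constructed.
ip local pool vpnpool 192.168.200.1-192.168.200.50

! Route for the office LAN, which sits behind the internal firewall
! (192.168.100.10). Without this the PIX has no path back to 192.168.1.0/24.
route inside 192.168.1.0 255.255.255.0 192.168.100.10 1

! NAT exemption: traffic from the two office subnets to VPN clients must not
! be translated, otherwise replies never match the tunnel.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list nonat

! Split tunnel: only these office networks are sent through the tunnel;
! everything else (general internet) leaves the client directly.
! Note for the defender: this means the home PC is reachable from the
! internet and the office at the same time, so client-side hardening matters.
access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list split_tunnel permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0

! Let decrypted IPsec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

! IPsec phase 2 and a dynamic crypto map for clients with unknown addresses.
crypto ipsec transform-set vpnset esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address respond
crypto map vpnmap interface outside

! IKE phase 1 policy (assumed values).
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! VPN client group: pool, split-tunnel list and pre-shared key (placeholder).
vpngroup office address-pool vpnpool
vpngroup office split-tunnel split_tunnel
vpngroup office idle-time 1800
vpngroup office password <PRE-SHARED-KEY-PLACEHOLDER>
```

Checking the PIX with `show route` and `show access-list nonat` (hit counts on the nonat entries) is a quick way to confirm that LAN-bound client traffic is actually being matched, which is exactly what was missing in Felix's case.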