Routing local addresspool for IPsec issue on PIX506E

pverstegen
Level 1

My internal networks are 192.168.2.0/24 and 192.168.4.0/24 and are behind a 2811 router. Between 2811 and PIX I use network 10.10.10.8/30. Now I want to use some 192.168.5.0 addresses for a remote access pool, defined on the PIX. When I connect with Cisco VPN client (192.168.5.1) the tunnel comes up but I'm not able to access my internal network. Does anyone know what's wrong?

5 Replies

JamesLuther
Level 3

Hi,

Maybe a bit obvious, but do you have a route for the 192.168.5.0/24 network on the 2811 router pointing towards the PIX or is this covered by a default route?

If you post your config of the PIX and 2811 then it may help.

regards

Hi James,

I think this is covered by the default route.

Please find attached my configs.

Best regards,

Peter

Hi,

Perhaps it is to do with NAT? Try adding the following on the PIX

isakmp nat-traversal

Is this a new client VPN setup or is it a change to an existing setup? Have you tried running some debug or packet capture on the PIX to see what is happening? Are the packets arriving at the PIX in the first place?

Regards
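
The two points raised in this thread, the 2811 needing a route for the 192.168.5.0/24 pool and the PIX needing isakmp nat-traversal, assembled into one configuration fragment. This is an added example, not the poster's attached configs and not Cisco documentation: the pool name, the interface names and the PIX's address on the 10.10.10.8/30 link are assumptions, and the nat 0 exemption for pool-to-inside traffic is a conventional addition that the thread itself does not mention.

```cisco
! Added example, not the thread's attached configs. Addresses come from the
! thread (192.168.2.0/24 and 192.168.4.0/24 inside, 10.10.10.8/30 transit link,
! 192.168.5.0/24 VPN pool). The pool name, interface names and the PIX address
! 10.10.10.9 on the transit link are assumptions.
!
! ----- 2811 router (IOS) -----
! James's first question: return traffic from inside hosts to a 192.168.5.x
! client must be routed to the PIX, either by this static route or by a
! default route that already points at the PIX.
ip route 192.168.5.0 255.255.255.0 10.10.10.9
!
! ----- PIX 506E, 6.3(5) -----
ip local pool vpnpool 192.168.5.1-192.168.5.254
!
! Exempt inside <-> pool traffic from address translation so the client
! reaches hosts by their real inside addresses (conventional, assumed here).
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Allow decrypted IPsec traffic to bypass the outside interface ACL.
sysopt connection permit-ipsec
!
! The command from the accepted answer: NAT traversal wraps ESP in UDP/4500
! so a client sitting behind a NAT device keeps a working tunnel
! (20 = NAT keepalive interval in seconds, the default).
isakmp enable outside
isakmp nat-traversal 20
```

If the client still cannot reach inside hosts after this, the thread's own suggestion applies: capture or debug on the PIX to confirm the decrypted packets arrive and that the replies from the 2811 come back over the transit link rather than following some other default route.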

Hi, seems that command did the trick. Thanks...

I'm now able to get into the network and reach all machines. The only challenge there is right now is to get my incoming ACS downloadable ACL working. Maybe you are experienced with this combination: PIX506E 6.3(5) - ACS 4.1(1) Build 23 Patch 5. This is my list:

permit ip host 192.168.4.200 any

deny ip any any

I'm still able to ping other machines in subnet 4 from source address 192.168.5.1

Do you have an idea?

Regards, Peter

Hi,

Thanks for the rating. Sorry I'm not sure about the downloadable ACL. However I did see this after a quick search

http://supportwiki.cisco.com/ViewWiki/index.php/Downloadable_ACLs_configured_on_the_Cisco_Secure_ACS_version_4.0_for_Windows_are_unable_to_restrict_access_for_Cisco_VPN_Clients_that_terminate_on_the_PIX_Firewall

You will probably get more responses if you post this as a new question (as this thread is marked solved).

Regards
