04-05-2009 10:47 PM - edited 03-11-2019 08:15 AM
My internal networks are 192.168.2.0/24 and 192.168.4.0/24 and are behind a 2811 router. Between the 2811 and the PIX I use network 10.10.10.8/30. Now I want to use some 192.168.5.0 addresses for a remote access pool, defined on the PIX. When I connect with the Cisco VPN client (192.168.5.1) the tunnel comes up but I'm not able to access my internal network. Does anyone know what's wrong?
04-06-2009 12:31 AM
Hi,
Maybe a bit obvious, but do you have a route for the 192.168.5.0/24 network on the 2811 router pointing towards the PIX or is this covered by a default route?
If you post your config of the PIX and 2811 then it may help.
regards
04-06-2009 01:16 AM
 
					
				
		
04-06-2009 02:14 AM
Hi,
Perhaps it is to do with NAT? Try adding the following on the PIX
isakmp nat-traversal
Is this a new client VPN setup or is it a change to an existing setup? Have you tried running some debug or packet capture on the PIX to see what is happening? Are the packets arriving at the PIX in the first place?
Regards
04-08-2009 10:44 AM
Hi, seems that command did the trick. Thanks...
I'm now able to get into the network and reach all machines. The only challenge there is right now is to get my incoming ACS downloadable ACL working. Maybe you are experienced with this combination: PIX605E 6.3(5) - ACS 4.1(1) Build 23 Patch 5. This is my list:
permit ip host 192.168.4.200 any
deny ip any any
I'm still able to ping other machines in subnet 4 from source address 192.168.5.1.
Do you have an idea?
Regards, Peter
 
					
				
		
04-08-2009 11:45 PM
Hi,
Thanks for the rating. Sorry I'm not sure about the downloadable ACL. However I did see this after a quick search
You will probably get more responses if you post this as a new question (as this thread is marked solved).
Regards
 
					
				
				
			
		