Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
671
Views
5
Helpful
4
Replies

Same network on both sides of a remote access VPN

Doug Anderson
Level 1
Level 1

‎11-06-2008 04:26 PM - edited ‎03-11-2019 07:09 AM

I inherited a remote access VPN problem that I'm not sure how to resolve.

I have a PIX 506E with a LAN address of 192.168.1.1/24. It is the default gateway for that LAN. I've configured remote access VPN so that clients authenticate locally to the PIX. This works fine except for users who have 192.168.1.0/24 configured at their home. They connect just fine, but cannot access LAN resources behind the PIX. What suggestions would you offer me?

Thanks in advance.

Labels:
0 Helpful
4 Replies 4

Collin Clark
VIP Alumni
VIP Alumni

‎11-07-2008 06:19 AM

We use a network that home users will probably never have, something like 10.255.255.0 /24. You could also use a public address space, but you have to be careful of it being publicly routable or not.

Hope that helps.

0 Helpful

Doug Anderson
Level 1
Level 1
In response to Collin Clark

‎11-07-2008 06:22 AM

I agree this is the best answer, but I cannot implement that now and have to provide an interim solution.

Any assistance is greatly appreciately.

0 Helpful

SOL10
Level 1
Level 1
In response to Collin Clark

‎11-07-2008 06:24 AM

If you have configure RAVPN, then what you could do is create a pool of IP on a diff subnet (192.16.10.0/24) and create accesslists for that network to go to 192.168.1.0

e.g

ip local pool RA_POOL 192.168.10.1 -192.168.10.19 255.255.255.255

access-list outside_cryptomap_65534 permit ip host 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

HTH and please rate if useful

0 Helpful

Alan Huseyin Kayahan
Level 7
Level 7
In response to SOL10

‎11-07-2008 12:51 PM

Hello Doug,

Here is an interim solution

Lets assume that 172.16.20.0/24 is your VPN pool,

access-list Pnat permit ip 192.168.1.0 255.255.255.0 172.16.20.0 255.255.255.0

static (inside,outside) 10.255.255.0 access-list Pnat

add 10.255.255.0/24 to your split-tunnel ACL and remove 192.168.1.0/24

Remove the ACE permit ip 192.168.1.0 255.255.255.0 to vpnpool from NAT 0 ACL

Now VPN clients can connect the inside clients on same host portion but 10.255.255 subnet portion IP address. Lets say that you have a server in inside with IP 192.168.1.30, now you can connect that server from RA VPN client as 10.255.255.30

If didnt work, post your config and let me modify

Regards

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card