Same network on both sides of a remote access VPN

Doug Anderson
Level 1

I inherited a remote access VPN problem that I'm not sure how to resolve.

I have a PIX 506E with a LAN address of 192.168.1.1/24. It is the default gateway for that LAN. I've configured remote access VPN so that clients authenticate locally to the PIX. This works fine except for users who have 192.168.1.0/24 configured at their home. They connect just fine, but cannot access LAN resources behind the PIX. What suggestions would you offer me?

Thanks in advance.

4 Replies

Collin Clark
VIP Alumni

We use a network that home users will probably never have, something like 10.255.255.0 /24. You could also use a public address space, but you have to be careful of it being publicly routable or not.

Hope that helps.

I agree this is the best answer, but I cannot implement that now and have to provide an interim solution.

Any assistance is greatly appreciated.

If you have configured RA VPN, then what you could do is create a pool of IPs on a different subnet (192.168.10.0/24) and create access lists for that network to go to 192.168.1.0

e.g.

ip local pool RA_POOL 192.168.10.1-192.168.10.19

access-list outside_cryptomap_65534 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

HTH and please rate if useful

Hello Doug,

Here is an interim solution

Let's assume that 172.16.20.0/24 is your VPN pool:

access-list Pnat permit ip 192.168.1.0 255.255.255.0 172.16.20.0 255.255.255.0

static (inside,outside) 10.255.255.0 access-list Pnat

Add 10.255.255.0/24 to your split-tunnel ACL and remove 192.168.1.0/24.

Remove the ACE "permit ip 192.168.1.0 255.255.255.0 <vpnpool>" from the NAT 0 ACL.

Now VPN clients can connect to the inside hosts using the same host portion but with the 10.255.255 subnet portion in the IP address. Let's say that you have a server inside with IP 192.168.1.30; now you can connect to that server from the RA VPN client as 10.255.255.30.

If it didn't work, post your config and let me modify it.

Regards
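As an added illustration (not configuration from the thread, the PIX, or Cisco), the following Python model covers the two workarounds suggested above: spotting when a split-tunnel prefix pushed to the client collides with the client's own home LAN (the failure in the question), translating an inside host into the 10.255.255.0/24 view that the policy static creates, and checking that a chosen pool overlaps neither network. The addresses are the ones used in the thread; the colliding home LAN and the function names are assumptions made for the illustration.

```python
"""Model of the overlapping-subnet problem and the policy-NAT workaround.

Added illustration only; these are not PIX commands and not code from the
thread. Networks are the ones discussed in the thread; the home LAN below
is a constructed example of a client network that collides with the office.
"""
import ipaddress

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")    # office LAN behind the PIX
VPN_POOL = ipaddress.ip_network("172.16.20.0/24")      # RA VPN pool from the second answer
MAPPED_NET = ipaddress.ip_network("10.255.255.0/24")   # NAT'd view of the office LAN


def _net(value):
    """Accept either a string prefix or an already-built network object."""
    if isinstance(value, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return value
    return ipaddress.ip_network(value)


def split_tunnel_conflicts(client_lan, split_tunnel_nets):
    """Return (as strings) every split-tunnel prefix overlapping the client's LAN.

    A pushed route that also exists locally is what breaks the user in the
    question: 192.168.1.x traffic stays on the home LAN instead of entering
    the tunnel, so the office is unreachable even though the VPN is up.
    """
    client_lan = _net(client_lan)
    return [str(n) for n in map(_net, split_tunnel_nets) if n.overlaps(client_lan)]


def policy_nat(host, real_net=INSIDE_NET, mapped_net=MAPPED_NET):
    """Translate one address the way 'static (inside,outside) 10.255.255.0
    access-list Pnat' does: keep the host portion, swap the network portion.

    Pass the networks the other way round to model the reverse translation
    of return traffic (10.255.255.30 -> 192.168.1.30).
    """
    host = ipaddress.ip_address(host)
    real_net, mapped_net = _net(real_net), _net(mapped_net)
    if host not in real_net:
        raise ValueError(f"{host} is not inside {real_net}")
    if real_net.prefixlen != mapped_net.prefixlen:
        raise ValueError("real and mapped networks must be the same size")
    offset = int(host) - int(real_net.network_address)
    return str(ipaddress.ip_address(int(mapped_net.network_address) + offset))


def pool_is_usable(pool, *reserved):
    """A VPN pool must not overlap the inside LAN or the NAT'd network,
    otherwise the PIX cannot tell pool traffic from local traffic."""
    pool = _net(pool)
    return not any(pool.overlaps(_net(r)) for r in reserved)


if __name__ == "__main__":
    home_lan = "192.168.1.0/24"          # constructed: the colliding home network
    before = [INSIDE_NET]                # split-tunnel ACL as originally configured
    after = [MAPPED_NET]                 # split-tunnel ACL after the workaround
    print("conflicts before:", split_tunnel_conflicts(home_lan, before))
    print("conflicts after: ", split_tunnel_conflicts(home_lan, after))
    print("192.168.1.30 seen from the VPN as", policy_nat("192.168.1.30"))
    print("return traffic maps back to", policy_nat("10.255.255.30", MAPPED_NET, INSIDE_NET))
    print("172.16.20.0/24 usable as pool:", pool_is_usable(VPN_POOL, INSIDE_NET, MAPPED_NET))
    print("192.168.1.0/24 usable as pool:", pool_is_usable("192.168.1.0/24", INSIDE_NET))
```

The model only reproduces the address arithmetic; the PIX still needs the policy static, the split-tunnel ACL change and the NAT 0 exemption removal described in the answer above, and the translated 10.255.255.x addresses will not resolve through the office DNS unless records are added for them.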
