04-05-2005 10:38 AM - edited 03-09-2019 10:51 AM
Hi,
I have a PPTP remote access VPN on a PIX 515E and was wondering if it is possible to send static routes to clients.
My problem is that I have my internal network and a DMZ. When a client connects to the VPN, he gets assigned an address ranging from the internal network. When I try to access my DMZ, which is on another network, the client obviously doesn't know how to reach that network unless I manually type in the DMZ network in the client's static routes.
So it is like this:
VPN addr range: 192.168.1.48/28
Internal network: 192.168.1.0/24
DMZ network: 192.168.2.0/24
On a Windows client, unless I do "route add 192.168.2.0 mask 255.255.255.0 <vpn ip>", it doesn't know how to get to the DMZ network.
Is there a way I can send static routes or configure my PIX in some way so that I don't have to type that route every time?
04-06-2005 01:34 AM
Hello paradis,
Strange.. I don't think you need to add any routes on the client.. once you get connected to the PIX and get an IP, which is on the same network as the inside, it only requires for the PIX to know how to reach the DMZ servers.. the client will just put all packets on the IPsec tunnel..
Cross-check it and let us know.. what is the normal default GW of the Windows client? Hope all the traffic goes through the tunnel... let us know
Raj
04-06-2005 12:16 PM
The default gateway wasn't correct, but this was intentional: I checked an option in the advanced TCP/IP properties of the VPN connection. This option allowed the non-VPN traffic to go through my ISP gateway and not the VPN gateway.
If I uncheck the option, I can easily reach the DMZ without adding a static route, but now I can't go on the Internet, as everything is forwarded to the VPN tunnel.
Would split tunneling fix this problem?
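Added illustration, not part of the thread: a small longest-prefix-match model of the Windows client's routing table that shows why the DMZ is unreachable while the "use remote default gateway" option is unchecked, and why all Internet traffic enters the tunnel once it is checked. It uses the networks from the original post; the two gateway addresses and the sample hosts are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network

# Networks from the original post; gateway addresses are assumed for this
# illustration only (documentation ranges, not real infrastructure).
VPN_GW = "192.168.1.49"   # assumed: far end of the PPTP tunnel
ISP_GW = "203.0.113.1"    # assumed: the client's normal ISP gateway
INSIDE = "192.168.1.0/24"
DMZ = "192.168.2.0/24"
DEFAULT = "0.0.0.0/0"


def client_routes(use_remote_default_gw, dmz_static_route=False):
    """(prefix, next_hop) pairs as the client holds them after dial-in.

    use_remote_default_gw mirrors the 'Use default gateway on remote network'
    checkbox; dmz_static_route mirrors the manual 'route add 192.168.2.0 ...'.
    """
    routes = [(INSIDE, VPN_GW)]  # inside net is reachable once the tunnel is up
    routes.append((DEFAULT, VPN_GW if use_remote_default_gw else ISP_GW))
    if dmz_static_route:
        routes.append((DMZ, VPN_GW))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match: the most specific matching route wins."""
    dst = ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def tunnelled(routes, dst):
    """True when traffic to dst is sent into the VPN rather than to the ISP."""
    return next_hop(routes, dst) == VPN_GW


if __name__ == "__main__":
    dmz_host, internet_host = "192.168.2.10", "198.51.100.7"  # constructed
    cases = [("option unchecked", client_routes(False)),
             ("option unchecked + route add", client_routes(False, True)),
             ("option checked", client_routes(True))]
    for label, routes in cases:
        print(f"{label}: DMZ via VPN={tunnelled(routes, dmz_host)}, "
              f"Internet via VPN={tunnelled(routes, internet_host)}")
```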
04-06-2005 09:18 PM
Hi paradis,
Split tunneling will surely fix the problem of Internet access when on VPN.. this works perfectly well with IPsec, but I'm really not sure if PPTP has this option.. there's no configuration on the PIX which can be used to enable split tunneling on the PIX.. why don't you ask the user to go for an IPsec client? You will also benefit from the encryption and authentication features of IPsec...
Have a look at this URL and see if this helps..
http://www.experts-exchange.com/Security/Firewalls/Q_21300201.html
Let us know if you need any more assistance.. rate replies if found useful.
Raj