cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
305
Views
0
Helpful
2
Replies

VPN3030 not proxy arping for clients

elijah.savage
Level 1
Level 1

All I am in need of help. We have a Cisco 3030 concentrator that does not proxy arp for the clients ip addresses that we give out via Cisco ACS radius.

Internet router-------Checkpoint-------3030-----ACS

That is a simple look at how it is setup. The concentrator sits on the private side of 172.29.128.0 if we have the radius box handing out 172.29.128.0 addresses to the clients everything works fine. But we do not want this, we want our clients to be given 172.31.50 address space when we do this we can vpn in but get no where. I have a sniffer in place and also doing a snoop on the checkpoint when we vpn in and get 172.31.50.1 as a client address the firewall ask via arp whois 172.31.50.1 and the concentrator does not answer up for this ip. What is strange if we put the dhcp scope back to 172.29.128.0 and the firewall ask via arp whom is 172.29.128.1 the concentrator answers for that.

Question can you give out a different dhcp address from a radius box than what is assigned to the concentrator and have this work?

2 Replies 2

edadios
Cisco Employee
Cisco Employee

Actually, even if you use intenal addess assignment and use a different pool of address to the concentrator's private subnet, you would have the same problem.

The solution here is to create static routes on the hosts behind the concentrator pushing the pool address back to the concentrator. Not proxyap.

Or if you have an internal router, you can use that as a tunnel default gateway and then add a statc route on that router sending the 172.31 back to the private ip of the concentrator.

Or if possible, default route the host behind the concentrator back to the concentrator private.

Regards,

Of course explaining one's network to someone is always a difficult thing. Anyway the concentrator sits in a DMZ of the the firewall. With the private 172.31 in a vlan with another interface off the firewall with a 172.31 ip address also. The client wants all traffic going through the firewall we could not convince them to let us connect directly to the internal network.

Right now we do have a static route on a cat5500RSM saying to get to 172.31 go to the firewall address whom is locally attached to the concentrator and the firewall routes it there. But as I stated when the firewall gets the packet on the private interface it ask via arp whom is 172.31.50.1(client address) and the concentrator doesn't answer for it. We have the tunnel default gateway pointing to the firewall.

Describing this is terribly hard :)