01-18-2008 07:32 AM - edited 03-05-2019 08:33 PM
Hello,
I have attached the config for our PIX firewall. Any tips would be appriciated.
The problem I am having is with remote clinets and the vpngroup setup on the PIX. When a client vpn's to the PIX using the vpngroup login and password, they are assigned a 192.168.99.xx IP address. The internal IP subnet for all devices behind the PIX is 192.168.0.xxx. The VPN clinets can access all devices on the 192.168.0.xx subnet, but I need to be able to allow the clinets to access other devices on our network that are outside the PIX. Example, I have several nodes that are assigned 192.168.20.xxx IP address that are outside the PIX. None of the vpngroup clients can access this subnet or any other subnet besides the internal PIX block. From any device or server behind the PIX with a 192.168.0.xx IP, I can access everything just fine.
Also, when using the Cisco PIX client, I have noticed that the machine that is VPN to the PIX, is not using the PIX as the default gateway to the outside world. Outside traffic is still routed over the clinets primary internet connection. I need to have all traffic route through the PIX. Is this possible?
Thanks,
Jesse
01-18-2008 07:33 AM
01-18-2008 08:25 AM
You current configuration has split tunnel configured and you are permitting the clients to access only 192.168.0.0/24 network. If you want to allow clients to access additional networks, please do add the appropriate networks to the split tunnel and nonat statements. Also, make sure that your internal networks knows that they need to route the packets to the pix for traffic destined to 192.168.99.0/24, the pool of ip addresses for the VPN Clients.
vpngroup vpn3000-all split-tunnel nonat
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.99.0 255.255.255.0
Since you have split tunnel configured, all networks configured under split tunnel will e routed to the pix and all other traffic will follow the clients internet connection.
Now, to answer your second part of the questions, if you disable split tunnel and tunnel all traffic to the pix, then you need 7.x code or higher on the pix to support what is called intra-interface and send the traffic to the internet and your LAN. Please refer the below URL for details:
In your case, if you cannot upgrade to 7.x, then you need another router or firewall in your network that directs traffic for the VPN Client Pool.
Let me know if it helps.
Regards,
Arul
* Please rate if it helps *
01-18-2008 11:35 AM
Hello,
I added the following to my nonat list:
access-list nonat permit ip 192.169.20.0 255.255.255.0 192.168.99.0 255.255.255.0
I also, created a route pointing 192.168.99.0 network to the outside interface of my pix. I still can not reach anything. I do not think the outside interface is allowing the replies to the 192.168.99.0 network to pass.
J
01-18-2008 11:46 AM
Couple of things:
1. Is it 192.169.20.0 or 192.168.20.0. I guess thats a typo.
2. If it is 192.169.20.0, Did you have the VPN Client disconnect and connect again to see if the split tunnels are passed on correctly.
2. Does the 192.169.20.0/24 know that they need to route the packets destined for 192.168.99.0 to the pix.
3. Can you also post the outputs of "show crypto ipsec sa" when you are not able to ping the 192.169.20.0.
4. Also, dont remember to do a clear xlate after making the changes.
Regards,
Arul
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide