VPN-Concentrator+PIX on local LAN -> clients can't reach local servers

ewald.jenisch
Level 1

Hi,

I've got a problem wrt. remote-access clients coming in via a VPN3000 concentrator and trying to access local Servers.

For the topology:

The internal network is 10.0.1.0/24. It connects to the outside world as well as to the DMZs via a PIX; the PIX has 10.0.1.1 in the internal network.

On the same (internal) LAN I've got the VPN-concentrator with the inside-address 10.0.1.5. It assigns addresses in the range 10.0.100.0/24 to the VPN client-PCs.

I can successfully connect using the VPN client-SW to the concentrator, i.e. the remote-access-clients get addresses out of the 10.0.100.0/24 range.

The problem: Access from the VPN-clients to the internal network is *not* possible; for example a client with 10.0.100.1 can't connect to internal server 10.0.1.28.

To my understanding this is a routing problem since the Server (10.0.1.28) has no idea on how to reach the clients in 10.0.100.0/24. The only thing the server has is a static default route pointing to the PIX, i.e. 10.0.1.1.

So I set up a static route on the PIX for 10.0.100.0 pointing towards the VPN-Concentrator, i.e.

route mylan 10.0.100.0 255.255.255.0 10.0.1.5 1

This didn't solve my problem however.

In the PIX logs I see entries like the following:

%PIX-3-106011: Deny inbound (No xlate) tcp src intern:10.0.1.28 (atlas) /445 dst intern:10.0.100.1 (unresolved) /1064

So the PIX seems to drop the return-packets, i.e. the traffic from the server back to the client.

To my understanding the problem seems to be:

Traffic runs VPN-client -> VPN-Concentrator -> Server -> PIX - where it gets dropped.

My reasoning behind: The PIX only sees the return-packet, i.e. the packet going back from the server towards the client - and hence drops the packet because it hasn't seen the packet coming from the client to the server.

So here are my questions:

o) How do I set up the PIX so that I get connectivity between my remote VPN-clients (10.0.100.0/24) and the servers/machines on the local LAN (10.0.1.0/24)?

o) Has anybody else got something like this going?

PS: Please note that the obvious first idea, installing static routes on every machine on the local LAN is not an option here.

Thanks a lot in advance for your help,

-ewald
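A small detection helper, added here as an example and not part of either post, that scans PIX syslog for the 106011 "No xlate" denies quoted above and flags the ones where source and destination sit on the same interface, which is the signature of the reply-only (asymmetric) path described in the question. The sample log lines are constructed; only the first mirrors the message quoted in the post.

```python
import re
from collections import Counter

# Constructed sample PIX syslog lines; the first mirrors the message quoted in the post.
SAMPLE_LOG = """\
%PIX-3-106011: Deny inbound (No xlate) tcp src intern:10.0.1.28 (atlas) /445 dst intern:10.0.100.1 (unresolved) /1064
%PIX-3-106011: Deny inbound (No xlate) tcp src intern:10.0.1.28 (atlas) /445 dst intern:10.0.100.1 (unresolved) /1065
%PIX-3-106011: Deny inbound (No xlate) tcp src intern:10.0.1.40 (unresolved) /22 dst intern:10.0.100.7 (unresolved) /40011
%PIX-3-106011: Deny inbound (No xlate) tcp src outside:203.0.113.9 (unresolved) /80 dst intern:10.0.1.28 (atlas) /51234
%PIX-6-302013: Built outbound TCP connection 12 for outside:203.0.113.9/80 (203.0.113.9/80) to intern:10.0.1.28/51234 (198.51.100.2/51234)
"""

# Fields of a %PIX-3-106011 message: protocol, src iface/ip/port, dst iface/ip/port.
PAT_106011 = re.compile(
    r"%PIX-3-106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<sip>[\d.]+) \([^)]*\) /(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+) \([^)]*\) /(?P<dport>\d+)"
)


def parse_106011(line):
    """Return the fields of a 106011 line as a dict, or None for any other message."""
    m = PAT_106011.search(line)
    return m.groupdict() if m else None


def hairpin_denies(log_text):
    """Count 'No xlate' denies whose src and dst are on the same interface.

    That combination is the symptom from the post: the PIX sees only the
    server's reply (src = server on 'intern', dst = VPN pool, also behind
    'intern'), never the client's first packet, so no xlate exists and the
    reply is dropped. Returns {(iface, src_ip, dst_ip): count}.
    """
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_106011(line)
        if f and f["sif"] == f["dif"]:
            hits[(f["sif"], f["sip"], f["dip"])] += 1
    return hits


if __name__ == "__main__":
    for (iface, sip, dip), n in hairpin_denies(SAMPLE_LOG).items():
        print(f"{iface}: {sip} -> {dip} dropped {n}x (reply seen without forward xlate)")
```

Denies whose src and dst interfaces differ (the outside-to-intern line in the sample) are ordinary policy drops and are deliberately not counted.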

1 Accepted Solution

Accepted Solutions

maraz
Level 1

Hello, Since the PIX can not route traffic on the same interface (prior to version 7.0 anyway) I suggest you either place your concentrator on the outside with the inside leg on a DMZ or (if you can not do a network redesign) you delete your pool with 10.0.100.0-addresses and create a pool with 10.0.1.0-addresses that is a part of the inside address-space. NOT all of it. Reserve a bit that is not used inside.

Best Regards

Robert Maras

