07-29-2005 07:59 AM
Hi,
I've got a problem wrt. remote-access clients coming in via a VPN3000 concentrator and trying to access local Servers.
For the topology:
The internal network is 10.0.1.0/24. It connects to the outside world as well as to the DMZs via a PIX; the PIX has 10.0.1.1 in the internal network.
On the same (internal) LAN I've got the VPN-concentrator with the inside-address 10.0.1.5. It assigns addresses in the range 10.0.100.0/24 to the VPN client-PCs.
I can successfully connect using the VPN client-SW to the concentrator, i.e. the remote-access-clients get addresses out of the 10.0.100.0/24 range.
The problem: Access from the VPN-clients to the internal network is *not* possible; for example a client with 10.0.100.1 can't connect to internal server 10.0.1.28.
To my understanding this is a routing problem since the Server (10.0.1.28) has no idea on how to reach the clients in 10.0.100.0/24. The only thing the server has is a static default route pointing to the PIX, i.e. 10.0.1.1.
So I set up a static route on the PIX for 10.0.100.0 pointing towards the VPN-Concentrator, i.e.
route mylan 10.0.100.0 255.255.255.0 10.0.1.5 1
This didn't solve my problem however.
In the PIX logs I see entries like the following:
%PIX-3-106011: Deny inbound (No xlate) tcp src intern:10.0.1.28 (atlas) /445 dst intern:10.0.100.1 (unresolved) /1064
So the PIX seems to drop the return-packets, i.e. the traffic from the server back to the client
To my understanding the problem seems to be:
Traffic runs VPN-client -> VPN-Concentrator -> Server -> PIX - where it gets dropped.
My reasoning behind: The PIX only sees the return-packet, i.e. the packet going back from the server towards the client - and hence drops the packet because it hasn't seen the packet coming from the client to the server.
So here are my questions:
o) How do I set up the PIX so that I get connectivity between my remote VPN-clients (10.0.100.0/24) and the servers/machines on the local LAN (10.0.1.0/24)?
o) Has anybody else got something like this going?
PS: Please note that the obvious first idea, installing static routes on every machine on the local LAN is not an option here.
Thanks a lot in advance for your help,
-ewald
08-03-2005 04:05 AM
Hello, Since the PIX can not route traffic on the same interface (prior to version 7.0 anyway) I suggest you either place your concentrator on the outside with the inside leg on a DMZ or (if you can not do a network redesign) you delete your pool with 10.0.100.0-addresses and create a pool with 10.0.1.0-addresses that is a part of the inside address-space. NOT all of it. Reserve a bit that is not used inside.
Best Regards
Robert Maras
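As an added example (not code from the original thread or from Cisco), here is a small Python script that does two things the thread reasons about by hand. First it parses %PIX-3-106011 "No xlate" deny lines and flags those whose source and destination interface are the same, which is what the quoted log line shows: the server's reply to the VPN client arrives at the PIX on the inside interface and would have to leave on that same interface. Second it checks a proposed client pool against the constraints in Robert's second suggestion: a proper sub-range of the inside subnet, not all of it, containing none of the addresses already in use inside. The sample log lines other than the one quoted in the post, and the list of in-use inside addresses (the PIX, the concentrator and the server named in the post), are constructed for this example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Message format of the %PIX-3-106011 line quoted in the thread:
#   %PIX-3-106011: Deny inbound (No xlate) <proto> src <if>:<ip> (<name>) /<port> dst <if>:<ip> (<name>) /<port>
# The "(name)" part is optional so lines without a resolved hostname still parse.
DENY_106011 = re.compile(
    r"%PIX-3-106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?: \([^)]*\))? ?/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?: \([^)]*\))? ?/(?P<dst_port>\d+)"
)

# Constructed sample syslog: the first line is the one from the post, the rest are made up
# for this example (a second same-interface deny, an outside->inside deny, an unrelated message).
SAMPLE_LOG = [
    "%PIX-3-106011: Deny inbound (No xlate) tcp src intern:10.0.1.28 (atlas) /445 dst intern:10.0.100.1 (unresolved) /1064",
    "%PIX-3-106011: Deny inbound (No xlate) tcp src intern:10.0.1.40/139 dst intern:10.0.100.1/1065",
    "%PIX-3-106011: Deny inbound (No xlate) tcp src outside:203.0.113.9/443 dst intern:10.0.1.28/2048",
    "%PIX-6-302013: Built outbound TCP connection 12 for outside:203.0.113.9/80 (203.0.113.9/80) to intern:10.0.1.28/1077 (10.0.1.28/1077)",
]

# Inside addresses named in the post: PIX inside leg, concentrator inside leg, the server.
IN_USE_INSIDE = ["10.0.1.1", "10.0.1.5", "10.0.1.28"]


def parse_deny(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a 106011 deny line, or None if the line is something else."""
    m = DENY_106011.search(line)
    return m.groupdict() if m else None


def same_interface_denies(lines: List[str]) -> List[Dict[str, str]]:
    """Denies whose src and dst interface are identical: the PIX is being handed
    traffic that entered and would leave on the same interface, i.e. the server's
    reply to a VPN client is going to the PIX instead of to the concentrator."""
    hits = []
    for line in lines:
        rec = parse_deny(line)
        if rec and rec["src_if"] == rec["dst_if"]:
            hits.append(rec)
    return hits


def pool_fits_inside(pool: str, inside: str, in_use: List[str]) -> bool:
    """Check a proposed client pool against the constraints in the answer: a
    proper sub-range of the inside subnet (not all of it) that contains none
    of the addresses already used on the inside LAN."""
    pool_net = ipaddress.ip_network(pool, strict=True)
    inside_net = ipaddress.ip_network(inside, strict=True)
    if not pool_net.subnet_of(inside_net) or pool_net == inside_net:
        return False
    return not any(ipaddress.ip_address(h) in pool_net for h in in_use)


if __name__ == "__main__":
    for rec in same_interface_denies(SAMPLE_LOG):
        print(f"same-interface deny on {rec['src_if']}: {rec['src_ip']}/{rec['src_port']} -> "
              f"{rec['dst_ip']}/{rec['dst_port']} ({rec['proto']})")
    for candidate in ("10.0.100.0/24", "10.0.1.0/24", "10.0.1.0/27", "10.0.1.192/26"):
        ok = pool_fits_inside(candidate, "10.0.1.0/24", IN_USE_INSIDE)
        print(candidate, "ok" if ok else "rejected")
```

Run against real PIX syslog, a stream of 106011 lines with identical src and dst interface is the quickest confirmation that return traffic is hairpinning through the firewall rather than a policy problem; the pool check only expresses the thread's rule of thumb and does not verify that the chosen range is actually unused on the LAN.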