Can login to VPN session but can't access network.

mcoxtstna
Level 1

I have been having this problem for about a month now. We are using a PIX 515E as our VPN device. This has been in place for years but last month something must have changed that won't allow me to access the network from a VPN connection.

I can log in to the VPN from a remote location; however, I cannot ping anything on the local network or access any devices. Our local network IP scheme is 10.6.x.x. The IP address given by the PIX for a VPN session is in the 10.6.5.x range. Our subnet is 255.255.0.0.

Can anyone give me help as to what to look at to fix it? I haven't worked with a VPN or PIX before.

8 Replies

mcoxtstna
Level 1

The DHCP addresses from the VPN are in the 255.255.255.0 subnet.

The access statement I have found is this: access-list nonat extended permit ip 10.6.0.0 255.255.0.0 10.6.5.0 255.255.255.0

Hi Matt,

/16 is a big range and 10.6.5.0/24 will be covered under it. Please change the IP range for the VPN pool and this will solve your issue. The inside range and the VPN pool should not be in the same range.

Thanks

Ajay

Thanks for the answer. So what should I change the IP range to?

Hi Matt,

It can be any range, for example 192.168.10.0/24, but it should not fall in the same range as the LAN network configured on the ASA.

Thanks

Ajay
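An added example (not from the thread) that checks Ajay's point mechanically: it uses Python's ipaddress module to flag a VPN pool that overlaps any inside network, and emits the NAT-exempt access-list in the same form as the nonat line posted above. The LAN (10.6.0.0/16) and the two pool values are taken from the thread; the function names are assumptions of this example.

```python
import ipaddress
from typing import Iterable, List


def overlapping_networks(pool: str, inside_nets: Iterable[str]) -> List[str]:
    """Return every inside network that overlaps the VPN address pool.

    A non-empty result reproduces the situation in the thread: LAN hosts
    treat pool addresses as local and never send replies back via the PIX.
    """
    pool_net = ipaddress.ip_network(pool, strict=False)
    return [
        net for net in inside_nets
        if ipaddress.ip_network(net, strict=False).overlaps(pool_net)
    ]


def nonat_acl_lines(pool: str, inside_nets: Iterable[str], acl_name: str = "nonat") -> List[str]:
    """Build PIX-style NAT-exempt ACL lines (network + subnet mask) for a pool.

    Raises ValueError if the pool overlaps an inside network, so a bad pool
    is rejected before any configuration text is produced.
    """
    clash = overlapping_networks(pool, inside_nets)
    if clash:
        raise ValueError(f"VPN pool {pool} overlaps inside network(s): {', '.join(clash)}")
    pool_net = ipaddress.ip_network(pool, strict=False)
    return [
        f"access-list {acl_name} extended permit ip "
        f"{n.network_address} {n.netmask} {pool_net.network_address} {pool_net.netmask}"
        for n in (ipaddress.ip_network(x, strict=False) for x in inside_nets)
    ]


if __name__ == "__main__":
    # Constructed from the thread: LAN is 10.6.0.0/16, the original pool was 10.6.5.0/24.
    LAN = ["10.6.0.0/16"]
    print(overlapping_networks("10.6.5.0/24", LAN))        # ['10.6.0.0/16']
    for line in nonat_acl_lines("192.168.10.0/24", LAN):  # the pool Ajay suggested
        print(line)
```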

Please make sure this access-list is still applied for no-NAT as follows...

nat (inside) 0 access-list nonat

Also, please make sure there is a static route on your local network forwarding the (VPN DHCP scope) traffic to the firewall's inside interface.

Let me know the results.

Thanks

Rizwan Rafeek

The PIX is directly connected to the network. Does it still need a route forwarding the VPN traffic?

Hi Matt,

I do not understand the route forwarding you are referring to. However, if you mean any route, then it is not required. You just need to take care of the VPN pool and NAT exempt.

Thanks

Ajay

VPN traffic is located at the PIX itself (therefore you need a static route on the local inside network to push VPN traffic toward the PIX's inside IP address). However, if your internal network segment is the only segment connected to the inside interface of the PIX on subnet 10.6.0.0 255.255.0.0, then you do not need a static route on the PIX to push internal traffic toward the inside network, i.e. assuming the only segment connected to the inside PIX interface is 10.6.0.0 255.255.0.0.

If your network 10.6.0.0 255.255.0.0 is segmented in the local network (i.e. more than one subnet), then it is wise to have a static route on the PIX to push all internal local segments to the peering IP address of the inside interface, i.e. not the IP address on the PIX but rather the peering IP address that appears on the switch.

For ease of troubleshooting, please post your config on the forum.

Thanks

Rizwan Rafeek