05-02-2008 07:10 AM
I have client vpn setup on PIX 8.03 with ADSM6 and NAT-T is enabled.
This PIX is used for VPN only, and all IPs are public except for the client, who is behind a home NAT device.
once connected I can only access other machines that are in same subnet as the vpn pool.
outside ip 1.0.1.5 gateway 1.0.1.1
inside ip 1.0.2.5 gateway 1.0.2.1
but inside net's default gateway can't be on PIX since only one is allowed.
It's kinda hard to explain the topology without drawing a picture, but both the inside and outside networks have their own default gateway, and the PIX is just a host in both networks.
so my guess is once the client connects to the PIX via 1.0.1.5 it issues an IP address of 1.0.2.100 to the client,
and traffic to the same subnet is fine, but when it tries to go out it will fail.
any ideas?
Thanks
05-02-2008 07:25 AM
so my guess is once the client connects to the PIX via 1.0.1.5 it issues an IP address of 1.0.2.100 to the client,
and traffic to the same subnet is fine, but when it tries to go out it will fail.
When it tries to go out to where? Outbound internet? If so:
asa(config)#same-security-traffic permit intra-interface
PAT the VPN pool subnet for outbound internet:
nat (outside) 1 1.0.2.0 255.255.255.0
global (outside) 1 interface
If you are referring to another network behind the ASA other than the inside interface (rather than outbound internet for the VPN pool), then create an ACL to allow the VPN pool subnet to reach whatever subnet behind the ASA you are trying to get to, as long as the ASA has a route to it. Refer to this thread.
HTH
Rgds
Jorge
05-02-2008 07:31 AM
My first suggestion would be to not use the same subnet for your VPN clients as you use for your inside PIX network. Make the VPN client subnet 1.0.3.0, for example. Then put a route on your inside router for this new network towards the PIX.
ip route 1.0.3.0 255.255.255.0 1.0.2.5
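The two replies above fit together into one configuration. The following is an added example for this thread, not configuration from the original posts or from Cisco documentation. It assumes the PIX 8.0 described in the question (outside 1.0.1.5 with gateway 1.0.1.1, inside 1.0.2.5 with gateway 1.0.2.1, interfaces named outside/inside) with the VPN pool moved to 1.0.3.0/24 as the second reply suggests; the pool name vpnpool, the ACL name nonat, the 1.0.4.0/24 subnet behind the inside router and the 1.0.2.20 test host are assumptions. The remote-access VPN itself (tunnel-group, group-policy, NAT-T) is assumed to already work, as the question states.

```cisco
! Added example, not from the original posts. Assumed names: vpnpool, nonat,
! the 1.0.4.0/24 subnet behind the inside router, and host 1.0.2.20.

! 1. Give the VPN clients their own subnet instead of carving 1.0.2.0/24.
ip local pool vpnpool 1.0.3.1-1.0.3.254 mask 255.255.255.0

! 2. Only one default route is allowed and it points at the outside gateway.
!    Any subnet that sits behind the inside router (1.0.4.0/24 is assumed)
!    needs an explicit static route; 1.0.2.0/24 is directly connected.
route outside 0.0.0.0 0.0.0.0 1.0.1.1 1
route inside 1.0.4.0 255.255.255.0 1.0.2.1 1

! 3. Do not translate traffic between the VPN pool and the inside networks.
!    NAT exemption (nat 0 access-list) is evaluated before the PAT rule in
!    step 4 and applies in both directions.
access-list nonat extended permit ip 1.0.2.0 255.255.255.0 1.0.3.0 255.255.255.0
access-list nonat extended permit ip 1.0.4.0 255.255.255.0 1.0.3.0 255.255.255.0
nat (inside) 0 access-list nonat

! 4. Internet access for the clients: decrypted traffic arrives on outside
!    and must leave on outside again (hairpin), PATed to the outside address.
same-security-traffic permit intra-interface
nat (outside) 1 1.0.3.0 255.255.255.0
global (outside) 1 interface

! 5. Checks on the PIX once a client is connected.
show route
show xlate
packet-tracer input outside tcp 1.0.3.10 1025 1.0.2.20 22

! 6. On the inside router (IOS), so replies to the pool come back to the PIX
!    instead of following the router's own default route:
!    ip route 1.0.3.0 255.255.255.0 1.0.2.5
```

Step 6 is the part most often forgotten: without the return route, packets from a client reach an inside host but the host's replies go to 1.0.2.1 and on to that router's default gateway, which is exactly the "same subnet works, everything else fails" symptom in the question. `sysopt connection permit-vpn` is enabled by default, so decrypted client traffic bypasses the outside interface ACL; if it has been disabled, the outside ACL must also permit 1.0.3.0/24 to the inside networks. `packet-tracer` walks the route lookup, NAT and ACL phases and shows which one drops the packet.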