
Can't Access Subnet When VPN'd In

Thomas Reiling
Level 1

When I VPN into our network it gives me an IP address within the range: 192.168.200.1 - 192.168.200.50.

The following access works when VPN'd in: 192.168.200.x -> 10.2.28.x

The following access does not work when VPN'd in: 192.168.200.x -> 192.168.50.x

Can someone please let me know what I need to have in the PIX config to make this work?

Thank you,

Thomas


Yudong Wu
Level 7

In general:

1) NAT bypass for traffic 192.168.200.x -> 192.168.50.x: make sure this traffic is included in the ACL which is used by the nat 0 command.

2) Check routing.

3) If using split-tunnel, make sure 192.168.50.x is included in the split tunnel ACL.

Yudong,

Thank you for the quick response.  I have attached a scrubbed version of our config.  Can you please take a quick look and see if anything missing is obvious?

Thanks again,

Thomas

1. Add 192.168.50.0 to your split tunnel ACL

access-list remotevpnbhc_splitTunnelAcl permit ip 192.168.50.0 255.255.252.0 any

2. Add the traffic between 192.168.50.0 and the VPN client to the ACL which is used by NAT 0

access-list vpn_insideacl permit ip 192.168.50.0 255.255.252.0 192.168.200.0 255.255.255.0

Yudong,

Thank you very much. Your suggestion worked! All I had to do after adding your lines was to add the route.

Also, for the 192.168.50.0 network I had to use a subnet of 255.255.255.0 instead of 255.255.252.0.

Thanks again!

Thomas
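
Added example, not part of the thread: a small Python check for the two ACLs discussed above. It flags entries whose address does not sit on the boundary of its mask (192.168.50.0 with 255.255.252.0 is one) and tests whether an ACL permits a given flow. The sample config is constructed from the lines in the thread plus a 255.255.255.0 variant, and treating misaligned entries as not covering a flow is an assumption of this checker, not documented PIX behavior.

```python
import ipaddress

# Constructed sample input: the two ACL lines suggested in the thread, plus
# a 255.255.255.0 variant like the one the original poster reports using.
SAMPLE_CONFIG = """\
access-list remotevpnbhc_splitTunnelAcl permit ip 192.168.50.0 255.255.252.0 any
access-list vpn_insideacl permit ip 192.168.50.0 255.255.252.0 192.168.200.0 255.255.255.0
access-list vpn_insideacl permit ip 192.168.50.0 255.255.255.0 192.168.200.0 255.255.255.0
"""

def take_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_interface("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_interface(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_interface(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(config):
    """Yield (acl_name, src, dst) for each 'permit ip' entry."""
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            continue
        src, rest = take_addr(t[4:])
        dst, _ = take_addr(rest)
        yield t[1], src, dst

def is_aligned(iface):
    """True when the address has no host bits set for its mask."""
    return iface.ip == iface.network.network_address

def misaligned(config):
    """Return (acl, address as written, network the mask actually implies)."""
    return [(name, str(i.ip), str(i.network))
            for name, src, dst in parse_acl(config)
            for i in (src, dst) if not is_aligned(i)]

def covers(config, acl, src_net, dst_net):
    """True if an aligned entry in `acl` permits src_net -> dst_net."""
    s, d = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    return any(name == acl and is_aligned(src) and is_aligned(dst)
               and s.subnet_of(src.network) and d.subnet_of(dst.network)
               for name, src, dst in parse_acl(config))
```

On the sample, `misaligned` reports both 255.255.252.0 entries, and `covers` confirms that only the 255.255.255.0 entry in `vpn_insideacl` cleanly permits 192.168.50.0/24 to the VPN pool.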