06-17-2007 12:17 AM - edited 02-21-2020 03:06 PM
Hi,
I notice the default GW for VPN clients when connecting is the client's interface itself. I am just wondering how would he be able to access other VLANs in the network?
R/ Haitham
06-18-2007 05:30 AM
Hi,
It is very easy. When you connect to your site
through VPN client, it depends on policy you
configured on PIX which routes will be pushed
to your interface on PC and then to your site and which not. If you configure all routes
0.0.0.0 0.0.0.0 to be directed through VPN interface you will not be able to connect to other site.
BR.
jl
06-18-2007 07:15 AM
Hi,
Can you please assist with an example?
Thanks,
Haitham
06-18-2007 11:45 AM
Hi Haitham
It's a bit like having a route on a router that instead of using the next hop IP address uses an outgoing interface instead.
So your default-gateway for the VPN client is the outgoing interface with IP address of the client end of the VPN tunnel. So all traffic no matter which subnet it is destined for will be sent down the tunnel.
Hope this makes sense
Jon
09-12-2007 10:44 AM
Hello Jon,
I know this post was a while back, but like a good little boy I searched for my problem before starting a new post. :)
I had the same question Haitham did about why my VPN clients get their own IP set as their default GW. You answered that question... thanks! I still have another question though:
My ASA 5520 (which is what my remote clients VPN into) is connected on the inside interface to a VLAN network. I have a Cisco 6500 managing and routing this VLAN and others. When I connect in with my VPN client, I get assigned an IP address from the VLAN network that the ASA is connected to, but I cannot get to anything on that network or on any of my other VLAN networks. However, if I ssh into my ASA, I can ping anything on the ASA's inside network and other VLAN networks. Any idea why this is happening? I have static routes configured in the ASA for all of my other VLANs that point to the gateway of the ASA's inside network.
Thanks! -- BTR
09-12-2007 11:40 PM
Hi
Try to double check that nat0 is properly configured, and that you have nat traversal enabled on the FW (isakmp nat-t)
hope this helps,
Shadi`
06-19-2007 02:11 AM
Hi Haitham,
Like mentioned before the routes pushed through the tunnel will depend on the policies configured.
However, to have the client capable of communicating to other vlans (or the local LAN) you will need to configure split tunneling.
Configuring split tunneling will slightly vary depending on the software version of the VPN server.
Below I am listing how to configure it on the PIX FW version 6.x and version 7.x as well:
version 7.x:
version 6.x:
Use the following command when configuring VPN
vpngroup groupname split-tunnel
where you specify in the access-list all the traffic that you would like to pass through the tunnel; all other traffic not specified in the access-list will pass in the clear.
I hope that the above will be of assistance to you on this.
note that the GW of the tunneled traffic will remain pointing to the interface :)
K.Regards,
Shadi`
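The following is an added example of the split-tunnel configuration Shadi refers to, written out for both PIX/ASA software families; it is not Shadi's own config and the thread does not contain it. The group/tunnel-group name VPNCLIENTS, the ACL name SPLIT_TUNNEL_ACL and the 10.10.0.0/16 inside range are placeholders invented for this example. Without the split-tunnel policy the default is tunnelall, which is exactly the behaviour Haitham and BTR observed (every destination, including the user's own LAN, goes down the tunnel); tunnelall is also the more restrictive posture, so split tunneling should only list the internal subnets the clients actually need.

```text
! --- PIX/ASA 7.x ---
! Standard ACL naming the internal networks that must be reached through the tunnel.
! Everything not matched here leaves the client in the clear (local LAN, Internet).
access-list SPLIT_TUNNEL_ACL standard permit 10.10.0.0 255.255.0.0

group-policy VPNCLIENTS internal
group-policy VPNCLIENTS attributes
 ! tunnelspecified = only the networks in the ACL are tunneled.
 ! The default, tunnelall, pushes 0.0.0.0/0 down the tunnel.
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL

tunnel-group VPNCLIENTS type ipsec-ra
tunnel-group VPNCLIENTS general-attributes
 default-group-policy VPNCLIENTS

! --- PIX 6.x ---
! Extended ACL: internal networks on the source side, "any" on the destination side.
access-list SPLIT_TUNNEL_ACL permit ip 10.10.0.0 255.255.0.0 any
! The vpngroup command from the post, with the ACL name supplied.
vpngroup VPNCLIENTS split-tunnel SPLIT_TUNNEL_ACL
```

On either version, the routes the client receives can be verified from the VPN client's route table after connecting: with tunnelspecified only the ACL networks point at the virtual adapter, whereas with tunnelall the default route does. For the separate reachability problem BTR describes, the same internal networks also need to be exempt from NAT toward the VPN pool (the nat 0 / NAT exemption Shadi mentions), otherwise the ASA can ping the VLANs itself while clients cannot.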