Having problems with VPN routing and a 501 Pix

Arioch_dm
Level 1

I'm trying to set up a 501 PIX to allow clients to VPN into the unit. I have been successful to some extent with this, but one thing I keep having problems with is being able to access systems on the inside network. It seems to be a routing problem and/or possibly an ACL issue, but I can't seem to get past it. Any help is appreciated.

Laptop (XP)-----Lan (100.100.100.0)-----Pix----Inside Network (192.168.1.0)

If I make my VPN address pool 192.168.1.200-240 so that it has the same addressing scheme as the inside network, then I can ping, remote desktop, etc. to any of the 192.168.1.x systems in the inside network via VPN. But I don't want to use a VPN pool that is on the same subnet because it gobbles up addresses that I need for the inside network.

So what I need is to change my VPN address pool to something different and then get the PIX to route the traffic from the new VPN subnet to the 192.168.1.0 subnet.

My inside network is using a 255.255.254.0 subnet mask instead of 255.255.255.0.

I don't care about encryption or security for what I am doing, so I am using the Windows XP default VPN client with only PPTP (no encryption or authentication schemes).

I'm also wanting the clients to be able to see both the 100.100.100.0 subnet and the 192.168.1.0 subnet at the same time while using their VPN connection. On the Windows VPN client you can do this by unchecking "Use default gateway on remote network". There may be other options to get the same result, but that is what I am currently using. I am assuming that with that kind of setup I might need to mess with the routing table on the client system so that any traffic destined for 192.168.1.0 gets forced to the VPN connection. I'm not married to the idea of doing it this way; it's just the only way I know how with the setup I have.

Any suggestions would be GREATLY appreciated.

Thanks,

David

2 Replies

Wilson Samuel
Level 7

> If I make my VPN address pool 192.168.1.200-240 so that it has the same addressing scheme as the inside network then I can ping, remote desktop, etc to any of the 192.168.1.x systems in the inside network via VPN. But I don't want to use a VPN pool that is on the same subnet because it gobbles up connections that I need for the inside network.

Hi,

If this is all you want, then why enter into such complications? Simply use a DHCP server for your inside network and exclude the addresses that you would assign to the VPN clients.

Also, if you could paste the config, it would be much easier to look for a solution.

Kind Regards,

Wilson Samuel

nefkensp
Level 5

It is very easy to use a different pool, but remember that you need to change the "nat 0" access-list to define that traffic from the inside network to the VPN clients should not be NATed. E.g.

access-list nonat remark 192.168.10.0/24 is an assumed VPN client pool for this example; substitute your own
access-list nonat permit ip 192.168.1.0 255.255.254.0 192.168.10.0 255.255.255.0

With regard to disabling the "default gateway" on the PPTP client, I found out that the Microsoft VPN client does not listen to the netmask that is being sent from the PIX to the PPTP client (in PIX 6.3 you can specify a netmask on an IP pool).

Instead, Microsoft defines the route based on the class to which the network belongs; e.g. if the pool IP range is 192.168.x.x, the netmask is defaulted to a class C network (255.255.255.0), while the netmask is defaulted to a class B (255.255.0.0) if the IP address received is in the range 172.29.x.x, etc.

There is a solution for it, which I've used at some customers that needed split tunneling (that's what you're looking for) based upon the Microsoft PPTP client.

Basically, instead of letting the users start the dial-up connection themselves, they start a batch file that calls out for the VPN connection and then adds the routes for the networks that need to be tunneled.

I've attached a sample script file that does that job.

Hope this helps.
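The script attached to the reply above is not reproduced on this page. What follows is an added example written for this page, not nefkensp's attachment, showing the same procedure: dial the PPTP entry with rasdial, then inject a route for the inside network through the tunnel so that unchecking "Use default gateway on remote network" still lets the client reach 192.168.1.0/23. The phonebook entry name "PIX-VPN" and the client pool 192.168.10.0/24 are assumptions for the example; the inside network and its 255.255.254.0 mask come from the thread.

```batch
@echo off
REM Added example, not the script attached to the original reply.
REM Assumptions: the XP PPTP phonebook entry is named "PIX-VPN", the PIX
REM hands out client addresses from 192.168.10.0/24, and "Use default
REM gateway on remote network" is unchecked so only the routes added here
REM go through the tunnel.
REM Usage: pixvpn.bat <username> <password>   (omit both to use saved credentials)
setlocal
set CONN=PIX-VPN
set POOLPREFIX=192.168.10.

rasdial "%CONN%" %1 %2
if errorlevel 1 (
    echo Connection "%CONN%" failed, not adding routes.
    exit /b 1
)

REM Windows derives the tunnel route from the address class, so an address
REM from 192.168.10.x only gets 192.168.10.0/24 and the PIX's mask is ignored.
REM Read the PPP address from ipconfig and use it as the gateway for the
REM inside network 192.168.1.0/23.
set PPPIP=
for /f "tokens=2 delims=:" %%A in ('ipconfig ^| findstr /l /c:": %POOLPREFIX%"') do set PPPIP=%%A
if not defined PPPIP (
    echo No address from %POOLPREFIX%0/24 found; check the pool on the PIX.
    rasdial "%CONN%" /disconnect
    exit /b 1
)
set PPPIP=%PPPIP: =%

route add 192.168.1.0 mask 255.255.254.0 %PPPIP% metric 1
if errorlevel 1 (
    echo route add failed; the account must be allowed to change the routing table.
    exit /b 1
)

echo Tunnel up as %PPPIP%: 192.168.1.0/23 goes via the VPN, everything else stays local.
endlocal
```

The route uses the client's own PPP address as the gateway, which is the usual way to point a route at a point-to-point link on Windows; one `route add` per tunneled network is needed, and the routes disappear with the connection because they are bound to the PPP interface.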