PIX 501 VPN DHCP Problem

ld2000
Level 1

I used the VPN wizard on a 501 to set up a test VPN group, and assigned a scope of 10 IP addys for the group. I fire up the Cisco VPN client, get authenticated, and get the first of the 10 available addresses. However, I get the wrong subnet mask. The inside interface and the inside DHCP scope both have /24 masks, but the VPN client gets a /8 mask.

20:06:52.844 06/21/04 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=10.x.x.x/255.0.0.0

I've gone through the wizard again, but I don't see an entry to add a subnet mask to the IP group. What have I missed? Thanks in advance.

1 Reply

gfullage
Cisco Employee

You haven't missed anything, there's nowhere to set the mask. The mask that is assigned is always the classful mask, 255.0.0.0 for a Class A address, 255.255.0.0 for a Class B address and so on.

The reason for this is that generally it doesn't matter. The VPN client simply sends everything over the tunnel with its 10.x.x.x address as the source; this then gets routed on your internal network and routed back to the PIX, which then sends it back to your client. The subnet mask never really comes into it.

The only time this causes problems is if you're trying to get to a remote 10.x.x.x address, but your VPN client is sitting on a LAN that happens to be on a 10.x.x.x network also. The Microsoft OS sees this as being local (correctly), and rather than send the packet over the tunnel to the remote 10.x.x.x address, it sends it straight out the local adapter unencrypted, where it usually gets lost.

If this is your case, simply change the IP pool on the PIX to be, say, a 172.16.x.x address. As long as the PIX is your remote network's default gateway, those packets will be routed back to it and the PIX will do the rest. The IP pool can be anything; as long as that pool is eventually routed back to the PIX on your inside network, it'll all work.