05-30-2002 05:01 AM - edited 02-21-2020 11:46 AM
I have created a tunnel between a VPN client and a PIX with no problem, but there is another network segment behind the PIX, connected through a 2600 router. How can I give the client access to this segment?
I tried the following commands:
-route inside 192.168.1.0 255.255.255.0 172.16.4.19
-access-list nonat permit ip 172.16.4.0 255.255.255.0 192.168.1.0 255.255.255.0
-nat (inside) 0 access-list nonat
I just want to make sure: should the PIX be able to handle this simple routing function or not?
Any suggestion would be appreciated.
05-30-2002 05:59 AM
What is the IP address of the second segment which is connected to the 2600 router? You will need the nonat ACL to include that network segment explicitly as well. Otherwise it won't work.
05-30-2002 06:09 AM
Thanks for your reply, that's what I did. 192.168.1.0 is the network segment behind the router, and the VPN client is actually using a 172.16.4.0 address, the same as the PIX internal network.
So I have the following set up:
access-list nonat permit ip 172.16.4.0 255.255.255.0 172.16.4.0 255.255.255.0
access-list nonat permit ip 172.16.4.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
route inside 192.168.1.0 255.255.255.0 172.16.4.19
172.16.4.19 is one of the ports on the 2600.
Any idea why this doesn't work?
05-30-2002 06:55 AM
OK, please provide info on whether split tunnelling is enabled and, if so, what the ACL is.
Then we will need to look at:
1. The output of show crypto ipsec sa on the PIX.
2. After the VPN client connects, double-click the client icon and, in the tab, look at the networks which have a yellow icon (which should be the networks with which the VPN client exchanges encrypted communications).
Once you are sure from the above two that the SAs are not the problem, then it's likely a routing issue. See if, from a host on the 192.168.1.x network, you can ping hop by hop up to the PIX. The PIX should proxy-ARP for all the IP pool definitions that you have. Let us know how it goes.
05-30-2002 07:19 AM
Hey Vijkrish
Thanks, I got it. I believe the PIX was treating the second segment as outside of the tunnel; after I added the access-list entry corresponding to the split tunnel, it started working! Thank you so much!!!
Since you are here, may I ask you one more question: what if the VPN client is behind a firewall/NAT? What is the requirement to create a tunnel with a PIX located outside? I know a lot of people have asked this before; besides a static mapping on the firewall, are there any other options that I could use to get around this issue?
Thank you so much, I really appreciate it.
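For readers arriving with the same problem, the following is an added example of a complete PIX 6.x configuration that ties together the three pieces this thread converged on: the NAT exemption for the segment behind the router, the static route to the 2600, and a split-tunnel ACL that lists that segment so the client encrypts traffic to it. It is not the original poster's configuration; the addressing follows the thread (inside and client pool in 172.16.4.0/24, second segment 192.168.1.0/24 via 172.16.4.19), while the names vpnpool, clientgroup, split-tunnel, dynmap and clientmap, the pool range, the interface address and the group password are placeholders.

```cisco
! Added example configuration (PIX 6.x), not from the original thread.
! Addressing follows the thread; all names and the pool range are assumptions.

ip address inside 172.16.4.1 255.255.255.0
! Client pool carved out of the inside subnet, as in the thread. The PIX
! proxy-ARPs for these addresses on the inside interface, so inside hosts
! and the 2600 (which is directly connected to 172.16.4.0/24) need no
! extra route back to the clients.
ip local pool vpnpool 172.16.4.200-172.16.4.250

! Static route to the second segment behind the 2600.
route inside 192.168.1.0 255.255.255.0 172.16.4.19 1

! NAT exemption. Source is the protected network, destination is the
! client pool. The second line is the one that was missing for the
! segment behind the router.
access-list nonat permit ip 172.16.4.0 255.255.255.0 172.16.4.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 172.16.4.0 255.255.255.0
nat (inside) 0 access-list nonat

! Split-tunnel ACL. Each source network here is pushed to the client as a
! "secured" route (the yellow-icon networks mentioned above). Without the
! 192.168.1.0 entry the client sends that traffic in the clear and the
! PIX never sees it inside the tunnel.
access-list split-tunnel permit ip 172.16.4.0 255.255.255.0 172.16.4.0 255.255.255.0
access-list split-tunnel permit ip 192.168.1.0 255.255.255.0 172.16.4.0 255.255.255.0

! Group for the Cisco VPN Client; the password is a placeholder.
vpngroup clientgroup address-pool vpnpool
vpngroup clientgroup split-tunnel split-tunnel
vpngroup clientgroup idle-time 1800
vpngroup clientgroup password GROUP_PASSWORD_PLACEHOLDER

! IPsec/IKE. 3DES/SHA and group 2 are what PIX 6.x offered at the time.
! Note that sysopt connection permit-ipsec lets decrypted client traffic
! bypass the outside interface ACL, so what the clients may reach is
! governed only by the split-tunnel and nonat lists above.
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap client configuration address initiate
crypto map clientmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

To confirm the second segment is actually inside the tunnel, check that show crypto ipsec sa on the PIX lists a 192.168.1.0/24 proxy identity for the connected client and that the client's network list shows 192.168.1.0/24 as secured; if only 172.16.4.0/24 appears, the split-tunnel ACL is the first thing to revisit.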
05-30-2002 08:23 AM
Glad it helped. Currently there is no support for IPsec over TCP/UDP on the PIX. If the device the client sits behind is running IOS, some IOS releases have support for handling IPsec through NAT:
IP Security Through Network Address Translation Support
See URL
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/800/rn800xi.htm#xtocid17
For other devices there are currently no options unless you create a static, as you say.