cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
412
Views
0
Helpful
5
Replies

VPN Client 3.5.X to PIX 506/access to different network behind router

tkpsimon
Level 1
Level 1

I have created a tunnel between a VPN client and PIX with no problem but there is another network segment behind the PIX which connected with a router 2600, how can i have the client access to this segment.

i try the following command,

-route inside 192.168.1.0 255.255.255.0 172.16.4.19

-access-list nonat permit ip 172.16.4.0 255.255.255.0 192.168.1.0 255.255.255.0

-nat (inside) 0 access-list nonat

just want to make sure, PIX should be able to handle this simple routing function or not.

any suggestion would be appreciate

5 Replies 5

vijkrish
Cisco Employee
Cisco Employee

What is the IP address of the second segment which is connected to the router 2600 ? You will need nonat ACL to include that network segment explicitly as well. Otherwise it won't work

thanks for your reply, that's what i did 192.168.1.0 is the network segment which behind the router. and vpn client is actually using 172.16.4.0 address, same is the PIX internal.

so i have the following set up

access-list nonat permit ip 172.16.4.0/24 172.16.4.0/24

access-list nonat permit ip 172.16.4.0/24 192.168.1.0/24

nat (inside) 0 access-list nonat

route inside 192.168.1.0/24 172.16.4.19

172.16.4.19 is one of the port for 2600.

any idea why this doesn't work?

ok, pls. provide info. whether split tunnel is enabled and if so what the ACL is.

Then we will need to look at:

1. show crypto ipsec sa

output on the PIX

2. After VPN client connects double click the client icon and in the tab, look at the networks which have a yellow icon (which should be the networks with which vpn client should exchange encrypted communications).

once you are sure from above 2 that the SAs are not the problem, then it's likely a routing issue. See if from one of the 192.168.1.x network if you can

ping hop by hop upto the PIX. PIX should proxy arp for all the IP pool definitions that you have. Let us know how it goes.

Hey Vijkrish

thanks, I got it, i believe the PIX is treating the second segment as outside of the tunnel, after i add the access-list which co-respond with the split tunnel, it's start working.! thank you so much!!!

since you are here, may i ask you one more question, what if the vpn client is behind a firewall/NAT, what is the requirement to create a tunnel with PIX which located at outside, i know a lot of people has ask this before, beside static mapping on the firewall, are there any other options that i could get around this issue?

thank you so much, i really appreciate it.

Glad it helped. Currently there is no support for IPSec over TCP/UDP on the PIX. If the device behind which the client is IOS, in some IOS releases IOS got support for IPSec to be handled.

IP Security Through Network Address Translation Support

See URL

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/800/rn800xi.htm#xtocid17

For other devices currently there are no options unless you create a static as you say..