11-17-2004 10:56 AM - edited 02-21-2020 01:27 PM
PLEASE HELP!! THIS IS DRIVING ME NUTS!!
I have a PIX 501 firewall... all is well. Working on this unit I need a total of 3 VPN tunnels, 1 site-to-site and 2 remote site tunnels...
problem 1:
Once the tunnels are created and established, the VPN DHCP gives out the proper address, although it's on a class A (255.0.0.0) network. Mine is a flat class C (255.255.255.0). WHERE CAN THIS BE CHANGED???
problem 2:
Again the tunnels are created and established with the site-to-site wizards. I can access the remote network and ping, telnet, and even remote desktop to the server... the users can't come to me! I have been through this thick and thin and can't find any problems...
ANY HELP WOULD BE GREAT!!!
thanks
christopher ashby
11-17-2004 11:52 AM
problem 1
There is a new feature in 6.3.4 to solve the classful pools. You can now add subnets.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn634.htm#wp137259
Problem 2
Where are the users located? Are they other VPN clients? If so, they will not be able to get to you because the PIX does not redirect traffic out the same interface it was received on.
11-17-2004 12:07 PM
The other users are located on the connecting VPN tunnel. I can connect to him, and ping... telnet... remote desktop, but he can't connect to me. What do you think that is about?
Thanks for correcting problem 1... have you updated to 6.3.4?
11-17-2004 12:28 PM
Why don't you configure, for each VPN connection, another IP pool in a class C network?
vpngroup VPNGroup1 address-pool VPNPool1
ip local pool VPNPool1 192.168.200.1-192.168.200.254
vpngroup VPNGroup2 address-pool VPNPool2
ip local pool VPNPool2 192.168.201.1-192.168.201.254
The problem is that the subnet mask is assigned based on the class (default A, B, or C) of the range you are using.
sincerely
Patrick
11-17-2004 12:50 PM
I would do that, Patrick, although my private network is 10.21.9.x.
11-17-2004 01:21 PM
I am guessing this is a config issue on your side. Do you have 'sysopt connection permit-ipsec' configured, or are you explicitly allowing the remote side of the tunnel into your network via the ACLs on the VPN interface? Or maybe a NAT issue. Can you post your PIX config for review?
Scott
11-18-2004 09:03 AM
I am upgrading my PIX 501 to the latest 6.3.4 IOS version today to address the first issue (problem 1). Later tonight, or first thing tomorrow, I will post my PIX running configuration for you. Thanks for the help.
11-23-2004 07:03 AM
11-24-2004 08:28 AM
access-list (split-tunnel ACL name) permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.0
vpngroup (name) split-tunnel (split-tunnel ACL name)
x = your network that you are giving access to
y = network of the VPN client IP pool
With this command, only traffic going to your network will be passed through the IPSec tunnel. All other traffic will stay on his local network.
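An added example (not from any poster in this thread) that models the two behaviours discussed above: the classful mask a pre-6.3(4) PIX derives for an `ip local pool` (problem 1), and the split-tunnel ACL decision of which client traffic rides the tunnel. The pool and network values are constructed from the thread's own ranges.

```python
import ipaddress

# Added example, not from the thread: models the two behaviours discussed above.

def classful_mask(pool_start: str) -> str:
    """Mask a pre-6.3(4) PIX derived for an 'ip local pool' from the
    address class of the pool's first address (the root of problem 1)."""
    first_octet = int(ipaddress.IPv4Address(pool_start)) >> 24
    if first_octet < 128:
        return "255.0.0.0"        # class A
    if first_octet < 192:
        return "255.255.0.0"      # class B
    if first_octet < 224:
        return "255.255.255.0"    # class C
    raise ValueError("pool must start in a class A/B/C unicast range")

def pool_mask_check(pool_start: str, intended_mask: str):
    """Return (derived_mask, ok): ok is False when the classful mask the
    PIX hands out differs from the mask the admin intends (a flat /24)."""
    derived = classful_mask(pool_start)
    return derived, derived == intended_mask

def tunneled(split_acl, client_ip: str, dest_ip: str) -> bool:
    """Decide whether a client packet rides the IPSec tunnel under a
    split-tunnel ACL. Each entry mirrors
    'access-list <name> permit ip x.x.x.x <mask> y.y.y.y <mask>':
    x = protected network behind the PIX, y = VPN client pool."""
    client = ipaddress.IPv4Address(client_ip)
    dest = ipaddress.IPv4Address(dest_ip)
    for protected_net, pool_net in split_acl:
        if (client in ipaddress.IPv4Network(pool_net)
                and dest in ipaddress.IPv4Network(protected_net)):
            return True
    return False  # everything else stays on the client's local network

if __name__ == "__main__":
    # Constructed values from the thread: the OP's 10.21.9.x range vs Patrick's 192.168.200.x pool
    print(pool_mask_check("10.21.9.100", "255.255.255.0"))     # ('255.0.0.0', False)
    print(pool_mask_check("192.168.200.1", "255.255.255.0"))   # ('255.255.255.0', True)
    acl = [("10.21.9.0/24", "192.168.200.0/24")]
    print(tunneled(acl, "192.168.200.5", "10.21.9.10"))    # True
    print(tunneled(acl, "192.168.200.5", "198.51.100.7"))  # False
```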