VPN Client DHCP POOLS~~???

whimpyred
Level 1

PLEASE HELP!! THIS IS DRIVING ME NUTS!

I have a PIX 501 firewall... all is well. Working on this unit I need a total of 3 VPN tunnels, 1 site-to-site and 2 remote-site tunnels...

problem 1:

Once the tunnels are created and established, the VPN DHCP gives out the proper address, although it's on a class A (255.0.0.0) network. Mine is a flat class C (255.255.255.0). WHERE CAN THIS BE CHANGED???

problem 2:

Again the tunnels are created and established with the site-to-site wizards. I can access the remote network and ping, telnet, and even Remote Desktop to the server... the users can't come to me! I have been through this thick and thin and can't find any problems...

ANY HELP WOULD BE GREAT!!!

thanks

christopher ashby

8 Replies

jay_colby
Level 1

problem 1

There is a new feature in 6.3.4 to solve the classful pools. You can now add subnets.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn634.htm#wp137259

Problem 2

Where are the users located? Are they other VPN clients? If so, they will not be able to get to you, because the PIX does not redirect traffic on the same interface it was received on.

The other users are located on the connecting VPN tunnel. I can connect to him, and ping... telnet... Remote Desktop, but he can't connect to me. What is that about, do you think?

Thanks for correcting problem 1... have you updated to 6.3.4?

Why don't you configure a separate IP pool in a class C network for each VPN connection?

vpngroup VPNGroup1 address-pool VPNPool1

ip local pool VPNPool1 192.168.200.1-192.168.200.254

vpngroup VPNGroup2 address-pool VPNPool2

ip local pool VPNPool2 192.168.201.1-192.168.201.254

The problem is that the subnet mask is assigned based on the class (default A, B, or C) of the range you are using.

sincerely

Patrick

I would do that, Patrick, although my private network is 10.21.9.x.

I am guessing this is a config issue on your side. Do you have 'sysopt connection permit-ipsec' configured, or are you explicitly allowing the remote side of the tunnel into your network via the ACLs on the VPN interface? Or maybe a NAT issue. Can you post your PIX config for review?

Scott

I am upgrading my PIX 501 to the latest 6.3.4 IOS version today to address the first issue (problem 1). I will post my PIX running configuration for you later tonight, or first thing tomorrow. Thanks for the help.

OK... I have successfully completed the upgrade to 6.3.4 on my PIX, which corrected my DHCP pool issue. Now my problem is when a client connects to the PIX with the Cisco VPN Client software from their network, they cannot use their internal network... What am I missing?

access-list (split-tunnel ACL name) permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.0

vpngroup (name) split-tunnel (split-tunnel ACL name)

x = your network that you are giving access to

y = network of VPN client IP pool

With this command, only traffic going to your network will be passed through the IPSec tunnel. All other traffic will stay on the client's local network.
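The two mechanisms discussed in this thread, the classful default mask that a pool address picks up (Patrick's point about choosing class C pool ranges) and the split-tunnel ACL that decides which destinations the client sends through the tunnel, can be modelled in a few lines. The following Python is an added example written for this page, not code from the thread or from Cisco; the function names, the ACL name `split`, and the sample addresses are assumptions, with the 10.21.9.x internal network and the 192.168.200.x / 192.168.201.x pools taken from the posts above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

def classful_prefixlen(addr: str) -> int:
    """Prefix length an RFC 791 classful host assumes for addr (A=/8, B=/16, C=/24)."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{addr} is class D/E and has no default mask")

def classful_pool_network(pool_start: str) -> ipaddress.IPv4Network:
    """Network a VPN client derives from its pool address when only the class sets the mask."""
    return ipaddress.IPv4Network(f"{pool_start}/{classful_prefixlen(pool_start)}", strict=False)

def pool_mask_mismatch(pool_start: str, intended_prefixlen: int) -> bool:
    """True when the classful mask differs from the mask the administrator intends.

    A 10.21.9.x pool is class A, so a classful client ends up with 255.0.0.0 (the
    symptom in problem 1); a 192.168.200.x pool is class C and gets 255.255.255.0.
    """
    return classful_prefixlen(pool_start) != intended_prefixlen

@dataclass(frozen=True)
class SplitTunnelAce:
    """One 'permit ip X XMASK Y YMASK' entry: X = protected LAN, Y = client pool."""
    protected: ipaddress.IPv4Network
    pool: ipaddress.IPv4Network

def parse_ace(line: str) -> SplitTunnelAce:
    """Parse a PIX-style split-tunnel ACE written as 'access-list NAME permit ip X XMASK Y YMASK'."""
    parts = line.split()
    if len(parts) != 8 or parts[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    protected = ipaddress.IPv4Network(f"{parts[4]}/{parts[5]}", strict=False)
    pool = ipaddress.IPv4Network(f"{parts[6]}/{parts[7]}", strict=False)
    return SplitTunnelAce(protected, pool)

def parse_acl(lines: Iterable[str]) -> List[SplitTunnelAce]:
    return [parse_ace(l) for l in lines if l.strip()]

def goes_through_tunnel(aces: List[SplitTunnelAce], client_ip: str, dst_ip: str) -> bool:
    """Does a packet from a client at client_ip to dst_ip match the split-tunnel ACL?

    Only destinations inside a protected network, for a client whose address is in
    the matching pool, are tunnelled; everything else stays on the client's LAN.
    """
    client = ipaddress.IPv4Address(client_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    return any(client in ace.pool and dst in ace.protected for ace in aces)

# Constructed sample ACL (hypothetical name 'split'), one ACE per client pool.
SAMPLE_ACL = [
    "access-list split permit ip 10.21.9.0 255.255.255.0 192.168.200.0 255.255.255.0",
    "access-list split permit ip 10.21.9.0 255.255.255.0 192.168.201.0 255.255.255.0",
]

if __name__ == "__main__":
    print("10.21.9.1 pool  ->", classful_pool_network("10.21.9.1"))
    print("192.168.200.1 pool ->", classful_pool_network("192.168.200.1"))
    aces = parse_acl(SAMPLE_ACL)
    for client, dst in [("192.168.200.10", "10.21.9.50"),     # office server: tunnel
                        ("192.168.200.10", "192.168.1.20"),   # client's own LAN: local
                        ("192.168.200.10", "8.8.8.8")]:       # internet: local
        print(f"{client} -> {dst}: {'tunnel' if goes_through_tunnel(aces, client, dst) else 'local'}")
```

The pool check explains why moving the pools to 192.168.200.x and 192.168.201.x sidesteps the pre-6.3.4 mask behaviour, and the ACL evaluator shows the split-tunnel property that fixed the last poster's issue: with only the office network listed, a client's own LAN and internet traffic never enters the tunnel, so nothing in the ACL stops the client from reaching its local printers or gateway.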