07-29-2005 07:59 AM
Hi,
I've got a problem wrt. remote-access clients coming in via a VPN3000 concentrator and trying to access local Servers.
For the topology:
The internal network is 10.0.1.0/24. It connects to the outside world as well as to the DMZs via a PIX; the PIX has 10.0.1.1 in the internal network.
On the same (internal) LAN I've got the VPN-concentrator with the inside-address 10.0.1.5. It assigns addresses in the range 10.0.100.0/24 to the
VPN client-PCs.
I can successfully connect using the VPN client-SW to the concentrator, i.e. the remote-access-clients get addresses out of the 10.0.100.0/24 range.
The problem: Access from the VPN-clients to the internal network is *not* possible; for example a client with 10.0.100.1 can't connect to
internal server 10.0.1.28.
To my understanding this is a routing problem since the Server (10.0.1.28) has no idea on how to reach the clients in
10.0.100.0/24. The only thing the server has is a static default route pointing to the PIX, i.e. 10.0.1.1.
So I set up a static route on the PIX for 10.0.100.0 pointing towards the VPN-Concentrator, i.e.
route mylan 10.0.100.0 255.255.255.0 10.0.1.5 1
This didn't solve my problem however.
In the PIX logs I see entries like the following:
%PIX-3-106011: Deny inbound (No xlate) tcp src intern:10.0.1.28 (atlas) /445 dst intern:10.0.100.1 (unresolved) /1064
So the PIX seems to drop the return-packets, i.e. the traffic from the server back to the client.
To my understanding the problem seems to be:
Traffic runs VPN-client -> VPN-Concentrator -> Server -> PIX - where it gets dropped.
My reasoning behind: The PIX only sees the return-packet, i.e. the packet going back from the server towards the client - and hence drops the
packet because it hasn't seen the packet coming from the client to the server.
So here are my questions:
o) How do I set up the PIX so that I get connectivity between my remote VPN-clients (10.0.100.0/24) and
the servers/machines on the local LAN (10.0.1.0/24)?
o) Has anybody else got something like this going?
PS: Please note that the obvious first idea, installing static routes on every machine on the local LAN is not an option here.
Thanks a lot in advance for your help,
-ewald
08-03-2005 04:05 AM
Hello, since the PIX can not route traffic on the same interface (prior to version 7.0 anyway), I suggest you either place your concentrator on the outside with the inside leg on a DMZ or (if you can not do a network redesign) you delete your pool with 10.0.100.0-addresses and create a pool with 10.0.1.0-addresses that is a part of the inside address-space. NOT all of it. Reserve a bit that is not used inside.
Best Regards
Robert Maras
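Added example (not from the original thread or either poster): what the first of the two suggestions above looks like on the PIX when the concentrator's public interface is moved onto the outside segment and its private interface onto a new DMZ. All values beyond the thread's own (10.0.1.0/24 inside, 10.0.1.1 PIX, 10.0.100.0/24 pool) are assumptions: a third interface ethernet2 named "dmz" on 10.0.2.0/24, the PIX at 10.0.2.1, the concentrator's private leg at 10.0.2.5. The syntax is PIX 6.x; the lines starting with "!" are annotations to strip before pasting.

```cisco
! Third interface becomes the DMZ that carries the concentrator's private leg.
! Assumed addressing: 10.0.2.0/24, PIX = 10.0.2.1, concentrator = 10.0.2.5.
nameif ethernet2 dmz security50
ip address dmz 10.0.2.1 255.255.255.0

! Return path. The servers' default route points at the PIX (10.0.1.1), so the
! PIX must know that the client pool is reached via the concentrator's DMZ leg.
route dmz 10.0.100.0 255.255.255.0 10.0.2.5 1

! Identity static: inside addresses are reachable from the DMZ without
! translation. One static covers both directions of the flow.
static (inside,dmz) 10.0.1.0 10.0.1.0 netmask 255.255.255.0 0 0

! dmz (50) is lower security than inside (100), so client-to-server traffic
! needs an explicit ACL. Restrict it to the pool and the LAN; do not use
! "permit ip any any" here.
access-list dmz_in permit ip 10.0.100.0 255.255.255.0 10.0.1.0 255.255.255.0
access-group dmz_in in interface dmz
```

Why this fixes the "Deny inbound (No xlate)" drop: with this layout both halves of every connection cross the PIX (client to server enters on dmz and leaves on inside; the reply enters on inside and leaves on dmz via the route above), so the PIX builds its connection entry on the first packet and the reply matches it. The concentrator also needs, on its private interface, a static route for 10.0.1.0/24 pointing at 10.0.2.1; because its public interface now sits outside the PIX, no IPsec ports have to be opened on the PIX for it. The second suggestion in the post (a pool carved out of unused 10.0.1.0/24 space) needs no PIX change at all: the server then resolves the client address by ARP on the local segment, which the concentrator answers for its pool, instead of sending the reply to its default gateway, so the PIX never sees the flow.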