VPN-Concentrator+PIX on local LAN -> clients can't reach local servers

ewald.jenisch
Level 1

Hi,

I've got a problem wrt. remote-access clients coming in via a VPN3000 concentrator and trying to access local Servers.

For the topology:

The internal network is 10.0.1.0/24. It connects to the outside world as well as to the DMZs via a PIX; the PIX has 10.0.1.1 in the internal network.

On the same (internal) LAN I've got the VPN concentrator with the inside address 10.0.1.5. It assigns addresses in the range 10.0.100.0/24 to the VPN client PCs.

I can successfully connect using the VPN client software to the concentrator, i.e. the remote-access clients get addresses out of the 10.0.100.0/24 range.

The problem: Access from the VPN clients to the internal network is *not* possible; for example a client with 10.0.100.1 can't connect to internal server 10.0.1.28.

To my understanding this is a routing problem since the server (10.0.1.28) has no idea how to reach the clients in 10.0.100.0/24. The only thing the server has is a static default route pointing to the PIX, i.e. 10.0.1.1.

So I set up a static route on the PIX for 10.0.100.0 pointing towards the VPN-Concentrator, i.e.

route mylan 10.0.100.0 255.255.255.0 10.0.1.5 1

This didn't solve my problem however.

In the PIX logs I see entries like the following:

%PIX-3-106011: Deny inbound (No xlate) tcp src intern:10.0.1.28 (atlas) /445 dst intern:10.0.100.1 (unresolved) /1064

So the PIX seems to drop the return packets, i.e. the traffic from the server back to the client.

To my understanding the problem seems to be:

Traffic runs VPN-client -> VPN-Concentrator -> Server -> PIX - where it gets dropped.

My reasoning behind this: The PIX only sees the return packet, i.e. the packet going back from the server towards the client, and hence drops the packet because it hasn't seen the packet coming from the client to the server.

So here are my questions:

o) How do I set up the PIX so that I get connectivity between my remote VPN clients (10.0.100.0/24) and the servers/machines on the local LAN (10.0.1.0/24)?

o) Has anybody else got something like this going?

PS: Please note that the obvious first idea, installing static routes on every machine on the local LAN is not an option here.

Thanks a lot in advance for your help,

-ewald

Accepted Solution

maraz
Level 1

Hello,

Since the PIX cannot route traffic on the same interface (prior to version 7.0 anyway), I suggest you either place your concentrator on the outside with the inside leg on a DMZ or (if you cannot do a network redesign) delete your pool with 10.0.100.0 addresses and create a pool with 10.0.1.0 addresses that is a part of the inside address space. NOT all of it. Reserve a bit that is not used inside.

Best Regards

Robert Maras


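The asymmetric path described in the question, and the two fixes proposed in the reply, traced in a small Python model. This is an added example, not code from the thread or from Cisco. It treats the PIX as a stateful firewall that (before 7.0) will not send a packet back out the interface it arrived on and only passes replies to flows it has already tracked, and treats the concentrator as a device that proxy-ARPs for a pool carved out of its own LAN. Everything the post does not give is assumed: the 10.0.1.224/27 inside pool, the 172.16.1.0/24 DMZ with the PIX at 172.16.1.1, and an access list permitting the pool into the inside for the DMZ variant.

```python
"""Toy hop-by-hop trace of the VPN client <-> server path in this thread's topology.
Added example, not PIX or VPN 3000 code. It models the rule the reply relies on: a pre-7.0
PIX will not forward a packet back out the interface it arrived on, and it passes a reply
only for a flow it already tracks. Pool 10.0.1.224/27, DMZ 172.16.1.0/24 and the permit
for pool -> inside traffic are assumptions, not from the post."""
import ipaddress
from collections import namedtuple

IP, Net = ipaddress.IPv4Address, ipaddress.IPv4Network
Packet = namedtuple("Packet", "src dst sport dport")


class Segment:
    """One broadcast domain: who answers ARP for an address, directly or by proxy."""
    def __init__(self, name, prefix):
        self.name, self.prefix, self.hosts, self.proxies = name, Net(prefix), {}, {}
    def arp(self, ip):
        if str(ip) in self.hosts:
            return self.hosts[str(ip)]
        return next((dev for net, dev in self.proxies.items() if ip in net), None)


class Host:
    """Plain LAN host (the server): one address, one default gateway."""
    def __init__(self, name, ip, seg, gw):
        self.name, self.ip, self.seg, self.gw = name, IP(ip), seg, IP(gw)
        seg.hosts[ip] = self
    def send(self, pkt):                          # on-link destinations are ARPed for directly
        nh = pkt.dst if pkt.dst in self.seg.prefix else self.gw
        return self.seg.arp(nh), self.seg
    def receive(self, pkt, seg):
        return f"delivered to {self.name}" if pkt.dst == self.ip else f"{self.name}: not for me"


class Concentrator(Host):
    """VPN 3000: puts client packets onto its inside leg, tunnels replies back to clients."""
    def __init__(self, name, ip, seg, gw, pool):
        super().__init__(name, ip, seg, gw)
        self.pool = Net(pool)
        if self.pool.subnet_of(seg.prefix):       # pool carved from the LAN: proxy-ARP for it
            seg.proxies[self.pool] = self
    def receive(self, pkt, seg):
        return (f"delivered to client {pkt.dst} via tunnel" if pkt.dst in self.pool
                else f"{self.name}: dropped {pkt.dst}")


class PIX:
    """Stateful firewall. ifaces: name -> (segment, ip, security level)."""
    def __init__(self, name, ifaces, routes, permit_from=()):
        self.name, self.ifaces, self.conns = name, ifaces, set()
        self.permit_from = [Net(n) for n in permit_from]      # sources allowed low -> high security
        connected = [(s.prefix, None, n) for n, (s, _, _) in ifaces.items()]
        self.routes = sorted(connected + routes, key=lambda r: -r[0].prefixlen)  # longest prefix first
        for seg, ip, _ in ifaces.values():
            seg.hosts[str(ip)] = self
    def receive(self, pkt, seg):
        in_if = next(n for n, (s, _, _) in self.ifaces.items() if s is seg)
        out_if, nh = next((i, n) for net, n, i in self.routes if pkt.dst in net)  # StopIteration: no route
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) not in self.conns:   # not a reply to a tracked flow
            if out_if == in_if:                   # pre-7.0: no forwarding back out the same interface
                return (f"%PIX-3-106011: Deny inbound (No xlate) tcp src {in_if}:{pkt.src}/{pkt.sport}"
                        f" dst {in_if}:{pkt.dst}/{pkt.dport}")
            if not (self.ifaces[in_if][2] > self.ifaces[out_if][2]
                    or any(pkt.src in n for n in self.permit_from)):
                return f"{self.name}: deny {in_if}->{out_if} for {pkt.src}, no access-list"
            self.conns.add(flow)                  # new permitted flow: remember it for the reply
        out_seg = self.ifaces[out_if][0]
        return out_seg.arp(pkt.dst if nh is None else nh), out_seg


def trace(pkt, sender):
    """Follow one packet hop by hop; returns (device names visited, verdict)."""
    hops, (dev, seg) = [sender.name], sender.send(pkt)
    while dev is not None:
        hops.append(dev.name)
        step = dev.receive(pkt, seg)
        if isinstance(step, str):
            return hops, step
        dev, seg = step
    return hops, f"no ARP reply on {seg.name}"


def run(scenario):
    """Build one scenario and trace a client -> server SMB flow in both directions."""
    lan, dmz = Segment("intern", "10.0.1.0/24"), Segment("dmz", "172.16.1.0/24")
    server, routes, permit = Host("atlas", "10.0.1.28", lan, "10.0.1.1"), [], ()
    if scenario == "original":       # as posted: concentrator on the inside LAN, static route on PIX
        vpn = Concentrator("vpn3000", "10.0.1.5", lan, "10.0.1.1", "10.0.100.0/24")
        routes.append((Net("10.0.100.0/24"), IP("10.0.1.5"), "intern"))
    elif scenario == "inside_pool":  # fix 2: pool carved out of 10.0.1.0/24, PIX never sees the flow
        vpn = Concentrator("vpn3000", "10.0.1.5", lan, "10.0.1.1", "10.0.1.224/27")
    else:                            # fix 1: inside leg on a DMZ, so the PIX sees both directions
        vpn = Concentrator("vpn3000", "172.16.1.5", dmz, "172.16.1.1", "10.0.100.0/24")
        routes.append((Net("10.0.100.0/24"), IP("172.16.1.5"), "dmz"))
        permit = ("10.0.100.0/24",)
    PIX("pix", {"intern": (lan, IP("10.0.1.1"), 100), "dmz": (dmz, IP("172.16.1.1"), 50)}, routes, permit)
    client = vpn.pool[1]             # first usable pool address, e.g. 10.0.100.1
    return (trace(Packet(client, server.ip, 1064, 445), vpn),
            trace(Packet(server.ip, client, 445, 1064), server))
```

run("original") reproduces the posted 106011 log line on the server-to-client leg: the only device that sees the flow is the PIX, and it sees only the reply, arriving on and routed back to the inside interface. run("inside_pool") never touches the PIX, because the server resolves the client address on-link and the concentrator answers the ARP for the carved-out pool. run("dmz_leg") makes both directions cross the PIX, so the return packet matches the connection created by the forward one; note that this variant additionally needs the pool permitted from the DMZ into the inside, which the reply does not spell out.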