05-06-2008 07:18 AM
I'm trying to set up a VPN server in an existing LAN and am having some problems.
Let's assume that my network is 129.1.0.0/16 and they are all public IPs,
but it has a firewall at 129.1.0.1/24
and two other existing subnets behind the firewall that I have physical access to.
They are 129.1.1.0/24 and 129.1.2.0/24.
Yes, we use public IPs behind the firewall as well.
They both are connected to the firewall via 129.1.1.1 and 129.1.2.1.
I'm testing a separate VPN server (PIX 525 v8.03) with the following config, and this one is used for client VPN only.
outside 129.1.1.100
inside 129.1.2.200
default gateway 129.1.1.1
VPN IP pool is 129.1.2.201-240
Users from home can connect and get an IP address from the VPN pool but can't access anything other than 129.1.2.0/24.
They can't get to the internet or any other subnet.
I have allowed everything to go through the firewall, but still something is blocking.
Any ideas?
I have tried to use a private IP for inside like 10.0.0.0/24 with the same result.
One strange thing:
on one client machine the default gateway is the same as the assigned IP.
On another client machine the default gateway is normal, like 129.1.2.1,
but they both show the same behavior of not being able to connect outside of their own assigned subnet.
05-07-2008 04:07 AM
For this network, the best idea is to have clients remote into a terminal server and then they can get to the internet. This is very secure although it is a hassle.
Are you using a proxy server for internet connection? Try pointing the clients to the proxy.
Split-tunneling? Split-tunneling allows users to VPN and use the internet, but is not as secure.
05-07-2008 04:49 AM
If you test your connection from your DMZ, can you see your DNS server? Try nslookup.
As far as subnets, you need to add static routes for the users to get to different subnets.
Can you post your configuration?