02-17-2006 06:29 AM - edited 02-21-2020 02:15 PM
Dear ALL,
I've implemented a VPN PIX-to-Client and it seems to be running ok.
As you can see, the client will get the same inside class address (192.168.100.x), so I can reach systems from everywhere.
My questions are:
1. If I assign the address pool a different subnet, how can I still reach inside systems?
2. If I have other systems on other interfaces, such as dmz1 (192.168.10.0) and dmz2 (192.168.20.0), how can I reach those systems from the same VPN client access?
Regards
Alberto Brivio
ip local pool vpnpool1 192.168.100.70-192.168.100.80
access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 102
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-des esp-md5-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup test address-pool vpnpool1
vpngroup test split-tunnel 102
vpngroup test idle-time 1800
vpngroup test password ********
02-17-2006 11:22 AM
Usually it is better to use another IP address range. The PIX will know that the VPN Client is using that range and route it correctly, which is not the case when you are using the same IP range as the inside interface.
To access another interface, use the NONAT (your ACL 102) access-list that disables NAT between the VPN network and the networks that you want to connect.
Config Example:
access-list NONAT permit ip Internalnet ISubnetMask VPN-Pool 255.255.255.0
access-list NONAT permit ip DMZnet DMZSubnetMask VPN-Pool 255.255.255.0
nat (inside) 0 access-list NONAT
aaa-server LOCAL protocol local
aaa authentication secure-http-client
sysopt connection permit-ipsec
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS
crypto map REMOTE 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map REMOTE client authentication LOCAL
crypto map REMOTE interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ip local pool VPNPool x.y.z.1-x.y.z.254
vpngroup VPNGroup address-pool VPNPool
vpngroup VPNGroup dns-server dns2 dns1
vpngroup VPNGroup default-domain localdomain
vpngroup VPNGroup idle-time 1800
vpngroup VPNGroup password grouppassword
username vpnclient password vpnclient-password
sincerely
Patrick
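As an added check (not from the thread, Patrick's reply, or Cisco), the small Python script below parses a PIX 6.x-style fragment and flags the two things this thread turns on: a VPN pool that overlaps an interface subnet, and a network in the split-tunnel list whose owning interface has no matching "nat (if) 0 access-list" exemption. It goes one step beyond the reply by checking every interface, not only inside, since hosts on a DMZ need their own NAT exemption for return traffic to the clients; the configuration values are constructed for the example, and the "ip address" line format is assumed to be the PIX 6.x form.

```python
import ipaddress
import re

# Constructed PIX 6.x fragment (assumed values, not from the thread): the
# pool is moved off the inside subnet, dmz1 is exempted from NAT, but dmz2
# is in the split-tunnel list without a "nat (dmz2) 0" exemption.
SAMPLE_CONFIG = """
ip address inside 192.168.100.1 255.255.255.0
ip address dmz1 192.168.10.1 255.255.255.0
ip address dmz2 192.168.20.1 255.255.255.0
ip local pool vpnpool1 10.10.10.1-10.10.10.254
access-list 102 permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 102 permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 102 permit ip 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list 102
nat (dmz1) 0 access-list 102
vpngroup test address-pool vpnpool1
vpngroup test split-tunnel 102
"""

def net(addr, mask):
    # ipaddress accepts a dotted netmask after the slash; strict=False tolerates host bits
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_vpn_config(config):
    """Return a list of findings about the pool and NAT-exemption layout."""
    ifaces, pools, acls, nat0, grp = {}, {}, {}, {}, {}
    for line in config.strip().splitlines():
        w = line.split()
        if not w:
            continue
        if w[:2] == ["ip", "address"]:
            ifaces[w[2]] = net(w[3], w[4])
        elif w[:3] == ["ip", "local", "pool"]:
            pools[w[3]] = tuple(ipaddress.ip_address(a) for a in w[4].split("-"))
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            acls.setdefault(w[1], []).append((net(w[4], w[5]), net(w[6], w[7])))
        elif (m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line)):
            nat0[m.group(1)] = m.group(2)           # interface -> exemption ACL
        elif w[0] == "vpngroup":
            grp[w[2]] = w[3]                        # address-pool / split-tunnel -> name
    findings = []
    lo, hi = pools[grp["address-pool"]]
    for name, subnet in ifaces.items():             # point 1: pool must not overlap a subnet
        if lo in subnet or hi in subnet or lo <= subnet[0] <= hi:
            findings.append(f"pool overlaps {name} subnet {subnet}")
    for protected, pool_net in acls.get(grp.get("split-tunnel"), []):   # point 2
        owner = next((n for n, s in ifaces.items() if protected.subnet_of(s)), None)
        if owner is None:
            continue
        exempt = acls.get(nat0.get(owner), [])
        if not any(protected.subnet_of(s) and d.overlaps(pool_net) for s, d in exempt):
            findings.append(f"no nat ({owner}) 0 exemption for {protected}")
    return findings

if __name__ == "__main__":
    for f in check_vpn_config(SAMPLE_CONFIG):
        print(f)
```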