03-11-2005 09:01 AM - edited 02-21-2020 01:39 PM
I have problems connecting from one ISP because they assign IP addresses 10.28.xxx.16/18.
But the problem is that my VPN (PIX 525) assigns an IP address 10.0.xx.2/8. I suppose the VPN should assign IP addresses 10.0.xx.2/32.
I have subnets on the inside interface (ip address 172.21.xxx.248/16) as this 10.180.xxx.0/24
I can connect from the same ISP to my VPN when they assign an IP address 172.16.xxx.5/24, and I don't have a problem reaching all subnets inside.
I think this is a problem with the subnet mask that my VPN should assign to my client, but I have not found the way to solve this problem.
Thank you for your help.
03-17-2005 07:32 AM
The VPN client takes a classful IP address from the pool defined on the VPN headend device.
03-18-2005 12:27 AM
Can this be changed? I hope so!
I want to add a 24 bit subnet mask to a 10.x.x.x address but can't.
I am running PIX OS 6.3.3 with PDM 3.0.1.
The PDM accepts the subnet mask as an option, but fails when it tries to send the command to the PIX.
This could cause us some big issues if I cannot use a 24 bit mask. We are currently changing from a 192.168.x.x / 24 (class C) style of addressing to a 10.x.x.x /24 (class A) style of addressing.
03-18-2005 01:08 AM
It can't be changed.
Try using 192.168.x/24 for your VPN subnet to solve the problem.
03-18-2005 01:59 AM
I want to use a 10.x.x.x / 24 address.
Not only do I want to, I have to. Our 'big daddy' US owner says we must ;-)
If there is no way around this, then I will have to plan something else.
DOH!
03-18-2005 07:28 AM
That's strange, I have seen other VPN hardware/software that assigns a 32-bit subnet mask for each connection. I don't want to set a site-to-site connection up. These are multiple peer-to-peer connections. I thought all peer-to-peer connections were 32 bits. Will this feature (classful IP address) work fine with routing?
03-18-2005 02:49 PM
I have no experience with PDM, only command line on PIXs. But, generally speaking, the address subnet and the mask applied are completely unrelated. That is, you can use any IP block with a /24 mask, especially across your own private VPN.
I know this doesn't solve the actual problem, but it should be accepted. Perhaps this change could be done by command line rather than PDM.
The concept of 10.0.0.0 belonging only to class A and 192.168.0.0 belonging only to class C went by the wayside with CIDR.
Regards,
~Dan
03-19-2005 01:00 AM
On page 6-22 of the PIX Firewall Command Reference it details the command
ip local pool
it specifies that I should be able to enter the following command
ip local pool
where the
If I try and type the following into my PIX via the CLI it does not accept it
ip local pool vpngroup 10.1.1.10 10.1.1.50 mask 255.255.255.0
I agree with the idea that 10.x.x.x is class A etc has long since gone, but that doesn't explain why my PIX 515 (on PIX OS v6.3.3) does not accept my commands, which in a way is a shame
Thanks to everybody for trying to get this sorted.
03-19-2005 06:23 AM
Strange. I just tried your exact command on my PIX525 (6.3.4) and it worked fine. Some of the documentation refers to using the "netmask" switch, which is wrong - it should be "mask".
Also, according to the command reference, if you do not specify a mask, the PIX by default uses 255.255.255.0.
Hope this helps.
~Dan
03-20-2005 02:40 AM
It did help, sort of.
The answer is to upgrade to the v6.3.4 OS
You cannot enter the
I upgraded to v6.3.4 and the command went straight in. I have tested the change and all the VPN clients connecting get a 24 bit subnet mask.
There we have it, an answer.
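Added example, not part of the thread or of any Cisco tooling: a Python sketch of the address overlap the original poster suspects, comparing the classful mask the replies say the client receives with the /24 mask pushed after the upgrade. The concrete octets (10.0.5.2, 10.28.64.16/18, 172.16.9.5/24) are constructed stand-ins for the masked values in the posts, and treating overlap as the cause of the failure is an assumption.

```python
import ipaddress

def classful_prefix(addr):
    """Prefix length implied by the address class (A=/8, B=/16, C=/24)."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{addr} is class D/E and has no classful mask")

def adapter_network(vpn_addr, prefix=None):
    """Network the VPN adapter treats as on-link.

    prefix=None models the classful behaviour described in the thread;
    an integer models a pool defined with an explicit mask.
    """
    if prefix is None:
        prefix = classful_prefix(vpn_addr)
    return ipaddress.ip_network(f"{vpn_addr}/{prefix}", strict=False)

def conflicts(vpn_addr, isp_lan, prefix=None):
    """True when the adapter network overlaps the client's ISP-side LAN."""
    lan = ipaddress.ip_network(isp_lan, strict=False)
    return adapter_network(vpn_addr, prefix).overlaps(lan)

# Constructed sample values: the thread masks the real octets with "xx".
VPN_ADDR = "10.0.5.2"
ISP_LANS = ["10.28.64.16/18", "172.16.9.5/24"]

def report(prefix=None):
    """Map each sample ISP LAN to whether it collides with the adapter."""
    return {lan: conflicts(VPN_ADDR, lan, prefix) for lan in ISP_LANS}

if __name__ == "__main__":
    print("classful:", adapter_network(VPN_ADDR), report())
    print("mask /24:", adapter_network(VPN_ADDR, 24), report(24))
```

With the classful /8 the adapter network swallows the 10.28.x.x ISP range but not the 172.16.x.x one, which matches the symptom in the first post; with a /24 neither range collides.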