Solved

VPN and Local pool using PIX

Posted on 2004-08-26
Last Modified: 2012-05-05
Hello everybody,
I am trying to set up remote access VPN connections for my workers using PPTP from W2K/XP at home. I have a PIX 515 firewall configured with an outside interface with a public IP, X.X.230.64, and an inside interface IP of 192.168.150.4. I understand that after a successful local authentication, the PIX will assign an address from the IP range configured in the local pool.

This is where I still get confused: I see in many PIX configurations that the network of the IPs assigned from the local pool is different from the internal one. Let's say my internal network uses private IPs in the range 192.168.150.0/24. Why do I see, in most local pool configurations, an IP range from a different network, such as: ip local pool pptp-pool 192.169.150.1-192.169.150.50 ??? If the goal of a VPN connection is creating a local network for Internet users, why do I need to assign them an IP which is out of the range of my internal IPs? If I have no internal router (besides the PIX, of course), how can an internal domain be accessed? Hope I've been clear enough....
I understand that this could be a simple question for a VPN expert, but it is fundamental for those who are "VPN fresh meat".
Thank you for your help....
Question by:ggmisadmin
7 Comments

Expert Comment

by:grblades
Hi ggmisadmin,
The issue is that if the VPN assigns an IP address on the internal network, then the PIX also has to listen on all these separate IP addresses on the internal network. Some VPN servers may be designed to work this way, but the PIX is not. The PIX needs to be configured with an IP pool on a different network so that it effectively becomes a router between the internal network and the VPN users. The benefit of this is that, because it is routing traffic between the two networks, you can apply access-lists to control what the VPN users are permitted to access. These access lists can be applied on an individual user basis.

Author Comment

by:ggmisadmin
So... PIX routing is done on the internal interface, which has an internal IP address. Is that true? To control VPN users, where would you apply the access-list? On the internal interface?
Thanks.

Expert Comment
Expert Comment

by:grblades
You can apply an access list on the internal interface, but this only controls machines on the internal network establishing connections to the VPN users. In order to control what individual users are permitted to access, you need a RADIUS server to issue the ACLs. See my website for instructions.
http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
Author Comment

by:ggmisadmin
I like your website, grblades!!
Just one last doubt: once the VPN connection is established, how does the Windows 2000 server allow you to access its network resources if your IP address, assigned by the local pool, belongs to a different network range???
Thanks for everything!!
Accepted Solution

by:grblades (earned 200 total points)
The Windows server would have the IP address of the PIX as its default gateway anyway, as that is the route to the Internet.
If the machine you are connecting from is a member of the AD domain, then it will authenticate fine as long as you have defined that the VPN client should use the internal DNS server, which is normally the case. If the client is not part of the domain, then it is useful to configure a WINS server on the server and set the PIX up to issue that to the client as well. This helps in resolving Windows machine names.
Author Comment

by:ggmisadmin
I am able to create a VPN. When I type ipconfig I see I have an IP address given by the local pool (192.168.151.40), and my internal server has the IP 192.168.150.6. I can ping it but I cannot access it. Am I missing any W2K configuration? How can I access network resources if I have an assigned IP in a different range from the internal network, considering that there are no internal routers?
Thank you!!
Expert Comment

by:grblades
Make sure the internal servers have the IP address of the PIX defined as the default gateway and then it should work.
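Added example (not from the thread or from grblades' site): a PIX 6.x PPTP configuration that puts the pool on a separate network, as the accepted solution describes, so the PIX routes between the VPN users and the inside LAN. It uses the addresses that appear in the thread (inside 192.168.150.0/24, pool 192.168.151.0/24, server 192.168.150.6 as DNS/WINS); the group name, pool name, username and the choice of 192.168.150.6 as the WINS server are assumptions for illustration.

```cisco
! Pool for PPTP clients: a different network from the inside LAN
! (192.168.150.0/24), so the PIX acts as a router between the two.
ip local pool pptp-pool 192.168.151.1-192.168.151.50

! PPTP dial-in group: MS-CHAP authentication, MPPE encryption required
vpdn group pptp-users accept dialin pptp
vpdn group pptp-users ppp authentication mschap
vpdn group pptp-users ppp encryption mppe auto required
vpdn group pptp-users client configuration address local pptp-pool
! Hand the internal DNS server to the client so AD names resolve;
! WINS helps non-domain clients resolve Windows machine names.
vpdn group pptp-users client configuration dns 192.168.150.6
vpdn group pptp-users client configuration wins 192.168.150.6
vpdn group pptp-users pptp echo 60
vpdn group pptp-users client authentication local
! Assumed local user; in production use RADIUS (client authentication aaa)
vpdn username jdoe password examplepassword

! Accept PPTP on the outside interface and let the tunnel bypass
! the outside interface ACL.
vpdn enable outside
sysopt connection permit-pptp

! Do not NAT traffic between the inside LAN and the VPN pool.
access-list nonat permit ip 192.168.150.0 255.255.255.0 192.168.151.0 255.255.255.0
nat (inside) 0 access-list nonat
```

The internal hosts need no route of their own because their default gateway is already the PIX inside address (192.168.150.4); a server pointing elsewhere (or with a host firewall that only trusts 192.168.150.0/24) will answer pings but refuse application traffic from 192.168.151.x, which matches the symptom in the author's last comment. Note that PPTP with MS-CHAP is long obsolete and is shown here only to illustrate the routing point from the thread.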