• Status: Solved

VPN and Local pool using PIX

Hello everybody,
I am trying to set up remote access VPN connections for my workers using PPTP from W2K/XP at home. I have a PIX 515 firewall configured with an outside interface with a public IP, X.X.230.64, and an inside interface IP of 192.168.150.4. I understand that after a successful local authentication, the PIX will assign an address from the IP range configured in the local pool. And this is where I still get confused: I see in many PIX configurations that the network of the IPs assigned from the local pool is different from the internal one. Let's say my internal network uses private IPs in the range 192.168.150.0/24; why, in most local pool configurations, do I see an IP range from a different network, such as: ip local pool pptp-pool 192.169.150.1-192.169.150.50 ??? If the goal of a VPN connection is creating a local network for Internet users, why do I need to assign them an IP which is out of range from my internal IPs?? If I have no internal router (besides the PIX, of course), how can an internal domain be accessed? Hope I've been clear enough....
I understand that this could be a simple question for a VPN expert, but it is fundamental for those who are "VPN fresh meat".
Thank you for your help....
Asked by: ggmisadmin
1 Solution
 
grblades commented:
Hi ggmisadmin,
The issue is that if the VPN assigns an IP address on the internal network then the PIX has to also listen on all these separate IP addresses on the internal network. Some VPN servers may be designed to work this way but the PIX is not. The PIX needs to be configured with an IP pool on a different network so that effectively it becomes a router between the internal network and the VPN users. The benefit of this is that because it is routing traffic between the two networks you can apply access-lists to control what the VPN users are permitted to access. These access lists can be applied on an individual user basis.
 
ggmisadmin (Author) commented:
So... PIX routing is done on the internal interface which has an internal IP address... is that true? To control VPN users, where would you apply the access-list? On the internal interface?
Thanks.
 
grblades commented:
You can apply an access list on the internal interface but this only controls machines on the internal network establishing connections to the VPN users. In order to control what individual users are permitted to access you need a RADIUS server to issue the ACLs. See my website for instructions.
http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
 
ggmisadmin (Author) commented:
I like your website, grblades!!
Just one last doubt: Once the VPN connection is established, how does a Windows 2000 server allow you to access its network resources if your IP address, assigned by the local pool, belongs to a different network range???
Thanks for everything!!
 
grblades commented:
The Windows server would have the IP address of the PIX as its default gateway anyway, as that is the route to the Internet.
If the machine you are connecting from is a member of the AD domain then it will authenticate fine as long as you have defined that the VPN client should use the internal DNS server, which is normally the case. If the client is not part of the domain then it is useful to configure a WINS server on the server and set the PIX up to issue that to the client as well. This helps in resolving Windows machine names.
 
ggmisadmin (Author) commented:
I am able to create a VPN. When I type ipconfig I see I have an IP address given by the local pool (192.168.151.40) and my internal server has the IP 192.168.150.6. I can ping it but I cannot access it. Am I missing any W2K configuration? How can I access network resources if I have an assigned IP from a different range than the internal network, considering that there are no internal routers?
Thank you!!
 
grblades commented:
Make sure the internal servers have the IP address of the PIX defined as the default gateway and then it should work.
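As an added illustration (not part of the original thread and not grblades' or Cisco's published configuration), here is the shape of a PIX 6.x PPTP configuration that follows the advice above: the client pool sits on its own /24 (192.168.151.0/24, matching the address the author saw in ipconfig), the PIX routes between that pool and the inside LAN, and traffic between the two networks is exempted from NAT so the VPN users reach internal hosts with their real addresses. The inside address 192.168.150.4 and the pool come from the thread; the outside address is left as the placeholder X.X.230.64; the vpdn group number, the username, the access-list name "nonat" and the DNS/WINS server address 192.168.150.6 are assumptions.

```cisco
! Interface addresses (inside 192.168.150.4 from the question;
! the public outside address is a placeholder)
ip address outside X.X.230.64 255.255.255.0
ip address inside 192.168.150.4 255.255.255.0

! PPTP client pool on a DIFFERENT network from the inside LAN.
! The PIX then routes between 192.168.151.0/24 and 192.168.150.0/24.
ip local pool pptp-pool 192.168.151.1-192.168.151.50

! Do not NAT traffic between the inside LAN and the VPN pool
! (access-list name "nonat" is an assumption)
access-list nonat permit ip 192.168.150.0 255.255.255.0 192.168.151.0 255.255.255.0
nat (inside) 0 access-list nonat

! PPTP server (vpdn) settings; group number 1 is arbitrary
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local pptp-pool
! Hand the internal DNS and WINS server (assumed 192.168.150.6) to clients
! so domain logon and Windows name resolution work over the tunnel
vpdn group 1 client configuration dns 192.168.150.6
vpdn group 1 client configuration wins 192.168.150.6
vpdn group 1 client authentication local
vpdn username worker1 password <strong-password>
vpdn enable outside

! Allow the PPTP control channel and GRE to terminate on the PIX
! without a separate entry in the outside access-list
sysopt connection permit-pptp
```

Two checks worth doing after applying something like this. First, on each inside server run `route print` (Windows) and confirm that the default gateway is 192.168.150.4, or that there is a static route for 192.168.151.0/24 via it; the symptom in the thread (ping works from the client, but no file or domain access) is also what you see when the server's replies go to a different gateway and only some traffic makes it back. Second, `show ip local pool pptp-pool` on the PIX shows which pool addresses are in use and confirms the client really received an address from the separate subnet. Note that PPTP with MS-CHAP and MPPE is considered weak by today's standards; it was common for this generation of firewall, but where clients support it, an IPsec remote-access VPN is the better choice.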
