VPN and Local pool using PIX

Posted on 2004-08-26
Last Modified: 2012-05-05
Hello everybody,
I am trying to set up remote access VPN connections for my workers using PPTP W2K/XP from home. I have a PIX 515 firewall configured with an outside interface with a public IP: X.X.230.64 and inside interface IP: 192.168.150.4. I understand that after a successful local authentication, PIX will assign an address from the IP range configured in the local pool. And this is where I still get confused: I see in many PIX configurations that the assigned network IPs in the local pool are different from the internal one. Let's say my internal network uses private IPs in the range 192.168.150.0/24; why do I see in most local pool configurations an IP range of a different network, such as: ip local pool pptp-pool 192.169.150.1-192.169.150.50 ??? If the goal of a VPN connection is creating a local network for internet users, why do I need to assign them an IP which is out of range from my internal IPs ??. If I have no internal router (besides the PIX, of course), how can an internal domain be accessed ? Hope I've been clear enough....
I understand that this could be a simple question for a VPN expert, but it is fundamental for those who are "VPN fresh meat".
Thank you for your help....
Question by:ggmisadmin
Expert Comment

by:grblades
ID: 11910970
Hi ggmisadmin,
The issue is that if the VPN assigns an IP address on the internal network then the PIX has to also listen on all these separate IP addresses on the internal network. Some VPN servers may be designed to work this way but the PIX is not. The PIX needs to be configured with an IP pool on a different network so that effectively it becomes a router between the internal network and the VPN users. The benefit of this is that because it is routing traffic between the two networks you can apply access-lists to control what the VPN users are permitted to access. These access lists can be applied on an individual user basis.

Author Comment

by:ggmisadmin
ID: 11912328
So... PIX routing is done on the internal interface, which has an internal IP address... is that true? To control VPN users, where would you apply the access-list? On the internal interface?
Thanks.

Expert Comment

by:grblades
ID: 11912421
You can apply an access list on the internal interface but this only controls machines on the internal network establishing connections to the VPN users. In order to control what individual users are permitted to access you need a RADIUS server to issue the ACLs. See my website for instructions.
http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html

Author Comment

by:ggmisadmin
ID: 11914978
I like your web, grblades!!
Just one last doubt: Once the VPN connection is established, how does Windows 2000 Server allow you to access its network resources if your IP address, assigned by the local pool, belongs to a different network range???
Thanks for everything!!

Accepted Solution

by: grblades (earned 800 total points)
ID: 11918075
The Windows server would have the IP address of the PIX as its default gateway anyway, as that is the route to the Internet.
If a machine you are connecting is a member of the AD domain then it will authenticate fine as long as you have defined that the VPN client should use the internal DNS server, which is normally the case. If the client is not part of the domain then it is useful to configure a WINS server on the server and set the PIX up to issue that to the client as well. This helps in resolving Windows machine names.

Author Comment

by:ggmisadmin
ID: 11918113
I am able to create a VPN. When I type ipconfig I see I have an IP address given by the local pool (192.168.151.40) and my internal server has the IP 192.168.150.6. I can ping it but I cannot access it. Am I missing any W2K configuration? How can I access network resources if I have an assigned IP in a different range from the internal network, considering that there are no internal routers?
Thank you!!

Expert Comment

by:grblades
ID: 11918159
Make sure the internal servers have the IP address of the PIX defined as the default gateway and then it should work.
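The PIX 6.x PPTP setup that grblades describes in the thread (a pool on its own subnet so the PIX routes between VPN users and the LAN, plus the default-gateway requirement from the accepted solution), written out as an added example that is not from the question or the answers. Addresses come from the thread; the DNS/WINS server address, the user name and the group name are assumptions, and the password is a placeholder.

```cisco
! "!" lines are annotations for the reader, not PIX configuration.
! Inside LAN 192.168.150.0/24 and PIX inside address 192.168.150.4 are
! from the thread; 192.168.150.6 as DNS/WINS server is an assumption.

! Client pool on a separate subnet: the PIX does not have to answer for
! inside addresses, it simply routes between 192.168.151.0/24 and the LAN.
ip local pool pptp-pool 192.168.151.1-192.168.151.50

! No NAT between the inside LAN and VPN clients (both sides are private).
access-list nonat permit ip 192.168.150.0 255.255.255.0 192.168.151.0 255.255.255.0
nat (inside) 0 access-list nonat

! Allow PPTP (TCP/1723 + GRE) to terminate on the outside interface.
! Caveat: this lets PPTP traffic bypass the outside interface's access lists,
! so client access to the LAN is controlled by per-user (RADIUS) ACLs.
sysopt connection permit-pptp

! PPTP server: MS-CHAP only, MPPE encryption required, local users.
vpdn group pptp accept dialin pptp
vpdn group pptp ppp authentication mschap
vpdn group pptp ppp encryption mppe auto required
vpdn group pptp client configuration address local pptp-pool
vpdn group pptp client configuration dns 192.168.150.6
vpdn group pptp client configuration wins 192.168.150.6
vpdn group pptp client authentication local
vpdn username vpnuser1 password REPLACE_WITH_STRONG_PASSWORD
vpdn enable outside

! Not configurable on the PIX, but required for the reply path: every
! inside server must use 192.168.150.4 (the PIX) as its default gateway,
! otherwise packets for 192.168.151.x have no route back to the client.

! Verification after a client connects:
show vpdn tunnel
show vpdn session
```

A client that gets 192.168.151.40 from the pool can reach 192.168.150.6 only if that server routes 192.168.151.0/24 via the PIX, which is exactly the symptom (ping works, nothing else) the thread ends on.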