VPN and Local pool using PIX

Posted on 2004-08-26
Last Modified: 2012-05-05
Hello everybody,
I am trying to set up remote access VPN connections for my workers using PPTP W2K/XP from home. I have a PIX 515 firewall configured with an outside interface with a public ip: X.X.230.64 and inside interface ip: I understand that after a successful local authentication, PIX will assign an address from the IP range configured of the local pool. And this is where I still got confused: I see in many PIX configurations that the assigned network IPs in Local pool is different from the internal one. Let's say if my internal network uses private IPs in range of:, why do in most local pool configurations I see IP ranges of a different network, such as: ip local pool pptp-pool ??? If the goal of a VPN connection is creating a local network for internet users, why do I need to assign them an IP which is out of range from my internal IPs ??. If I have no internal router (besides the PIX, of course), how can an internal domain be accessed ? Hope I've been clear enough....
I understand that this could be a simple question for a VPN expert, but it is fundamental for those who are "VPN fresh meat".
Thank you for your help....
Question by: ggmisadmin
LVL 36

Expert Comment

ID: 11910970
Hi ggmisadmin,
The issue is that if the VPN assigns an IP address on the internal network then the PIX has to also listen on all these separate IP addresses on the internal network. Some VPN servers may be designed to work this way but the PIX is not. The PIX needs to be configured with an IP pool on a different network so that effectively it becomes a router between the internal network and the VPN users. The benefit of this is that because it is routing traffic between the two networks you can apply access-lists to control what the VPN users are permitted to access. These access lists can be applied on an individual user basis.

Author Comment

ID: 11912328
so...PIX routing is done on the internal interface which has an internal ip, is that true? To control VPN users, where would you apply the access-list? On the internal interface?
LVL 36

Expert Comment

ID: 11912421
You can apply an access list on the internal interface but this only controls machines on the internal network establishing connections to the VPN users. In order to control what individual users are permitted to access you need a RADIUS server to issue the ACLs. See my website for instructions.

Author Comment

ID: 11914978
I like your web, grblades!!
Just one last doubt: Once the VPN connection is established, how does Windows 2k server allow you to access its network resources if your IP address, assigned by the local pool, belongs to a different network range???
Thanks for everything!!
LVL 36

Accepted Solution

grblades earned 200 total points
ID: 11918075
The Windows server would have the IP address of the PIX as its default gateway anyway, as that is the route to the Internet.
If a machine you are connecting is a member of the AD domain then it will authenticate fine as long as you have defined that the VPN client should use the internal DNS server, which is normally the case. If the client is not part of the domain then it is useful to configure a WINS server on the server and set the PIX up to issue that to the client as well. This helps in resolving Windows machine names.

Author Comment

ID: 11918113
I am able to create a VPN. When I type ipconfig I see I have an ip address given by the local pool ( and my internal server has an ip: I can ping it but I can not access it. Am I missing any w2k configuration? How can I access network resources if I have an assigned IP with a different range from the internal network, considering that there are no internal routers?
thank you!!
LVL 36

Expert Comment

ID: 11918159
Make sure the internal servers have the IP address of the PIX defined as the default gateway and then it should work.
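As an added illustration (not posted by anyone in this thread and not taken from Cisco documentation), here is a PIX 6.x PPTP configuration that follows the advice given above: the client pool is a separate network that the PIX routes to the inside, the PIX hands the internal DNS and WINS servers to the clients, and traffic between the pool and the inside network is exempted from NAT. Every address, the pool name, the username and the server address are constructed placeholders, since the real addresses from the question did not survive on this page.

```cisco
! Constructed example: inside network 10.1.1.0/24, PPTP pool 192.168.2.0/24,
! internal DNS/WINS server 10.1.1.10. Replace with the real ranges.
ip address inside 10.1.1.1 255.255.255.0

! The pool is a different network from the inside LAN on purpose: the PIX
! becomes the router between 192.168.2.x clients and the 10.1.1.x servers.
ip local pool pptp-pool 192.168.2.1-192.168.2.50

! Allow PPTP (TCP 1723 and GRE) to terminate on the outside interface.
sysopt connection permit-pptp
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local pptp-pool
! Issue the internal DNS and WINS servers so domain and NetBIOS names resolve
! from the client side of the tunnel.
vpdn group 1 client configuration dns 10.1.1.10
vpdn group 1 client configuration wins 10.1.1.10
vpdn group 1 client authentication local
vpdn username alice password <placeholder>
vpdn enable outside

! NAT exemption: inside hosts and VPN clients talk to each other using
! their real addresses. This list only selects traffic for "nat 0"; it is
! not an access-control list.
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Not a PIX command, but required on every internal server: the default
! gateway must be 10.1.1.1 (the PIX inside address). Without it, replies to
! 192.168.2.x have no route back, which matches the "ping works but no
! access" symptom only if the host still answers ICMP via some other path.
```

Two points worth checking after applying something like this. First, the `nonat` list does not restrict anything; per-user restrictions still need the RADIUS-issued ACLs mentioned above, and an access list on the inside interface only governs connections that inside hosts initiate towards the pool. Second, PPTP with MS-CHAP and MPPE is the mechanism the question asks about, but it is weak by current standards, so a practitioner reviewing such a setup today would treat it as a candidate for replacement rather than as a baseline.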
