Solved

VPN and Local pool using PIX

Posted on 2004-08-26
7
290 Views
Last Modified: 2012-05-05
Hello everybody,
I am trying to set up remote access VPN connections for my workers using PPTP W2K/XP from home. I have a PIX 515 firewall configured with an outside interface with a public ip: X.X.230.64 and inside interace ip: 192.168.150.4. I understand that after a succesfull local authentication, PIX will assign an address from the IP range configured of the local pool. And this is where I still got confused: I see in many PIX configurations that the assigned network IPs in Local pool is different from the internal one. Lets say if my internal network uses private IPs in range of: 192.168.150.0/24, why do in most local pool configuration  I see  IPs range of different network, such as: ip local pool pptp-pool 192.169.150.1-192.169.150.50 ??? If the goal of  a VPN connction is creating a local network for internet users, why do I need to assign them an IP wich is out of range fron my internal IPs ??. If I have no internal router (besides the PIX, of course), How can an internal domain be accessed ? Hope I`ve been clear enought....
I understand that this is could be simple quation for a VPN expert, but it is foudamental for those who are "VPN fresh meet".
Thank you for your help....      
0
Comment
Question by:ggmisadmin
  • 4
  • 3
7 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11910970
Hi ggmisadmin,
The issue is that if the VPN assigns an IP address on the internal network then the PIX has to also listen on all these separate IP addresses on the internal network. Some VPN servers may be designed to work this way but the PIX is not. The PIX needs to be configured with a IP pool on a different network so that effectivly it becomes a router between the internal network and the VPN users. The benefit of this is that because it is routing traffic between the two networks you can apply access-lists to control what the VPN users are permitted to access. These access lists can be applied on an individual user basis.
0
 

Author Comment

by:ggmisadmin
ID: 11912328
so...PIX routing is done on the internal interface which has an internal ip address....is that true? To control VPN users, where would you apply the access-list? On the internal interface?
Thanks.  
0
 
LVL 36

Expert Comment

by:grblades
ID: 11912421
You can apply an access list on the internal interface but this only controls machines on th internal network establishing connections to the VPN users. In order to control what individual users are permitted to access you need a RADIUS server to issue the ACL's. See my website for instructions.
http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:ggmisadmin
ID: 11914978
I like your web, grblades!!
Just last doubt: Once the VPN connection is exstablished, how does windows 2k server allow you to access his network resources if your IP addess, assigned by the local pool, belongs to a different network range???
Thanks for everything!!    
0
 
LVL 36

Accepted Solution

by:
grblades earned 200 total points
ID: 11918075
The windows server would have the IP address of the PIX as its default gateway any as that is the route to the Internet.
If a machine you are connecting is a member of the AD domain then it will authenticate fine as long as you have defined that the VPN client should use the internal DNS server which is normally the case. If the client is not part of the domain then it is usefull to configure a WINS server on the server and set the PIX up to issue that to the client aswell. This helps in resolving windows machine names.
0
 

Author Comment

by:ggmisadmin
ID: 11918113
I am able to create a VPN. When I type ipconfig I see I have an ip address given by the local pool (192.168.151.40) and my internal server has an ip: 192.168.150.6. I can ping it but I can not access it. Do I miss any w2k configuration? How can I access network resources if I have an assigned IP with a different range from the internal network, considering that there is no internal routers?
thank you!!
0
 
LVL 36

Expert Comment

by:grblades
ID: 11918159
Have sure the internal servers have the IP address of the PIX defined as the default gateway and then it should work.
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question