Problems with PIX VPN

Posted on 2004-10-17
Last Modified: 2013-11-16
Im having some difficulties when trying to connect VPN remote users to a PIX 501.

I use cisco VPN client to connect to the 501. Everything works fine, the clients connect and can work perfectly, no problem so far. Now i need to solve a problem i find when connecting to specific servers, i explain:

Lets say i have an internal LAN with ( for the PIX). I have a pool selected in the PIX for the VPN clients which is When clients connect, they communicate with any server in the internal LAN, as long as the server has its default gateway pointing to the PIX ( The problem is i have several servers that need to use another default gateway (WAN), and with these, the VPN clients cannot communicate, because the servers' replies dont go back through the PIX.

Then i thought: if i choose a pool like for example for the VPN clients it should work. Well, it doesn't. Am i missing something? Shouldn't it work with the second pool?. Actually, i know it can work because it used to work before the PIX with an ISA server instead of it.

I know that placing static routes to the first pool in every server would solve the problem, im trying to avoid this solution, because as i said, it worked with ISA server, so i almost sure it has to work with the PIX, right?

Question by:llandajuela
  • 2
LVL 79

Accepted Solution

lrmoore earned 250 total points
ID: 12333015
In case you haven't noticed yet, the PIX is nothing like the ISA server and does not work the same way.
You have two issues to deal with. First is that you are using 192.168.1.x . This is absolutely the single most common subnet used by home / soho users with broadband connection. Next  most common is 192.168.0.x, next is The obvious solution to this is to use a different subnet on your company network. Something outside the common ranges, but still private, like 192.168.225.x or 172.32.x.x
Next issue is the way the PIX handles the connectivity between local lan and VPN connections. To function properly, these two need to be in separate subnets, mainly because of the nat-0 acl that you have to use. There is a workaround, however. If you divide your local LAN into maskable areas, but not true subnets, you can still cheat the PIX. For example, if you can split your network in two by assigning only addresses >.128 to your LAN, and addresses < .128 to the VPN pool, then you can use a mask in the acl, without actually changing the mask on the LAN subnet..
   ip address inside
   ip local pool VPNPOOL
   access-list Nat_zero permit ip
   nat (inside) 0 access-list Nat_zero

Now, the VPN clients get assigned an IP address that "appears" to be local to the servers that do not have their gateway pointing to the PIX.

One other easy workaround is to get on the router/firewall that those servers normally point to as their default and put in a static route there pointing the /24 subnet to the PIX Unfortunately, if it is a firewall like another PIX, this simply won't work because the PIX won't do a redirect.

Author Comment

ID: 12333554
Thanks lrmoore for the rapid answer.

Yes, of course i have noticed the difference, in fact, thats why i changed from ISA to the PIX. I just wrote about the ISA because it worked fine, using a VPN pool in the same subnet as the inside LAN, and i still dont understand how.
Ip addreses mentioned in my post are not the real ones, i thought it was easier than writing things like X.Y.Z.W.

Im afraid im not able to divide the inside LAN as you mentioned, Ip addreses are already asigned to the servers and the VPN pools, and the VPN pools are in the middle of the LAN range.

I liked the final idea of placing the static routes in the WAN router, it is a router and i think i will be able to do it.

But, just in case, i would like to know if there is another solution you can think of.
LVL 79

Expert Comment

ID: 12333630
You can try this - no guarantees that it will work...

 ip local pool VPNPOOL
   access-list Nat_zero permit ip any
   nat (inside) 0 access-list Nat_zero

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question