[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now


Problems with PIX VPN

Posted on 2004-10-17
Medium Priority
Last Modified: 2013-11-16
Im having some difficulties when trying to connect VPN remote users to a PIX 501.

I use cisco VPN client to connect to the 501. Everything works fine, the clients connect and can work perfectly, no problem so far. Now i need to solve a problem i find when connecting to specific servers, i explain:

Lets say i have an internal LAN with ( for the PIX). I have a pool selected in the PIX for the VPN clients which is When clients connect, they communicate with any server in the internal LAN, as long as the server has its default gateway pointing to the PIX ( The problem is i have several servers that need to use another default gateway (WAN), and with these, the VPN clients cannot communicate, because the servers' replies dont go back through the PIX.

Then i thought: if i choose a pool like for example for the VPN clients it should work. Well, it doesn't. Am i missing something? Shouldn't it work with the second pool?. Actually, i know it can work because it used to work before the PIX with an ISA server instead of it.

I know that placing static routes to the first pool in every server would solve the problem, im trying to avoid this solution, because as i said, it worked with ISA server, so i almost sure it has to work with the PIX, right?

Question by:llandajuela
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 79

Accepted Solution

lrmoore earned 750 total points
ID: 12333015
In case you haven't noticed yet, the PIX is nothing like the ISA server and does not work the same way.
You have two issues to deal with. First is that you are using 192.168.1.x . This is absolutely the single most common subnet used by home / soho users with broadband connection. Next  most common is 192.168.0.x, next is The obvious solution to this is to use a different subnet on your company network. Something outside the common ranges, but still private, like 192.168.225.x or 172.32.x.x
Next issue is the way the PIX handles the connectivity between local lan and VPN connections. To function properly, these two need to be in separate subnets, mainly because of the nat-0 acl that you have to use. There is a workaround, however. If you divide your local LAN into maskable areas, but not true subnets, you can still cheat the PIX. For example, if you can split your network in two by assigning only addresses >.128 to your LAN, and addresses < .128 to the VPN pool, then you can use a mask in the acl, without actually changing the mask on the LAN subnet..
   ip address inside
   ip local pool VPNPOOL
   access-list Nat_zero permit ip
   nat (inside) 0 access-list Nat_zero

Now, the VPN clients get assigned an IP address that "appears" to be local to the servers that do not have their gateway pointing to the PIX.

One other easy workaround is to get on the router/firewall that those servers normally point to as their default and put in a static route there pointing the /24 subnet to the PIX Unfortunately, if it is a firewall like another PIX, this simply won't work because the PIX won't do a redirect.

Author Comment

ID: 12333554
Thanks lrmoore for the rapid answer.

Yes, of course i have noticed the difference, in fact, thats why i changed from ISA to the PIX. I just wrote about the ISA because it worked fine, using a VPN pool in the same subnet as the inside LAN, and i still dont understand how.
Ip addreses mentioned in my post are not the real ones, i thought it was easier than writing things like X.Y.Z.W.

Im afraid im not able to divide the inside LAN as you mentioned, Ip addreses are already asigned to the servers and the VPN pools, and the VPN pools are in the middle of the LAN range.

I liked the final idea of placing the static routes in the WAN router, it is a router and i think i will be able to do it.

But, just in case, i would like to know if there is another solution you can think of.
LVL 79

Expert Comment

ID: 12333630
You can try this - no guarantees that it will work...

 ip local pool VPNPOOL
   access-list Nat_zero permit ip any
   nat (inside) 0 access-list Nat_zero

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question