Problems with PIX VPN

Posted on 2004-10-17
Last Modified: 2013-11-16
Im having some difficulties when trying to connect VPN remote users to a PIX 501.

I use cisco VPN client to connect to the 501. Everything works fine, the clients connect and can work perfectly, no problem so far. Now i need to solve a problem i find when connecting to specific servers, i explain:

Lets say i have an internal LAN with ( for the PIX). I have a pool selected in the PIX for the VPN clients which is When clients connect, they communicate with any server in the internal LAN, as long as the server has its default gateway pointing to the PIX ( The problem is i have several servers that need to use another default gateway (WAN), and with these, the VPN clients cannot communicate, because the servers' replies dont go back through the PIX.

Then i thought: if i choose a pool like for example for the VPN clients it should work. Well, it doesn't. Am i missing something? Shouldn't it work with the second pool?. Actually, i know it can work because it used to work before the PIX with an ISA server instead of it.

I know that placing static routes to the first pool in every server would solve the problem, im trying to avoid this solution, because as i said, it worked with ISA server, so i almost sure it has to work with the PIX, right?

Question by:llandajuela
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 79

Accepted Solution

lrmoore earned 250 total points
ID: 12333015
In case you haven't noticed yet, the PIX is nothing like the ISA server and does not work the same way.
You have two issues to deal with. First is that you are using 192.168.1.x . This is absolutely the single most common subnet used by home / soho users with broadband connection. Next  most common is 192.168.0.x, next is The obvious solution to this is to use a different subnet on your company network. Something outside the common ranges, but still private, like 192.168.225.x or 172.32.x.x
Next issue is the way the PIX handles the connectivity between local lan and VPN connections. To function properly, these two need to be in separate subnets, mainly because of the nat-0 acl that you have to use. There is a workaround, however. If you divide your local LAN into maskable areas, but not true subnets, you can still cheat the PIX. For example, if you can split your network in two by assigning only addresses >.128 to your LAN, and addresses < .128 to the VPN pool, then you can use a mask in the acl, without actually changing the mask on the LAN subnet..
   ip address inside
   ip local pool VPNPOOL
   access-list Nat_zero permit ip
   nat (inside) 0 access-list Nat_zero

Now, the VPN clients get assigned an IP address that "appears" to be local to the servers that do not have their gateway pointing to the PIX.

One other easy workaround is to get on the router/firewall that those servers normally point to as their default and put in a static route there pointing the /24 subnet to the PIX Unfortunately, if it is a firewall like another PIX, this simply won't work because the PIX won't do a redirect.

Author Comment

ID: 12333554
Thanks lrmoore for the rapid answer.

Yes, of course i have noticed the difference, in fact, thats why i changed from ISA to the PIX. I just wrote about the ISA because it worked fine, using a VPN pool in the same subnet as the inside LAN, and i still dont understand how.
Ip addreses mentioned in my post are not the real ones, i thought it was easier than writing things like X.Y.Z.W.

Im afraid im not able to divide the inside LAN as you mentioned, Ip addreses are already asigned to the servers and the VPN pools, and the VPN pools are in the middle of the LAN range.

I liked the final idea of placing the static routes in the WAN router, it is a router and i think i will be able to do it.

But, just in case, i would like to know if there is another solution you can think of.
LVL 79

Expert Comment

ID: 12333630
You can try this - no guarantees that it will work...

 ip local pool VPNPOOL
   access-list Nat_zero permit ip any
   nat (inside) 0 access-list Nat_zero

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question