Remote Access VPN user cannot access LAN (Cisco VPN client connecting to Pix 501)
Posted on 2006-04-05
I'm trying to allow remote access VPN access to our LAN, using a Pix501 and Cisco VPN Client 4.8.
The LAN has 172.16.27.0/24 and the router is on 172.16.27.254.
I'm struggling with specifying an appropriate pool for local addresses to be used by remote VPN clients. I tried 172.16.27.129-134 but somehow remote clients are then unable to connect to anything on the LAN. The log tells me that the connection is being accepted, but the traffic back to the remote client does not seem to get there, even though 172.16.27.0/24 -> 172.16.27.128/29 is exempt from NAT.
I was wondering whether, because this exemption is within the subnet, it may not work, and I also read somewhere that you should not allocate IP addresses to remote clients that are also on your LAN, i.e. that you have to use a different subnet.
That's why I created a second remote access VPN, this time allocating 172.17.1.0/28 to remote clients, but that doesn't work either. A remote client cannot see anything on the 172.16.27.x network.
I've tried enabling and disabling split tunnelling, I've tried enabling and disabling Allow Local LAN Access in the VPN client, but I'm stuck.
How does the Pix know to route 172.17.1.x traffic to 172.16.27.x? Do I need to add a route somewhere?
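The following is an added example of the PIX 6.3 configuration pieces that a remote-access setup with an off-LAN client pool needs; it is not the poster's configuration and not from any reply in the thread. It assumes the PIX inside interface is 172.16.27.1 (the post only gives the router's address, 172.16.27.254), that the client pool is 172.17.1.0/28 as in the post, and placeholder names for the group, pool and access lists. The point it shows: the PIX itself needs no static route for the pool, because the pool addresses terminate on its own tunnel, but every LAN host that uses the router rather than the PIX as its default gateway sends its return traffic to 172.16.27.254, so the router must know to send 172.17.1.0/28 back to the PIX inside address.

```text
! ---- PIX 501, PIX OS 6.3 (example, names and inside address assumed) ----
! Client pool on a subnet that is NOT the LAN subnet
ip local pool vpnpool 172.17.1.1-172.17.1.14

! NAT exemption: LAN -> client pool must not be translated
access-list nonat permit ip 172.16.27.0 255.255.255.0 172.17.1.0 255.255.255.240
nat (inside) 0 access-list nonat

! Split tunnel: only the LAN goes through the tunnel (optional)
access-list splitacl permit ip 172.16.27.0 255.255.255.0 172.17.1.0 255.255.255.240

! Let IPsec-decrypted traffic bypass the outside interface ACL
sysopt connection permit-ipsec

! Phase 1 for the Cisco VPN Client (pre-shared group key + XAUTH)
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2 via a dynamic crypto map (client addresses are unknown in advance)
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap client authentication LOCAL
crypto map clientmap interface outside

! Group the VPN Client connects with (name/password are placeholders)
vpngroup vpnclients address-pool vpnpool
vpngroup vpnclients split-tunnel splitacl
vpngroup vpnclients idle-time 1800
vpngroup vpnclients password GROUP-KEY-PLACEHOLDER
username vpnuser password USER-PASSWORD-PLACEHOLDER privilege 0

! ---- LAN router at 172.16.27.254 (IOS syntax, assumed) ----
! Return path for the client pool when LAN hosts default to this router
! rather than to the PIX inside interface (172.16.27.1 is an assumption).
ip route 172.17.1.0 255.255.255.240 172.16.27.1
```

To confirm the tunnel is up and whether return traffic is actually being encrypted, `show crypto isakmp sa` and `show crypto ipsec sa` on the PIX are the checks to run after a client connects: a phase 2 SA whose encrypted packet counter climbs while the decrypted counter stays flat is the signature of LAN hosts (or the router) sending their replies somewhere other than the PIX. Allocating pool addresses inside the LAN's own /24, as the first attempt did, asks the PIX to answer for those addresses on the inside segment, which a PIX 501 does not do for VPN clients; a separate pool subnet plus the router route avoids that entirely.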