PIX InterVlan Routing

The Setup:
VPNClient 4.6 --- Internet --- (outside) PIX 515 (3 inside subinterfaces VLAN 2, 3, 9) --- CAT 4506

INSIDE subinterfaces on PIX
VLAN 2 (192.168.2.0/24)
VLAN 3 (192.168.3.0/24)
VLAN 9 (192.168.9.0/24 - DMZ)

VPN Client receives a 192.168.2.X (VLAN 2) address from VPN IP-Pool.

The Question:
What is the best way to allow a VPNClient access to the 192.168.3.X network (VLAN3)?

Thanks,
Brian
brischaefferAsked:
MarkDozierCommented:
The best way would be a static route if the client is in one place with the same IP all the time.
lrmooreCommented:
Add the VLAN3 subnet to the "nonat" access-list and the split-tunnel acl if you use one.
I would suggest creating a new IP subnet just for VPN clients, then create two access-lists:

ip local pool VPNCLIENTS 192.168.10.1-192.168.10.100
access-list nonatvlan2 permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list nonatvlan3 permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list nonatvlan9 permit ip 192.168.9.0 255.255.255.0 192.168.10.0 255.255.255.128

access-list splittunnel permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list splittunnel permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list splittunnel permit ip 192.168.9.0 255.255.255.0 192.168.10.0 255.255.255.128

nat (vlan2) 0 access-list nonatvlan2
nat (vlan3) 0 access-list nonatvlan3
nat (vlan9) 0 access-list nonatvlan9

vpngroup YOURGROUP split-tunnel splittunnel

As long as whatever is the default gateway for each of these subnets, if it is the 4500, either points to the PIX as its DG, or has a static route for the vpnclient subnet, you're good to go.
rsivanandanCommented:
Follow lrmoore's comments, just *DON'T* put the VPN Clients in the same network as internal => Communication problems can get horrible.

Cheers,
Rajesh
brischaefferAuthor Commented:
OK, I am running PIX version 7.0(1), and below is a partial config of what I have now.
The remote VPNClient will be assigned a 192.168.10.X address, and they need to be able to reach all subnets (vlans 2, 3, & 9).
Please confirm.

interface Ethernet1
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet1.2
 vlan 2
 nameif INSIDE
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet1.3
 vlan 3
 nameif VLAN3
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet1.9
 vlan 9
 nameif DMZ
 security-level 50
 ip address 192.168.9.1 255.255.255.0
!
same-security-traffic permit intra-interface
access-list INSIDE_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list VLAN3_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list DMZ_nat0_outbound extended permit ip 192.168.9.0 255.255.255.0 192.168.10.0 255.255.255.128

access-list netgroup_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list netgroup_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
access-list netgroup_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0

access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.10.0 255.255.255.128

global (outside) 1 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 0.0.0.0 0.0.0.0
nat (VLAN3) 0 access-list VLAN3_nat0_outbound
nat (DMZ) 0 access-list DMZ_nat0_outbound
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1

ip local pool vpnpool 192.168.10.1-192.168.10.100 mask 255.255.255.255

lrmooreCommented:
Looks ok. What's not working now?
What is the default gateway for systems on vlan3 that you need access to from the client?

brischaefferAuthor Commented:
Works like a champ.
Strange things were going on yesterday.
Initiated a factory default reset on PIX, reconfigured with same config and now the PIX and I are having a good day.
Thanks for clearing the cobwebs!
-Brian
lrmooreCommented:
Glad you're working!