PIX InterVlan Routing

The Setup:
VPNClient 4.6 --- Internet --- (outside) PIX 515 (3 inside subinterfaces VLAN 2, 3, 9) --- CAT 4506

INSIDE subinterfaces on PIX
VLAN 2 (192.168.2.0/24)
VLAN 3 (192.168.3.0/24)
VLAN 9 (192.168.9.0/24 - DMZ)

VPN Client receives a 192.168.2.X (VLAN 2) address from VPN IP-Pool.

The Question:
What is the best way to allow a VPNClient access to the 192.168.3.X network (VLAN3)?

Thanks,
Brian
brischaefferAsked:
lrmooreCommented:
Looks ok. What's not working now?
What is the default gateway for systems on vlan3 that you need access to from the client ?
MarkDozierCommented:
The best way would be a static route if the client is in one place with the same IP all the time.
lrmooreCommented:
Add the VLAN3 subnet to the "nonat" access-list and the split-tunnel acl if you use one.
I would suggest creating a new IP subnet just for VPN clients, then create two access-lists:

ip local pool VPNCLIENTS 192.168.10.1-192.168.10.100
access-list nonatvlan2 permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list nonatvlan3 permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list nonatvlan9 permit ip 192.168.9.0 255.255.255.0 192.168.10.0 255.255.255.128

access-list splittunnel permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list splittunnel permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list splittunnel permit ip 192.168.9.0 255.255.255.0 192.168.10.0 255.255.255.128

nat (vlan2) 0 access-list nonatvlan2
nat (vlan3) 0 access-list nonatvlan3
nat (vlan9) 0 access-list nonatvlan9

vpngroup YOURGROUP split-tunnel splittunnel

As long as whatever is the default gateway for each of these subnets (if it is the 4500) either points to the PIX as its DG or has a static route for the vpnclient subnet, you're good to go.
rsivanandanCommented:
Follow lrmoore's comments, just *DON'T* put the VPN Clients in the same network as internal => Communication problems can get horrible.

Cheers,
Rajesh
brischaefferAuthor Commented:
Ok, I am running PIX version 7.0(1), and below is a partial config of what I have now.
The remote VPNClient will be assigned a 192.168.10.X address, and they need to be able to reach all subnets (vlans 2, 3, & 9).
Please confirm.

interface Ethernet1
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet1.2
 vlan 2
 nameif INSIDE
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet1.3
 vlan 3
 nameif VLAN3
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet1.9
 vlan 9
 nameif DMZ
 security-level 50
 ip address 192.168.9.1 255.255.255.0
!
same-security-traffic permit intra-interface
access-list INSIDE_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list VLAN3_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list DMZ_nat0_outbound extended permit ip 192.168.9.0 255.255.255.0 192.168.10.0 255.255.255.128

access-list netgroup_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list netgroup_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
access-list netgroup_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0

access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.10.0 255.255.255.128

global (outside) 1 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 0.0.0.0 0.0.0.0
nat (VLAN3) 0 access-list VLAN3_nat0_outbound
nat (DMZ) 0 access-list DMZ_nat0_outbound
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1

ip local pool vpnpool 192.168.10.1-192.168.10.100 mask 255.255.255.255

brischaefferAuthor Commented:
Works like a champ.
Strange things were going on yesterday.
Initiated a factory default reset on PIX, reconfigured with same config and now the PIX and I are having a good day.
Thanks for clearing the cobwebs!
-Brian
lrmooreCommented:
Glad you're working!