PIX InterVlan Routing

Posted on 2006-04-06
Last Modified: 2013-11-16
The Setup:
VPNClient 4.6 --- Internet --- (outside) PIX 515 (3 inside subinterfaces VLAN 2, 3, 9) --- CAT 4506

INSIDE subinterfaces on PIX
VLAN 2 (
VLAN 3 (
VLAN 9 ( - DMZ)

VPN Client receives a 192.168.2.X (VLAN 2) address from VPN IP-Pool.

The Question:
What is the best way to allow a VPNClient access to the 192.168.3.X network (VLAN3)?

Question by: brischaeffer
    LVL 8

    Expert Comment

    The best way would be a static route if the client is in one place with the same IP all the time.
    LVL 79

    Expert Comment

    Add the VLAN3 subnet to the "nonat" access-list and the split-tunnel acl if you use one.
    I would suggest creating a new IP subnet just for VPN clients, then create two access-lists:

    ip local pool VPNCLIENTS
    access-list nonatvlan2 permit ip
    access-list nonatvlan3 permit ip
    access-list nonatvlan9 permit ip

    access-list splittunnel permit ip
    access-list splittunnel permit ip
    access-list splittunnel permit ip

    nat (vlan2) 0 access-list nonatvlan2
    nat (vlan3) 0 access-list nonatvlan3
    nat (vlan9) 0 access-list nonatvlan9

    vpngroup YOURGROUP split-tunnel splittunnel

    As long as whatever is the default gateway for each of these subnets (if it is the 4500) either points to the PIX as its DG or has a static route for the VPN client subnet, you're good to go.
    LVL 32

    Expert Comment

    Follow lrmoore's comments, just *DON'T* put the VPN clients in the same network as internal => communication problems can get horrible.


    Author Comment

    OK, I am running PIX version 7.0(1), and below is a partial config of what I have now.
    The remote VPNClient will be assigned a 192.168.10.X address, and they need to be able to reach all subnets (vlans 2, 3, & 9).
    Please confirm.

    interface Ethernet1
     speed 100
     duplex full
     no nameif
     no security-level
     no ip address
    interface Ethernet1.2
     vlan 2
     nameif INSIDE
     security-level 100
     ip address
    interface Ethernet1.3
     vlan 3
     nameif VLAN3
     security-level 100
     ip address
    interface Ethernet1.9
     vlan 9
     nameif DMZ
     security-level 50
     ip address
    same-security-traffic permit intra-interface
    ! NAT-exemption (nat 0) ACLs, one per inside interface; each covers that
    ! interface's subnet -> the VPN client pool so return traffic is not translated
    access-list INSIDE_nat0_outbound extended permit ip
    access-list VLAN3_nat0_outbound extended permit ip
    access-list DMZ_nat0_outbound extended permit ip

    ! Split-tunnel ACL: one standard entry per internal subnet the client should reach
    access-list netgroup_splitTunnelAcl standard permit
    access-list netgroup_splitTunnelAcl standard permit
    access-list netgroup_splitTunnelAcl standard permit

    access-list outside_cryptomap_dyn_20 extended permit ip any

    global (outside) 1 interface
    ! nat 0 entries bind the exemption ACLs; nat 1 + the global is the normal PAT to the outside address
    nat (INSIDE) 0 access-list INSIDE_nat0_outbound
    nat (INSIDE) 1
    nat (VLAN3) 0 access-list VLAN3_nat0_outbound
    nat (DMZ) 0 access-list DMZ_nat0_outbound
    route outside XXX.XXX.XXX.XXX 1

    ip local pool vpnpool mask
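The two PIX-side pieces that lrmoore's comment above lists, and that the posted 7.0(1) config implements, are easy to get wrong one VLAN at a time: a nat 0 entry whose destination does not cover the whole client pool, or a subnet left out of the split-tunnel ACL. The script below is an added example for this thread, not Cisco tooling and not the original poster's config. It parses a PIX 7.x-style config and reports, per inside interface, whether a nat 0 ACL exempts interface-subnet -> VPN-pool traffic and whether that subnet appears in the split-tunnel ACL. The sample config embedded in it is constructed: the page's addresses were elided, so 192.168.2.0/24, 192.168.3.0/24, 192.168.9.0/24 (DMZ) and the 192.168.10.0/24 pool are assumptions, and the DMZ is deliberately left out of the split-tunnel ACL so the audit has a finding to show.

```python
"""Audit a PIX 7.x config for what a VPN client needs to reach each inside VLAN:
a nat 0 (NAT-exemption) ACL covering interface-subnet -> VPN pool on every interface,
and a split-tunnel ACL entry for each subnet. Added example, not Cisco tooling."""
import ipaddress
from collections import defaultdict

# Constructed sample config: the page's addresses were elided, so these subnets and the
# 192.168.10.0/24 client pool are assumptions. The DMZ subnet is deliberately left out
# of the split-tunnel ACL so the audit has something to report.
SAMPLE_CONFIG = """\
interface Ethernet1.2
 nameif INSIDE
 ip address 192.168.2.1 255.255.255.0
interface Ethernet1.3
 nameif VLAN3
 ip address 192.168.3.1 255.255.255.0
interface Ethernet1.9
 nameif DMZ
 ip address 192.168.9.1 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VLAN3_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 192.168.9.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list netgroup_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list netgroup_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
global (outside) 1 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 0.0.0.0 0.0.0.0
nat (VLAN3) 0 access-list VLAN3_nat0_outbound
nat (DMZ) 0 access-list DMZ_nat0_outbound
ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
"""


def _net(addr, mask):
    """Build a network from Cisco 'address netmask' notation."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _operand(tokens, i):
    """Consume one ACL address operand at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return _net(tokens[i], tokens[i + 1]), i + 2


def parse_config(text):
    """Pull named interfaces, pools, permit-ip ACL entries and nat 0 bindings out of a config."""
    interfaces, pools, nat0 = {}, {}, {}
    extended = defaultdict(list)   # acl name -> [(src_net, dst_net)]
    standard = defaultdict(list)   # acl name -> [net]
    current = {}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            current = {}
        elif t[0] == "nameif":
            current["name"] = t[1]
        elif t[:2] == ["ip", "address"] and "name" in current:
            # nameif precedes ip address in PIX 7 config output
            interfaces[current["name"]] = _net(t[2], t[3])
        elif t[:3] == ["ip", "local", "pool"]:
            pools[t[3]] = _net(t[4].split("-")[0], t[t.index("mask") + 1])
        elif t[0] == "access-list" and len(t) > 5 and t[2] == "extended" and t[3:5] == ["permit", "ip"]:
            src, i = _operand(t, 5)
            dst, _ = _operand(t, i)
            extended[t[1]].append((src, dst))
        elif t[0] == "access-list" and len(t) > 4 and t[2] == "standard" and t[3] == "permit":
            standard[t[1]].append(_operand(t, 4)[0])
        elif t[0] == "nat" and len(t) > 4 and t[2] == "0" and t[3] == "access-list":
            nat0[t[1].strip("()")] = t[4]
    return interfaces, pools, extended, standard, nat0


def audit(text, pool_name, split_acl, skip=("outside",)):
    """Return {interface: [problems]} for every non-skipped interface; [] means it is fine."""
    interfaces, pools, extended, standard, nat0 = parse_config(text)
    pool = pools[pool_name]
    findings = {}
    for name, net in interfaces.items():
        if name in skip:
            continue
        problems = []
        acl = nat0.get(name)
        if acl is None:
            problems.append(f"no 'nat ({name}) 0 access-list ...' NAT exemption")
        elif not any(net.subnet_of(s) and pool.subnet_of(d) for s, d in extended[acl]):
            problems.append(f"ACL {acl} has no entry exempting {net} -> {pool}")
        if not any(net.subnet_of(entry) for entry in standard[split_acl]):
            problems.append(f"{net} missing from split-tunnel ACL {split_acl}")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for iface, problems in audit(SAMPLE_CONFIG, "vpnpool", "netgroup_splitTunnelAcl").items():
        print(iface, "OK" if not problems else "; ".join(problems))
```

Run it as-is to print the findings for the sample, or replace SAMPLE_CONFIG with the text of `show running-config`. The split-tunnel ACL is passed by name because the config posted above does not show the group-policy line that binds it. The script covers only the two PIX-side checks; the routing requirement from the thread (hosts on each VLAN using the PIX as default gateway, or the 4506 holding a static route for the VPN pool) lives on the switch and is not visible in the PIX config.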

    LVL 79

    Accepted Solution

    Looks ok. What's not working now?
    What is the default gateway for systems on vlan3 that you need access to from the client ?

    Author Comment

    Works like a champ.
    Strange things were going on yesterday.
    Initiated a factory default reset on PIX, reconfigured with same config and now the PIX and I are having a good day.
    Thanks for clearing the cobwebs!
    LVL 79

    Expert Comment

    Glad you're working!
