PIX Firewall VPN Server configuration details clarification regarding IP address assignment to remote access Cisco VPN clients
Posted on 2006-06-08
Shouldn't the range of IP addresses specified for assignment to Cisco remote access VPN clients (connecting to a PIX515 FW configured as a VPN server), be a group of addresses from the internal LAN network they are attempting to connect to?
Specifically, since our LAN behind the PIX Inside interface is a 192.168.0.0/24 network shouldn't the "IP Local Pool" command in my PIX config also contain 192.168.0.0 network addresses for assignment to our remote access Cisco VPN clients?
My remote access clients using Cisco VPN Client v4.8.00 can connect to our PIX FW set up as a VPN server, but they cannot access any LAN resources, PING any LAN hosts, or browse the Web (and yes, the PIX inside interface is the LAN gateway - 192.168.0.1).
I fear I made a mistake using the PIX PDM GUI VPN wizard to try to enable VPN remote access. I entered the IP addresses 192.168.0.180 - 192.168.0.190 for the "pool of Local IP addresses for VPN clients" and now the show run config has these lines containing IP addresses shown below that I do not understand:
access-list inside_outbound_NAT0_acl permit ip any 192.168.0.176 255.255.255.240
access-list inside_outbound_NAT0_acl permit ip 192.168.0.0 255.255.255.0 192.168.0.176 255.255.255.240
Thanks in advance for any help or pointers - my job does not permit me hours & hours to search out detailed configuration information for the "easily configurable via GUI appliance based firewall solution for SMBs" I made the mistake of purchasing!
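The two NAT0 access-list lines quoted above match the smallest single subnet that contains the entered pool 192.168.0.180 - 192.168.0.190, which is 192.168.0.176/28 (mask 255.255.255.240). The script below is an added example, not part of the original post or of any Cisco tool: it rebuilds those lines from the pool and the LAN subnet, reports that the pool overlaps the inside LAN network, and lists the five addresses the NAT exemption covers that were never part of the entered pool. The function names and the interpretation of how the wizard rounded the range are assumptions.

```python
import ipaddress

# Constructed from the post: the pool entered in the PDM wizard and the LAN subnet.
POOL_FIRST = "192.168.0.180"
POOL_LAST = "192.168.0.190"
LAN = "192.168.0.0/24"
ACL_NAME = "inside_outbound_NAT0_acl"


def covering_network(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest single prefix containing every address from first to last (inclusive)."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:          # widen one bit at a time until the last address fits
        net = net.supernet()
    return net


def pix_addr(net: ipaddress.IPv4Network) -> str:
    """PIX access-list operand: 'any' for 0.0.0.0/0, else 'network dotted-mask'."""
    return "any" if net.prefixlen == 0 else f"{net.network_address} {net.netmask}"


def nat0_acl_lines(pool: ipaddress.IPv4Network, lan: ipaddress.IPv4Network) -> list[str]:
    """The two NAT-exemption lines as the post shows them (assumed wizard behaviour)."""
    any_net = ipaddress.ip_network("0.0.0.0/0")
    return [
        f"access-list {ACL_NAME} permit ip {pix_addr(any_net)} {pix_addr(pool)}",
        f"access-list {ACL_NAME} permit ip {pix_addr(lan)} {pix_addr(pool)}",
    ]


def pool_overlaps_lan(pool: ipaddress.IPv4Network, lan: ipaddress.IPv4Network) -> bool:
    return pool.overlaps(lan)


def exempted_but_not_in_pool(first: str, last: str) -> list[str]:
    """Addresses inside the covering /28 that were not part of the entered range."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    net = covering_network(first, last)
    return [str(a) for a in net if a < lo or a > hi]


if __name__ == "__main__":
    pool = covering_network(POOL_FIRST, POOL_LAST)
    print("\n".join(nat0_acl_lines(pool, ipaddress.ip_network(LAN))))
    print("overlaps LAN:", pool_overlaps_lan(pool, ipaddress.ip_network(LAN)))
    print("exempted but not in pool:", exempted_but_not_in_pool(POOL_FIRST, POOL_LAST))
```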