
PIX Firewall VPN Server configuration details clarification regarding IP address assignment to remote access Cisco VPN clients

Shouldn't the range of IP addresses specified for assignment to Cisco remote access VPN clients (connecting to a PIX515 FW configured as a VPN server), be a group of addresses from the internal LAN network they are attempting to connect to?

Specifically, since our LAN behind the PIX Inside interface is a network shouldn't the "IP Local Pool" command in my PIX config also contain network addresses for assignment to our remote access Cisco VPN clients?

My remote access clients using Cisco VPN Client v4.8.00 can connect to our PIX FW set up as a VPN server but they cannot access any LAN resources, PING any LAN hosts, or browse the Web (and yes the PIX inside interface is the LAN gateway -

I fear I made a mistake using the PIX PDM GUI VPN wizard to try to enable VPN remote access.  I entered the IP addresses - for the "pool of Local IP addresses for VPN clients" and now the show run config has these lines containing IP addresses shown below that I do not understand:

access-list inside_outbound_NAT0_acl permit ip any
access-list inside_outbound_NAT0_acl permit ip

Thanx in advance for any help or pointers - my job does not permit me hours & hours to search out detailed configuration information for the "easily configurable via GUI appliance based firewall solution for SMBs" I made the mistake of purchasing!
1 Solution
hi there

<<Shouldn't the range of IP addresses specified for assignment to Cisco remote access VPN clients (connecting to a PIX515 FW configured as a VPN server), be a group of addresses from the internal LAN network they are attempting to connect to?
No - you should use a different range.  Packets from your inside network going to the vpn pool will not go to the pix as the destination address will be in their own network range - so will not be sent to the default gateway.

If you change your ip pool to for example and your access list to:
access-list inside_outbound_NAT0_acl permit ip
You should be able to access correctly.

If you have any issues - post your config and we can assist


dealvis (Author) commented:
TY hth for that very helpful clarification.  I changed all references in PIX config where appeared to , including IP Pool, NAT0 acl, and both cryptomap acls.

Remote access Cisco VPN clients can still connect successfully, but there is still no more functionality than before the config change (meaning they still can't browse the network or the web or ping LAN ( hosts, etc.)

I noticed the test laptop (remote VPN client) was indeed assigned a IP but the default Subnet Mask rather than the I (thought) I specified in the PIX config statements? Anyway here are most of the key PIX config parameters involved:

access-list Remote_Users_splitTunnelAcl permit ip any

access-list inside_outbound_nat0_acl permit ip any
access-list inside_outbound_nat0_acl permit ip
access-list outside_cryptomap_dyn_20 permit ip any
access-list outside_cryptomap_dyn_40 permit ip any

ip local pool RAUpool

nat (inside) 0 access-list inside_outbound_nat0_acl

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Remote_Users address-pool RAUpool
vpngroup Remote_Users dns-server
vpngroup Remote_Users wins-server
vpngroup Remote_Users default-domain bccweb.org
vpngroup Remote_Users split-tunnel Remote_Users_splitTunnelAcl
vpngroup Remote_Users idle-time 1800
vpngroup Remote_Users password ********

Feedback on obvious errors in the PIX config would be greatly appreciated - Thx!

Are your ACLs taking hits properly?

show access-list and you will see the hits.

The NAT 0 ACL tells the PIX what to consider interesting traffic and send down the VPN connection.

You will have to allow icmp to be able to ping if I am not mistaken.

dealvis (Author) commented:
Many Thanks to both Experts who responded with assistance.  If you are configuring "Split Tunnel" vpn access you may want to read on...

I gave up and contacted Cisco today and let the Tech in to our PIX.  The problem preventing my Cisco Remote Access VPN Client from connecting to our internal LAN segment ( behind the PIX inside interface [after successfully negotiating an IPsec tunnel to the PIX's outside interface] was this (incorrect) PIX access-list statement in the configuration:

access-list Remote_Users_splitTunnelAcl permit ip any

The Cisco Support Tech changed the destination from "any" to "" (after 20 minutes of searching the PIX config).

So corrected it now looks like this:

access-list Remote_Users_splitTunnelAcl permit ip is the network I.D. of the vpn local address pool configured on the PIX:

ip local pool RAUpool mask

Lessons Learned:

Don't use the PIX PDM (Browser based GUI) to configure VPN server settings on the PIX (It was the PDM VPN Wizard that added the problem Split Tunneling entry)

I am happy that the remote access client can now browse the internal network and web without any issues.

Thanks again ExEx
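As an added example, not from the thread and not Cisco's own tooling, here is a small Python checker that reads a PIX 6.x-style config fragment and flags the three problems the thread worked through: a client pool that overlaps the inside LAN (inside hosts then never send replies to the default gateway), a split-tunnel ACL whose destination is "any" instead of the pool network, and a NAT 0 ACL that does not exempt LAN-to-pool traffic. SAMPLE_CONFIG and all addresses are constructed (the thread's real addresses did not survive extraction), and the address-spec grammar handled is limited to "any", "host A" and "A MASK".

```python
import ipaddress
# Constructed PIX 6.x fragment (made-up addresses; the thread's own were stripped from the
# page). Both mistakes from the thread are present: pool inside the LAN, split-tunnel dst "any".
SAMPLE_CONFIG = """
access-list Remote_Users_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip any 10.0.0.0 255.255.255.0
ip local pool RAUpool 10.0.0.100-10.0.0.150 mask 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
vpngroup Remote_Users address-pool RAUpool
vpngroup Remote_Users split-tunnel Remote_Users_splitTunnelAcl
"""

def _addr(tokens):  # consume one PIX address spec: 'any', 'host A', or 'A MASK'
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0))
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_config(text):  # collect 'permit ip' ACL entries, pools, NAT0 ACL name, vpngroups
    acls, pools, groups, nat0 = {}, {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            rest = t[4:]
            acls.setdefault(t[1], []).append((_addr(rest), _addr(rest)))
        elif t[:3] == ["ip", "local", "pool"]:  # pool start address + mask -> network
            pools[t[3]] = ipaddress.ip_network(f"{t[4].split('-')[0]}/{t[6]}", strict=False)
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            nat0 = t[4]
        elif t[:1] == ["vpngroup"] and len(t) == 4:
            groups.setdefault(t[1], {})[t[2]] = t[3]
    return acls, pools, groups, nat0

def check_remote_access(text, inside_lan):  # findings for the three pitfalls in the thread
    lan = ipaddress.ip_network(inside_lan)
    acls, pools, groups, nat0 = parse_config(text)
    findings = []
    for name, g in groups.items():
        pool = pools.get(g.get("address-pool"))
        if pool is None:
            continue
        if pool.overlaps(lan):  # inside hosts would not send replies to the default gateway
            findings.append(f"{name}: pool {pool} overlaps inside LAN {lan}")
        if any(dst.prefixlen == 0 for _, dst in acls.get(g.get("split-tunnel"), [])):
            findings.append(f"{name}: split-tunnel ACL destination is 'any'; use the pool network")
        if not any(s.supernet_of(lan) and d.supernet_of(pool) for s, d in acls.get(nat0, [])):
            findings.append(f"{name}: NAT0 ACL does not exempt LAN {lan} -> pool {pool}")
    return findings
```

Run `check_remote_access(SAMPLE_CONFIG, "10.0.0.0/24")` to see the two findings for the broken sample; a config with the pool moved to a separate network and the split-tunnel and NAT 0 ACLs pointing at that pool returns an empty list.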

PAQed with points refunded (125)

Community Support Moderator
Question has a verified solution.
