

Cisco PIX VPN Client

Posted on 2007-10-16
Medium Priority
Last Modified: 2010-03-17
We have a Cisco PIX at our office and remote users use the Cisco VPN client for remote login. But we are using the network at our office and these days most broadband routers use the network. Most users trying to connect from outside the office over broadband can connect but can't access the mail server and all the other servers because of that same IP network. I have changed one user's broadband IP to the 172.168 network and it works fine, but it is not possible for all users. Is there any option?
Question by:dat5904
LVL 29

Expert Comment

by:Jan Springer
ID: 20086125
Actually, the pool for the dynamic remote VPN customers should be of a different subnet than your private network off of the PIX.

With all of the 192.168.x.x, 172.16-172.31.x.x and 10.x.x.x address space available, you should be able to find a /24 that will be unique to everyone.
LVL 36

Accepted Solution

grblades earned 375 total points
ID: 20086175
I believe the issue isn't the fact that the IP pool being used by the VPN clients is on the 192.168.1.x network but the fact that the IP address range is assigned to the internal network.

Some versions of the cisco client have an option to 'permit access to local lan'. Unticking this may enable them to talk to your internal servers but I would not guarantee that it will work.

Other alternatives are:

1) Change the IP range used by your network.

2) Install a router between the PIX and your internal network and configure it to perform NAT. For example, if you put its other interface on the 192.168.50.x network then you could NAT between 192.168.50.x and 192.168.1.x on the router. The VPN clients would connect to the 192.168.50.x addresses and won't have an issue.
However this will mean that, depending on whether the client PC is at home or in the office, they will need to connect to a different IP address. Also some protocols won't work over this NATting.

Option 1 is the best although more of a pain to do.
LVL 29

Expert Comment

by:Jan Springer
ID: 20086308
Like I said:

The subnet of the VPN client must be different from the pool on the PIX which must be different from the private subnet behind the PIX.

The VPN client is coming from a public IP
The pool could be RFC1918 subnet of
The PIX private network would be
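The rule Jan Springer states (client LAN, PIX client pool and private subnet all distinct) is easy to check mechanically before anyone rolls out an address change. The following is an added example for this thread, not code from any of the posters: it flags every overlapping pair among a set of named ranges using Python's standard `ipaddress` module, and picks a free /24 from RFC 1918 space that avoids both the ranges already in use and the defaults consumer broadband routers commonly hand out. The sample networks and the consumer-default list are constructed for illustration.

```python
"""Check that the address ranges involved in a remote-access VPN do not overlap.

Added example (not code from the thread). The rule being checked: the VPN
client's local LAN, the PIX's client pool and the private subnet behind the
PIX must all be distinct. Sample networks below are constructed to mirror
the poster's situation and the suggested fix.
"""
from ipaddress import IPv4Network, ip_network
from itertools import combinations

# Ranges consumer broadband routers commonly use by default (illustrative,
# not exhaustive); a corporate LAN or VPN pool should stay clear of them.
CONSUMER_DEFAULTS = [
    ip_network("192.168.0.0/24"),
    ip_network("192.168.1.0/24"),
    ip_network("192.168.2.0/24"),
]


def find_overlaps(ranges: dict[str, str]) -> list[tuple[str, str]]:
    """Return every pair of named ranges that share at least one address.

    `ranges` maps a label (e.g. "home_lan") to a CIDR string. Host bits are
    tolerated (strict=False) so a pool start like 192.168.1.200/29 parses.
    """
    nets = {name: ip_network(cidr, strict=False) for name, cidr in ranges.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])
    )


def pick_unique_slash24(
    taken: list[str], space: IPv4Network = ip_network("172.16.0.0/12")
) -> str:
    """Pick the first /24 inside `space` that overlaps neither `taken` nor a consumer default.

    `space` defaults to the 172.16/12 RFC 1918 block; 10.0.0.0/8 works equally well.
    """
    avoid = [ip_network(c, strict=False) for c in taken] + CONSUMER_DEFAULTS
    for candidate in space.subnets(new_prefix=24):
        if not any(candidate.overlaps(n) for n in avoid):
            return str(candidate)
    raise ValueError(f"no free /24 in {space}")


if __name__ == "__main__":
    # Constructed scenario from the thread: home LAN, client pool and office
    # LAN all sit in 192.168.1.0/24, so every pair collides.
    before = {
        "home_lan": "192.168.1.0/24",
        "vpn_pool": "192.168.1.200/29",
        "office_lan": "192.168.1.0/24",
    }
    print("overlaps before:", find_overlaps(before))

    # Option 1 from the accepted answer: renumber the office and the pool.
    new_office = pick_unique_slash24(list(before.values()))
    new_pool = pick_unique_slash24(list(before.values()) + [new_office])
    after = {"home_lan": before["home_lan"], "vpn_pool": new_pool, "office_lan": new_office}
    print("proposed office LAN:", new_office, "pool:", new_pool)
    print("overlaps after:", find_overlaps(after))
```

`find_overlaps` reports pairs rather than a single yes/no so that a three-way collision like the poster's is visible as three distinct conflicts; `pick_unique_slash24` walks candidate /24s in order, so the first result is deterministic and easy to reason about in a change ticket.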
LVL 36

Expert Comment

ID: 20086353
_jesper_ I believe the problem is if the home user is using a router such as a Linksys, Netgear, D-Link, etc.
In this case the IP address of the machine running the VPN client is normally on the 192.168.1.x network.
LVL 29

Expert Comment

by:Jan Springer
ID: 20086443
Doesn't matter.  I do this today :)

The remote VPN connection will be established from the public IP.

Expert Comment

ID: 20101130
grblades -- the VPN client overrides the 192.168.x.x on your home network; if you do ipconfig at a command prompt, you will see the VPN adapter IP address come up... so Jesper is right here.

Expert Comment

ID: 20101146
To the original poster -- please show us your PIX config... can sort the problem out pretty quick...

many thanks
LVL 36

Expert Comment

ID: 20101208
Well, the fact that the author has changed the IP address range on one site and it has fixed the problem shows that it was the issue.
Possibly if 'permit local LAN access' was disabled on the Cisco client that might have fixed it as well, but then the clients cannot access local network resources.

Author Comment

ID: 20101277
name MailServer
name MailServer2
access-list 101 permit ip
access-list outside_access_in deny ip any any
access-list 80 permit ip any
access-list smtp permit tcp any host eq smtp
access-list smtp_in permit tcp any host MailServer2 eq smtp
pager lines 24
logging console debugging
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside public ip address
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclient
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0 0
static (inside,outside) tcp public ip address smtp MailServer2 smtp netmask 255.255.255.255 0 0
access-group smtp in interface outside
route outside public ip address
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host b0selecta timeout 10
http server enable
http inside
no snmp-server location
no snmp-server contact
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set client esp-3des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set client
crypto map vpn_map 10 ipsec-isakmp dynamic dynmap
crypto map vpn_map client configuration address initiate
crypto map vpn_map client configuration address respond
crypto map vpn_map client authentication partnerauth
crypto map vpn_map interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp client configuration address-pool local xxxxx outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup demo address-pool vpnclient
vpngroup demo dns-server
vpngroup demo wins-server
vpngroup demo idle-time 1800
vpngroup  password ********
telnet inside
telnet timeout 5
ssh outside
ssh timeout 5
terminal width 80
LVL 29

Expert Comment

by:Jan Springer
ID: 20102150
'Disable local LAN access' on the client and no split tunnel on the firewall is my preferred method to help keep the private network secure.
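Two of the things discussed in this thread can be read straight out of a PIX 6.x style configuration like the one the author posted: whether the client pool collides with the inside subnet (or with a typical client's home LAN), and whether split tunneling is enabled on the vpngroup at all, which the comment above prefers to leave off. The following is an added example, not the poster's code or a Cisco tool: a small parser for the `ip address inside`, `ip local pool` and `vpngroup ... address-pool|split-tunnel` lines, followed by an audit of the facts it extracts. The two configuration snippets are constructed with placeholder addresses and follow the structure of the config posted above; the split-tunnel keyword is the PIX 6.x `vpngroup <name> split-tunnel <acl>` form.

```python
"""Audit remote-access VPN settings in a PIX 6.x style configuration dump.

Added example (not from the thread). Extracts the inside interface subnet,
client address pools and per-vpngroup pool/split-tunnel settings, then
reports pool/inside overlap, inside/client-LAN overlap and whether split
tunneling is configured. Sample configs are constructed with placeholder
addresses (RFC 5737 203.0.113.0/24 for the public side).
"""
import re
from ipaddress import ip_address, ip_network, summarize_address_range

# Constructed: mirrors the posted config with the pool carved out of the
# inside subnet and a split-tunnel ACL attached to the group.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.10 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpnclient 192.168.1.200-192.168.1.220
nat (inside) 0 access-list 101
vpngroup demo address-pool vpnclient
vpngroup demo split-tunnel 101
vpngroup demo idle-time 1800
"""

# Constructed: pool moved to its own RFC 1918 range, no split tunnel.
FIXED_CONFIG = """\
ip address outside 203.0.113.10 255.255.255.248
ip address inside 172.16.10.1 255.255.255.0
ip local pool vpnclient 172.16.50.1-172.16.50.50
vpngroup demo address-pool vpnclient
vpngroup demo idle-time 1800
"""


def parse_pix(config: str) -> dict:
    """Pull the VPN-relevant facts out of a PIX config dump."""
    facts = {"inside": None, "pools": {}, "groups": {}}
    for line in config.splitlines():
        m = re.match(r"ip address inside (\S+) (\S+)$", line)
        if m:
            # ipaddress accepts a dotted netmask after the slash.
            facts["inside"] = ip_network(f"{m[1]}/{m[2]}", strict=False)
            continue
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line)
        if m:
            # A start-end pool becomes the minimal set of CIDR blocks covering it.
            facts["pools"][m[1]] = list(
                summarize_address_range(ip_address(m[2]), ip_address(m[3]))
            )
            continue
        m = re.match(r"vpngroup (\S+) (address-pool|split-tunnel) (\S+)$", line)
        if m:
            facts["groups"].setdefault(m[1], {})[m[2]] = m[3]
    return facts


def audit(config: str, client_lan: str = "192.168.1.0/24") -> dict:
    """Per vpngroup, report the overlap and split-tunnel findings discussed in the thread.

    `client_lan` is the LAN behind a typical remote user's broadband router;
    the 192.168.1.0/24 default is the case raised in the question.
    """
    facts = parse_pix(config)
    inside = facts["inside"]
    home = ip_network(client_lan)
    findings = {}
    for group, settings in facts["groups"].items():
        pool_nets = facts["pools"].get(settings.get("address-pool"), [])
        findings[group] = {
            "pool_overlaps_inside": inside is not None
            and any(n.overlaps(inside) for n in pool_nets),
            "inside_overlaps_client_lan": inside is not None and inside.overlaps(home),
            "split_tunnel": "split-tunnel" in settings,
        }
    return findings


if __name__ == "__main__":
    print("as posted:", audit(SAMPLE_CONFIG))
    print("after renumbering:", audit(FIXED_CONFIG))
```

Run against a real `show running-config`, the `inside_overlaps_client_lan` flag is the symptom the author hit, `pool_overlaps_inside` is the point Jan Springer raises, and `split_tunnel` being false is the firewall half of the 'no split tunnel, no local LAN access' posture described above.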
