Cisco PIX VPN Client

We have a Cisco PIX at our office and remote users use the Cisco PIX client for remote login. But we are using the 192.168.1.0 network in our office, and these days most broadband routers use the 192.168.1.0 network. Most users trying to connect from outside the office over broadband can connect but can't access the mail server and all other servers because of the same IP network. I have changed one user's broadband IP from 192.168.1.0 to the 172.168 network and it works fine, but it is not possible for all users. Is there any option?
dat5904 Asked:
grblades Commented:
I believe the issue isn't the fact that the IP pool being used by the VPN clients is on the 192.168.1.x network but the fact that the IP address range is assigned to the internal network.

Some versions of the cisco client have an option to 'permit access to local lan'. Unticking this may enable them to talk to your internal servers but I would not guarantee that it will work.

Other alternatives are:

1) Change the IP range used by your network.

2) Install a router between the PIX and your internal network and configure it to perform NAT. For example, if you put its other interface on the 192.168.50.x network then you could NAT between 192.168.50.x and 192.168.1.x on the router. The VPN clients would connect to the 192.168.50.x addresses and won't have an issue.
However, this will mean that depending on whether the client PC is at home or in the office, they will need to connect to a different IP address. Also, some protocols won't work over this NATing.

Option 1 is the best although more of a pain to do.
 
Jan Springer Commented:
Actually, the pool for the dynamic remote VPN customers should be of a different subnet than your private network off of the PIX.

With all of the 192.168.x.x, 172.16-172.31.x.x and 10.x.x.x address space available, you should be able to find a /24 that will be unique to everyone.
 
Jan Springer Commented:
Like I said:

The subnet of the VPN client must be different from the pool on the PIX which must be different from the private subnet behind the PIX.

The VPN client is coming from a public IP
The pool could be RFC1918 subnet of 10.254.0.0/24
The PIX private network would be 192.168.1.0/24
 
grblades Commented:
_jesper_ I believe the problem is if the home user is using a router such as a linksys, netgear, dlink, etc...
In this case the IP address of the machine running the VPN client is normally on the 192.168.1.x network.
 
Jan Springer Commented:
Doesn't matter.  I do this today :)

The remote VPN connection will be established from the public IP.
 
peterelvidge Commented:
grblades -- the VPN client overrides the 192.168.x.x on your home network. If you do ipconfig at a command prompt, you will see the VPN adapter IP address come up... so jesper is right here.
 
peterelvidge Commented:
To the original poster -- please show us your PIX config... we can sort the problem out pretty quickly...

many thanks
 
grblades Commented:
Well the fact that the author has changed the IP address range on one site and it has fixed the problem shows that it was the issue.
Possibly if 'permit local lan access' was disabled on the Cisco client that might have fixed it as well, but then the clients cannot access local network resources.
 
dat5904 (Author) Commented:
name 192.168.1.1 MailServer
name 192.168.1.9 MailServer2
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in deny ip any any
access-list 80 permit ip any 192.168.1.0 255.255.255.0
access-list smtp permit tcp any host 212.103.235.41 eq smtp
access-list smtp_in permit tcp any host MailServer2 eq smtp
pager lines 24
logging console debugging
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside public ip address 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclient 192.168.100.1-192.168.100.50
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp public ip address smtp MailServer2 smtp netmask 255.255.255.255 0 0
access-group smtp in interface outside
route outside 0.0.0.0 0.0.0.0 public ip address
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.1.8 b0selecta timeout 10
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set client esp-3des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set client
crypto map vpn_map 10 ipsec-isakmp dynamic dynmap
crypto map vpn_map client configuration address initiate
crypto map vpn_map client configuration address respond
crypto map vpn_map client authentication partnerauth
crypto map vpn_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local xxxxx outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup demo address-pool vpnclient
vpngroup demo dns-server 192.168.1.7 192.168.1.8
vpngroup demo wins-server 192.168.1.7 192.168.1.8
vpngroup demo idle-time 1800
vpngroup  password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 81.152.228.154 255.255.255.255 outside
ssh timeout 5
terminal width 80
 
Jan Springer Commented:
'disable local lan access' on the client and no split tunnel on the firewall is my preferred method to help keep the private network secure.
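The thread turns on three address spaces that have to stay distinct (Jan Springer's rule: client LAN, PIX address pool, PIX inside subnet), on the poster's config above, and on the closing remark that no split tunnel is preferable. As an added example, not code from the thread, the poster or Cisco, the script below parses the addressing lines of a PIX 6.x config and reports which of those spaces collide. It assumes a trimmed, constructed copy of the poster's config as sample input, a representative list of consumer-router default subnets (an assumption, not something the thread enumerates), and that a vpngroup with no `split-tunnel` ACL is a full-tunnel group.

```python
"""Overlap check for a PIX 6.x remote-access VPN config.
Added example; not from the thread, the poster or Cisco."""
import ipaddress
import re

# Constructed sample: the addressing lines from the poster's config (not the full config).
SAMPLE_CONFIG = """\
ip address inside 192.168.1.254 255.255.255.0
ip local pool vpnclient 192.168.100.1-192.168.100.50
vpngroup demo address-pool vpnclient
vpngroup demo dns-server 192.168.1.7 192.168.1.8
"""

# Assumption: LAN defaults commonly shipped by consumer routers (representative list).
COMMON_HOME_LANS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
    "192.168.10.0/24", "10.0.0.0/24", "10.0.1.0/24")]


def parse_pix(config):
    """Pull the inside subnet, address pools and vpngroup settings out of the config."""
    inside = None
    pools = {}            # pool name -> networks that cover the start-end range
    group_pools = {}      # vpngroup name -> pool name it hands out
    split_groups = set()  # vpngroups that carry a split-tunnel ACL
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"ip address inside (\S+) (\S+)$", line)
        if m:
            # strict=False turns the interface address + mask into its subnet
            inside = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            continue
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line)
        if m:
            first, last = ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])
            pools[m[1]] = list(ipaddress.summarize_address_range(first, last))
            continue
        m = re.match(r"vpngroup (\S+) address-pool (\S+)$", line)
        if m:
            group_pools[m[1]] = m[2]
            continue
        m = re.match(r"vpngroup (\S+) split-tunnel (\S+)$", line)
        if m:
            split_groups.add(m[1])
    if inside is None:
        raise ValueError("no 'ip address inside' line found")
    return inside, pools, group_pools, split_groups


def check_conflicts(config, client_lans=COMMON_HOME_LANS):
    """Report overlaps between the client LAN, the VPN pool and the inside subnet."""
    inside, pools, group_pools, split_groups = parse_pix(config)
    report = {
        "inside": str(inside),
        # inside subnet collides with a typical home LAN: the poster's symptom
        "inside_conflicts": sorted(str(n) for n in client_lans if n.overlaps(inside)),
        # pool must not sit inside the private subnet behind the PIX
        "pool_overlaps_inside": False,
        # pool must also not collide with the LAN the client sits on
        "pool_conflicts": [],
        # groups without a split-tunnel ACL send all client traffic through the tunnel
        "full_tunnel_groups": sorted(g for g in group_pools if g not in split_groups),
    }
    for pool_name in group_pools.values():
        for net in pools.get(pool_name, []):
            if net.overlaps(inside):
                report["pool_overlaps_inside"] = True
            for lan in client_lans:
                if lan.overlaps(net) and str(lan) not in report["pool_conflicts"]:
                    report["pool_conflicts"].append(str(lan))
    report["pool_conflicts"].sort()
    return report


if __name__ == "__main__":
    for key, value in check_conflicts(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the sample, the check confirms what the answers say: the pool 192.168.100.x is fine, the inside subnet 192.168.1.0/24 is the one that collides with home routers, and the `demo` group is full-tunnel because no `split-tunnel` line is present.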