Cisco PIX VPN Client

Posted on 2007-10-16
Last Modified: 2010-03-17
We have a Cisco PIX at our office and remote users use the Cisco PIX client for remote login. But we are using the network in our office and these days most broadband routers use the network. Most users trying to connect from outside the office over broadband can connect but can't access the mail server and all other servers because of that same IP network. I have changed one user's broadband IP from to the 172.168 network and it works fine, but it is not possible for all users. Is there any option?
Question by:dat5904
    LVL 28

    Expert Comment

    by:Jan Springer
    Actually, the pool for the dynamic remote VPN customers should be of a different subnet than your private network off of the PIX.

    With all of the 192.168.x.x, 172.16-172.31.x.x and 10.x.x.x address space available, you should be able to find a /24 that will be unique to everyone.
    LVL 36

    Accepted Solution

    I believe the issue isn't the fact that the IP pool being used by the VPN clients is on the 192.168.1.x network but the fact that the IP address range is assigned to the internal network.

    Some versions of the cisco client have an option to 'permit access to local lan'. Unticking this may enable them to talk to your internal servers but I would not guarantee that it will work.

    Other alternatives are:

    1) Change the IP range used by your network.

    2) Install a router between the PIX and your internal network and configure it to perform NAT. For example, if you put its other interface on the 192.168.50.x network then you could NAT between 192.168.50.x and 192.168.1.x on the router. The VPN clients would connect to the 192.168.50.x addresses and won't have an issue.
    However, this will mean that depending on whether the client PC is at home or in the office, they will need to connect to a different IP address. Also some protocols won't work over this NATing.

    Option 1 is the best although more of a pain to do.
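The address-overlap problem discussed in the two comments above, modelled in Python as an added illustration (this is not code from the thread, from Cisco, or from any of the posters). It checks a named set of subnets for overlap, picks an RFC 1918 /24 that overlaps none of the subnets it must avoid, and uses a longest-prefix-match routing model to show why an office host on the same subnet as the home LAN is sent onto the home LAN instead of into the tunnel. All addresses are constructed samples (the thread's own addresses were stripped from the page), and treating the client's "Allow Local LAN Access" setting as simply removing the client's own LAN route while the tunnel is up is a simplifying assumption of this model.

```python
import ipaddress
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# RFC 1918 private space, searched in this order when picking a client pool.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample values for this example (not the thread's real addresses).
OFFICE_LAN = ipaddress.ip_network("192.168.1.0/24")   # subnet behind the PIX inside interface
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")     # what a typical broadband router hands out
COMMON_HOME_LANS = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.0/24"),
]

Network = ipaddress.IPv4Network
Route = Tuple[Network, str]  # (destination prefix, interface it is reached through)


def find_overlaps(subnets: Dict[str, Network]) -> List[Tuple[str, str]]:
    """Return every pair of named subnets that share address space."""
    return [(a, b) for (a, na), (b, nb) in combinations(subnets.items(), 2)
            if na.overlaps(nb)]


def choose_unique_pool(avoid: List[Network], prefixlen: int = 24) -> Optional[Network]:
    """First RFC 1918 prefix of the requested length that overlaps none of `avoid`."""
    for block in RFC1918:
        for candidate in block.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(n) for n in avoid):
                return candidate
    return None


def client_routes(home_lan: Network, local_lan_access: bool) -> List[Route]:
    """Routing table of a remote client with no split tunnel (everything via the tunnel).

    Simplifying assumption of this model: with 'Allow Local LAN Access' unticked the
    client's own LAN route is removed while the tunnel is up.
    """
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "tunnel")]
    if local_lan_access:
        routes.append((home_lan, "home-lan"))
    return routes


def resolve_interface(dest: str, routes: List[Route]) -> str:
    """Longest-prefix match: the most specific matching route wins, as in any IP stack."""
    addr = ipaddress.ip_address(dest)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def can_reach_office_host(dest: str, home_lan: Network, local_lan_access: bool) -> bool:
    """True when traffic for an office host is sent into the tunnel, not onto the home LAN."""
    return resolve_interface(dest, client_routes(home_lan, local_lan_access)) == "tunnel"


if __name__ == "__main__":
    # Office and home share 192.168.1.0/24, so the two overlap.
    print(find_overlaps({"office": OFFICE_LAN, "home": HOME_LAN}))
    # A /24 that none of the office or common home subnets use.
    print(choose_unique_pool([OFFICE_LAN] + COMMON_HOME_LANS))
    # Overlapping office host: lost to the home LAN unless local LAN access is off.
    print(can_reach_office_host("192.168.1.10", HOME_LAN, local_lan_access=True))
    print(can_reach_office_host("192.168.1.10", HOME_LAN, local_lan_access=False))
    # After renumbering the office to 192.168.50.0/24 the home route no longer matches.
    print(can_reach_office_host("192.168.50.10", HOME_LAN, local_lan_access=True))
```

Run as-is, the script reports the overlap, proposes a free /24, and shows the same office host being unreachable with local LAN access on and reachable with it off, which is why the thread ends up with two workable fixes: renumber one side so nothing overlaps (option 1), or keep the client from holding a route to its own LAN.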
    LVL 28

    Expert Comment

    by:Jan Springer
    Like I said:

    The subnet of the VPN client must be different from the pool on the PIX which must be different from the private subnet behind the PIX.

    The VPN client is coming from a public IP
    The pool could be RFC1918 subnet of
    The PIX private network would be
    LVL 36

    Expert Comment

    _jesper_ I believe the problem is if the home user is using a router such as a linksys, netgear, dlink, etc...
    In this case the IP address of the machine running the VPN client is normally on the 192.168.1.x network
    LVL 28

    Expert Comment

    by:Jan Springer
    Doesn't matter.  I do this today :)

    The remote VPN connection will be established from the public IP.
    LVL 4

    Expert Comment

    grblades -- the VPN client overrides the 192.168.x.x on your home network. If you do ipconfig on a command prompt, you will see the VPN adapter IP address come up... so jesper is right here
    LVL 4

    Expert Comment

    To the original poster-- please show us your pix config..... can sort the problem out pretty quick...

    many thanks
    LVL 36

    Expert Comment

    Well, the fact that the author has changed the IP address range on one site and it has fixed the problem shows that it was the issue.
    Possibly if 'permit local lan access' was disabled on the cisco client that might have fixed it as well, but then the clients cannot access local network resources.

    Author Comment

    name MailServer
    name MailServer2
    access-list 101 permit ip
    access-list outside_access_in deny ip any any
    access-list 80 permit ip any
    access-list smtp permit tcp any host eq smtp
    access-list smtp_in permit tcp any host MailServer2 eq smtp
    pager lines 24
    logging console debugging
    interface ethernet0 auto
    interface ethernet1 auto
    mtu outside 1500
    mtu inside 1500
    ip address outside public ip address
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnclient
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 0 0
    static (inside,outside) tcp public ip address smtp MailServer2 smtp netmask 255.255.255.255 0 0
    access-group smtp in interface outside
    route outside public ip address
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server partnerauth protocol radius
    aaa-server partnerauth (inside) host b0selecta timeout 10
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt ipsec pl-compatible
    no sysopt route dnat
    crypto ipsec transform-set client esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 1 set transform-set client
    crypto map vpn_map 10 ipsec-isakmp dynamic dynmap
    crypto map vpn_map client configuration address initiate
    crypto map vpn_map client configuration address respond
    crypto map vpn_map client authentication partnerauth
    crypto map vpn_map interface outside
    isakmp enable outside
    isakmp key ******** address netmask
    isakmp identity address
    isakmp client configuration address-pool local xxxxx outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup demo address-pool vpnclient
    vpngroup demo dns-server
    vpngroup demo wins-server
    vpngroup demo idle-time 1800
    vpngroup  password ********
    telnet inside
    telnet timeout 5
    ssh outside
    ssh timeout 5
    terminal width 80
    LVL 28

    Expert Comment

    by:Jan Springer
    'disable local lan access' on the client and no split tunnel on the firewall is my preferred method to help keep the private network secure.
