Solved

PIX 501 PPTP tunnel with internal hosts on same subnet as vpn client

Posted on 2009-04-03
2
565 Views
Last Modified: 2012-06-21
PIX 501 6.3(5) -
inside: 10.10.30.1
ip pool for vpn: 192.168.100.40-192.168.100.49

Internal Network -
some devices on 10.10.30.0/24
some devices on 192.168.100.0/24
both subnets share the same ethernet segment (no VLAN's, just different ip's on the same wire)

VPN client: XP Pro pptp network connection (not a Cisco VPN client)

My inside network has 2 subnets, 10.10.30.0/24 and 192.168.100.0/24.  I need an external client to make a PPTP vpn connection to the PIX and access devices on the 192.168.100.0/24 subnet on the inside network.

When my client makes the connection, they get 192.168.100.40.  They can ping devices on 10.10.30.0/24, but not devices on 192.168.100.0/24.

I have a no-nat access list:
access-list 101 permit ip 10.10.30.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 101

I am thinking I need to put a router between the 10.10.30.0 network and 192.168.100.0, then change the vpn pool to something other than 192.168.100.0.  If I do that, and add a route in the PIX for 192.168.100.0 (e.g., route inside 192.168.100.0 255.255.255.0 10.10.30.<ip-of-router>).

My question is 2-fold:

1.  Can I access more than one subnet on the inside from a PPTP connection?

2.  If I put a router between 10.10.30.0 and 192.168.100.0, will the PPTP clients then be able to access that subnet?

Thanks.
0
Comment
Question by:snowdog_2112
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 1

Expert Comment

by:Hotwaffles
ID: 24209851
change the ip pool you are using for the vpn clients.  The issue I beleive is the pix thinks the vpn user is on its internal subnet because of the ip but it cannot route traffic back through the same interface.
0
 

Accepted Solution

by:
snowdog_2112 earned 0 total points
ID: 24356764
It was initially a different subnet, and that did not work either.  I believe the root problem is that the PIX does not support any internal network not configured on the inside interface (other than the VPN pool), and you can't add sub-interfaces on a PIX 501.

A VPN client, then, can only access devices in the VPN pool or the inside interface.  I considered a 2nd router and routing to the device I need to reach, but the end device does not support an IP gateway (yes, that's correct...IP address and subnet mask only - no entry for default gateway), so even if I can get packets *to* the device, they will not return to an intermediate router without a default gateway.

I solved this as "not possible with existing hardware".
0

Featured Post

Building an interactive eFuture classroom

Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will step through configuring a SonicWALL appliance to utilize an internal DHCP server for Global VPN Client (GVC) hosts.  There are times when using an external (external to the SonicWALL) DHCP server, such as Windows Servers, isn’t pr…
When posting a question about a Cisco ASA, Cisco Router or Cisco Switch, it can aid diagnosis if a suitably sanitised copy of the config is provided. It is much better to leave as much of the configuration as original as possible, as it could be tha…
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface. Change Cu…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question