PIX 501 PPTP tunnel with internal hosts on same subnet as vpn client
Posted on 2009-04-03
PIX 501 6.3(5) -
ip pool for vpn: 192.168.100.40-192.168.100.49
Internal Network -
some devices on 10.10.30.0/24
some devices on 192.168.100.0/24
both subnets share the same ethernet segment (no VLANs, just different IPs on the same wire)
VPN client: XP Pro pptp network connection (not a Cisco VPN client)
My inside network has 2 subnets, 10.10.30.0/24 and 192.168.100.0/24. I need an external client to make a PPTP vpn connection to the PIX and access devices on the 192.168.100.0/24 subnet on the inside network.
When my client makes the connection, they get 192.168.100.40. They can ping devices on 10.10.30.0/24, but not devices on 192.168.100.0/24.
I have a no-nat access list:
access-list 101 permit ip 10.10.30.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 101
I am thinking I need to put a router between the 10.10.30.0 network and 192.168.100.0, then change the vpn pool to something other than 192.168.100.0. If I do that, and add a route in the PIX for 192.168.100.0 (e.g., route inside 192.168.100.0 255.255.255.0 10.10.30.<ip-of-router>).
My question is twofold:
1. Can I access more than one subnet on the inside from a PPTP connection?
2. If I put a router between 10.10.30.0 and 192.168.100.0, will the PPTP clients then be able to access that subnet?
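An added sanity check for the design described in this post (example code, not something from the poster or from Cisco): given the VPN pool, the inside subnets and the `nat (inside) 0` access list, it reports which inside subnets overlap the pool (hosts on such a subnet ARP locally for a VPN client address instead of replying through the PIX) and which subnets have no no-NAT entry toward the pool. The alternative pool `192.168.200.40-49` at the bottom is a constructed placeholder for the "change the vpn pool" idea, not a value from the post.

```python
import ipaddress

# Values taken from the post: PPTP pool, inside subnets, and access-list 101.
VPN_POOL = ("192.168.100.40", "192.168.100.49")
INSIDE_SUBNETS = ["10.10.30.0/24", "192.168.100.0/24"]
# One tuple per ACL line: (source network, destination network) exempted from NAT.
NO_NAT_ACL = [("10.10.30.0/24", "192.168.100.0/24")]


def pool_hosts(pool):
    """Expand a start-end address pair into the individual pool addresses."""
    start, end = (ipaddress.IPv4Address(a) for a in pool)
    return [ipaddress.IPv4Address(i) for i in range(int(start), int(end) + 1)]


def overlapping_subnets(pool, subnets):
    """Inside subnets that contain at least one VPN pool address.

    Inside hosts on such a subnet treat the VPN client as a local neighbour
    and ARP for it on the wire, so their replies never reach the PIX."""
    hosts = pool_hosts(pool)
    return [s for s in subnets
            if any(h in ipaddress.ip_network(s) for h in hosts)]


def subnets_without_no_nat(pool, subnets, acl):
    """Inside subnets whose traffic to every pool address is not matched by
    any nat 0 ACL line, and is therefore still subject to NAT."""
    hosts = pool_hosts(pool)
    missing = []
    for s in subnets:
        net = ipaddress.ip_network(s)
        covered = any(
            net.subnet_of(ipaddress.ip_network(src))
            and all(h in ipaddress.ip_network(dst) for h in hosts)
            for src, dst in acl)
        if not covered:
            missing.append(s)
    return missing


if __name__ == "__main__":
    print("pool overlaps:", overlapping_subnets(VPN_POOL, INSIDE_SUBNETS))
    print("no nat 0 entry:", subnets_without_no_nat(VPN_POOL, INSIDE_SUBNETS, NO_NAT_ACL))
    # Constructed placeholder pool outside both inside subnets.
    alt_pool = ("192.168.200.40", "192.168.200.49")
    print("alt pool overlaps:", overlapping_subnets(alt_pool, INSIDE_SUBNETS))
```

With the post's values the first two checks both flag 192.168.100.0/24, while the placeholder pool overlaps nothing.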