?
Solved

PIX 501 PPTP tunnel with internal hosts on same subnet as vpn client

Posted on 2009-04-03
2
Medium Priority
?
566 Views
Last Modified: 2012-06-21
PIX 501 6.3(5) -
inside: 10.10.30.1
ip pool for vpn: 192.168.100.40-192.168.100.49

Internal Network -
some devices on 10.10.30.0/24
some devices on 192.168.100.0/24
both subnets share the same ethernet segment (no VLAN's, just different ip's on the same wire)

VPN client: XP Pro pptp network connection (not a Cisco VPN client)

My inside network has 2 subnets, 10.10.30.0/24 and 192.168.100.0/24.  I need an external client to make a PPTP vpn connection to the PIX and access devices on the 192.168.100.0/24 subnet on the inside network.

When my client makes the connection, they get 192.168.100.40.  They can ping devices on 10.10.30.0/24, but not devices on 192.168.100.0/24.

I have a no-nat access list:
access-list 101 permit ip 10.10.30.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 101

I am thinking I need to put a router between the 10.10.30.0 network and 192.168.100.0, then change the vpn pool to something other than 192.168.100.0.  If I do that, and add a route in the PIX for 192.168.100.0 (e.g., route inside 192.168.100.0 255.255.255.0 10.10.30.<ip-of-router>).

My question is 2-fold:

1.  Can I access more than one subnet on the inside from a PPTP connection?

2.  If I put a router between 10.10.30.0 and 192.168.100.0, will the PPTP clients then be able to access that subnet?

Thanks.
0
Comment
Question by:snowdog_2112
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 1

Expert Comment

by:Hotwaffles
ID: 24209851
change the ip pool you are using for the vpn clients.  The issue I beleive is the pix thinks the vpn user is on its internal subnet because of the ip but it cannot route traffic back through the same interface.
0
 

Accepted Solution

by:
snowdog_2112 earned 0 total points
ID: 24356764
It was initially a different subnet, and that did not work either.  I believe the root problem is that the PIX does not support any internal network not configured on the inside interface (other than the VPN pool), and you can't add sub-interfaces on a PIX 501.

A VPN client, then, can only access devices in the VPN pool or the inside interface.  I considered a 2nd router and routing to the device I need to reach, but the end device does not support an IP gateway (yes, that's correct...IP address and subnet mask only - no entry for default gateway), so even if I can get packets *to* the device, they will not return to an intermediate router without a default gateway.

I solved this as "not possible with existing hardware".
0

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hi there, This article summarizes what you need if you are going to set up your home or small business Network Attached Storage (NAS) to be accessible from the internet. Of course there are configuration differences based on your NAS or router ma…
#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Course of the Month13 days, 21 hours left to enroll

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question