PIX 501 PPTP tunnel with internal hosts on same subnet as vpn client

PIX 501 6.3(5) -
inside: 10.10.30.1
ip pool for vpn: 192.168.100.40-192.168.100.49

Internal Network -
some devices on 10.10.30.0/24
some devices on 192.168.100.0/24
both subnets share the same ethernet segment (no VLANs, just different IPs on the same wire)

VPN client: XP Pro pptp network connection (not a Cisco VPN client)

My inside network has 2 subnets, 10.10.30.0/24 and 192.168.100.0/24.  I need an external client to make a PPTP vpn connection to the PIX and access devices on the 192.168.100.0/24 subnet on the inside network.

When my client makes the connection, they get 192.168.100.40.  They can ping devices on 10.10.30.0/24, but not devices on 192.168.100.0/24.

I have a no-nat access list:
access-list 101 permit ip 10.10.30.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 101

I am thinking I need to put a router between the 10.10.30.0 network and 192.168.100.0, then change the vpn pool to something other than 192.168.100.0.  If I do that, and add a route in the PIX for 192.168.100.0 (e.g., route inside 192.168.100.0 255.255.255.0 10.10.30.<ip-of-router>).

My question is 2-fold:

1.  Can I access more than one subnet on the inside from a PPTP connection?

2.  If I put a router between 10.10.30.0 and 192.168.100.0, will the PPTP clients then be able to access that subnet?

Thanks.
Asked by: snowdog_2112

1 Solution
Hotwaffles commented:
Change the IP pool you are using for the VPN clients.  The issue, I believe, is the PIX thinks the VPN user is on its internal subnet because of the IP, but it cannot route traffic back through the same interface.
snowdog_2112 (Author) commented:
It was initially a different subnet, and that did not work either.  I believe the root problem is that the PIX does not support any internal network not configured on the inside interface (other than the VPN pool), and you can't add sub-interfaces on a PIX 501.

A VPN client, then, can only access devices in the VPN pool or the inside interface.  I considered a 2nd router and routing to the device I need to reach, but the end device does not support an IP gateway (yes, that's correct...IP address and subnet mask only - no entry for default gateway), so even if I can get packets *to* the device, they will not return to an intermediate router without a default gateway.

I solved this as "not possible with existing hardware".
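The three situations discussed in this thread (the asker's original setup, the pool-inside-the-LAN-subnet case Hotwaffles suspected, and the asker's proposed router-plus-static-route fix) can be checked from the config text alone. The script below is an added example, not code or configuration from the thread or from Cisco: it parses a few PIX 6.3-style lines (interface address, ip local pool, route, access-list, nat 0) and reports a VPN pool that overlaps a subnet the PIX already has a path to, or a nat 0 destination subnet the PIX has neither an interface nor a route for. The config fragments are constructed to mirror the thread; the pool name pptp-pool, the 10.10.40.0/24 replacement pool and the router address 10.10.30.254 are assumptions, not values from the original post.

```python
import ipaddress

# Constructed PIX 6.3-style fragments (not copied from any real device).
# CFG_ASKER mirrors the thread: the pool sits in 192.168.100.0/24, which is on
# the wire but is not an interface subnet or a route on the PIX.
CFG_ASKER = """\
ip address inside 10.10.30.1 255.255.255.0
ip local pool pptp-pool 192.168.100.40-192.168.100.49
access-list 101 permit ip 10.10.30.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 101
"""

# CFG_OVERLAP is the case Hotwaffles suspected: pool carved out of the inside
# interface's own subnet.
CFG_OVERLAP = """\
ip address inside 10.10.30.1 255.255.255.0
ip local pool pptp-pool 10.10.30.40-10.10.30.49
access-list 101 permit ip 10.10.30.0 255.255.255.0 10.10.30.32 255.255.255.224
nat (inside) 0 access-list 101
"""

# CFG_ROUTED is the asker's proposed fix: pool on its own subnet (assumed
# 10.10.40.0/24) and a router at the assumed address 10.10.30.254 giving the
# PIX a static route to 192.168.100.0/24.
CFG_ROUTED = """\
ip address inside 10.10.30.1 255.255.255.0
ip local pool pptp-pool 10.10.40.1-10.10.40.254
route inside 192.168.100.0 255.255.255.0 10.10.30.254 1
access-list 101 permit ip 10.10.30.0 255.255.255.0 10.10.40.0 255.255.255.0
access-list 101 permit ip 192.168.100.0 255.255.255.0 10.10.40.0 255.255.255.0
nat (inside) 0 access-list 101
"""


def parse_config(text):
    """Extract interface subnets, address pools, static routes and the
    destinations of the access-list bound to nat 0. Only the line shapes used
    above are recognised (no 'any'/'host' keywords, one nat 0 statement)."""
    cfg = {"connected": {}, "pools": {}, "routes": [], "acls": {}, "nat0": None}
    for line in text.splitlines():
        f = line.split()
        if f[:2] == ["ip", "address"] and len(f) == 5:
            cfg["connected"][f[2]] = ipaddress.IPv4Interface(f"{f[3]}/{f[4]}").network
        elif f[:3] == ["ip", "local", "pool"] and len(f) == 5:
            lo, hi = f[4].split("-")
            cfg["pools"][f[3]] = (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
        elif f[:1] == ["route"] and len(f) >= 5:
            cfg["routes"].append((f[1], ipaddress.IPv4Network(f"{f[2]}/{f[3]}"), f[4]))
        elif f[:1] == ["access-list"] and f[2:4] == ["permit", "ip"] and len(f) == 8:
            cfg["acls"].setdefault(f[1], []).append(ipaddress.IPv4Network(f"{f[6]}/{f[7]}"))
        elif f[:1] == ["nat"] and len(f) == 5 and f[2] == "0" and f[3] == "access-list":
            cfg["nat0"] = f[4]
    cfg["acl_dst"] = cfg["acls"].get(cfg["nat0"], [])
    return cfg


def overlaps(lo, hi, net):
    """True if the address range lo..hi shares at least one address with net."""
    return lo <= net.broadcast_address and hi >= net.network_address


def hosts_within(net, lo, hi):
    """True if every usable host address of net lies inside lo..hi."""
    return lo <= net.network_address + 1 and hi >= net.broadcast_address - 1


def analyze(text):
    """Return findings about whether VPN clients can reach the subnets the
    nat 0 access-list promises them."""
    cfg = parse_config(text)
    # Every subnet the PIX itself has a path to: connected interfaces plus static routes.
    paths = list(cfg["connected"].items())
    paths += [(f"route via {gw} ({ifc})", net) for ifc, net, gw in cfg["routes"]]
    findings = []
    for pname, (lo, hi) in cfg["pools"].items():
        for where, net in paths:
            if overlaps(lo, hi, net):
                findings.append(f"pool {pname} ({lo}-{hi}) overlaps {net} on {where}: "
                                "the PIX cannot tell tunnel clients from LAN hosts in that range")
    for net in cfg["acl_dst"]:
        if any(overlaps(net.network_address, net.broadcast_address, p) for _, p in paths):
            continue  # an interface or route already covers this destination
        if any(hosts_within(net, lo, hi) for lo, hi in cfg["pools"].values()):
            continue  # the destination is just the VPN pool itself
        findings.append(f"{net} in the nat 0 ACL has no interface or route on the PIX: "
                        "only hosts that are themselves VPN clients in that range are reachable")
    return findings


if __name__ == "__main__":
    for name, cfg in [("asker", CFG_ASKER), ("overlap", CFG_OVERLAP), ("routed", CFG_ROUTED)]:
        print(name, analyze(cfg) or ["no findings"])
```

On the asker's fragment the only finding is the one the author eventually reached by hand: 192.168.100.0/24 is named as a no-NAT destination but the PIX has no interface or route for it, so only the pool addresses are reachable. The overlap fragment triggers the separate warning Hotwaffles described, and the routed fragment is clean, which is consistent with the author's note that the fix still fails in practice only because the end device cannot hold a default gateway, something no config check can see.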