PIX 501 PPTP tunnel with internal hosts on same subnet as vpn client

Posted on 2009-04-03
Last Modified: 2012-06-21
PIX 501 6.3(5) -
inside: 10.10.30.1
ip pool for vpn: 192.168.100.40-192.168.100.49

Internal Network -
some devices on 10.10.30.0/24
some devices on 192.168.100.0/24
both subnets share the same ethernet segment (no VLANs, just different IPs on the same wire)

VPN client: XP Pro pptp network connection (not a Cisco VPN client)

My inside network has 2 subnets, 10.10.30.0/24 and 192.168.100.0/24.  I need an external client to make a PPTP vpn connection to the PIX and access devices on the 192.168.100.0/24 subnet on the inside network.

When my client makes the connection, they get 192.168.100.40.  They can ping devices on 10.10.30.0/24, but not devices on 192.168.100.0/24.

I have a no-nat access list:
access-list 101 permit ip 10.10.30.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 101

I am thinking I need to put a router between the 10.10.30.0 network and 192.168.100.0, then change the vpn pool to something other than 192.168.100.0.  If I do that, and add a route in the PIX for 192.168.100.0 (e.g., route inside 192.168.100.0 255.255.255.0 10.10.30.<ip-of-router>).

My question is 2-fold:

1.  Can I access more than one subnet on the inside from a PPTP connection?

2.  If I put a router between 10.10.30.0 and 192.168.100.0, will the PPTP clients then be able to access that subnet?

Thanks.
Question by: snowdog_2112
Expert Comment by: Hotwaffles (ID: 24209851)
Change the IP pool you are using for the VPN clients. The issue, I believe, is the PIX thinks the VPN user is on its internal subnet because of the IP, but it cannot route traffic back through the same interface.
Accepted Solution by: snowdog_2112 (ID: 24356764)
It was initially a different subnet, and that did not work either.  I believe the root problem is that the PIX does not support any internal network not configured on the inside interface (other than the VPN pool), and you can't add sub-interfaces on a PIX 501.

A VPN client, then, can only access devices in the VPN pool or the inside interface.  I considered a 2nd router and routing to the device I need to reach, but the end device does not support an IP gateway (yes, that's correct...IP address and subnet mask only - no entry for default gateway), so even if I can get packets *to* the device, they will not return to an intermediate router without a default gateway.

I solved this as "not possible with existing hardware".
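The three outcomes discussed in this thread (the original overlapping pool, Hotwaffles' suggestion of moving the pool, and the accepted answer's second-router idea defeated by a device with no default gateway) can be checked with a small forwarding model. The script below is an added example, not code from the thread or from Cisco; it models the PIX as holding only a host route for the connected PPTP client, the connected inside network (10.10.30.1/24 from the question), any `route inside` statements, and a default route out the outside interface, and models inside hosts as ARPing for any address inside their own prefix and sending everything else to their default gateway. All host, router and alternative-pool addresses (10.10.30.5, 192.168.100.50, 10.10.30.254, 192.168.100.254, 172.16.50.40) are constructed placeholders.

```python
import ipaddress

# Constructed model of the thread's topology (not PIX configuration and not
# the poster's code). The PIX inside address is the one given in the
# question; every other address used below is a made-up example value.
PIX_INSIDE = ipaddress.ip_interface("10.10.30.1/24")


def pix_forward(dst, client_ip, static_routes=()):
    """Simulated PIX forwarding decision for a packet addressed to dst.

    Assumed routing table, in lookup order: a host route for the connected
    PPTP client (pointing into the tunnel), the connected inside network,
    any 'route inside <net> <mask> <gw>' statements, and a default route
    out the outside interface. The VPN pool itself is not a connected
    network, so an address that merely lies in the pool's prefix but is not
    the connected client falls through to the default route.
    """
    dst = ipaddress.ip_address(str(dst))
    if dst == ipaddress.ip_address(client_ip):
        return "tunnel"
    if dst in PIX_INSIDE.network:
        return "inside-connected"
    for net, gw in static_routes:
        if dst in ipaddress.ip_network(net):
            return "inside-via-" + gw
    return "outside-default"


def host_reply(host_if, gateway, client_ip):
    """Where an inside host sends its reply to the VPN client's address.

    Standard host behaviour: an address inside the host's own prefix is
    resolved with ARP on the wire; anything else goes to the default
    gateway, if the host has one.
    """
    host = ipaddress.ip_interface(host_if)
    client = ipaddress.ip_address(client_ip)
    if client in host.network:
        return "arp-on-wire"      # nobody on the wire owns a tunnel address
    if gateway is None:
        return "no-gateway"
    return "to-gateway-" + gateway


def vpn_client_can_reach(client_ip, host_if, host_gateway, static_routes=()):
    """Return (reachable, reason) for a PPTP client talking to an inside host.

    Assumption: a gateway named in host_gateway is either the PIX itself or a
    router that can deliver packets back to the PIX.
    """
    host = ipaddress.ip_interface(host_if)
    fwd = pix_forward(host.ip, client_ip, static_routes)
    if fwd == "outside-default":
        return False, "PIX has no inside route for %s; packet leaves via the default route" % host.ip
    if fwd == "tunnel":
        return False, "host address collides with the VPN client's own address"
    back = host_reply(host_if, host_gateway, client_ip)
    if back == "arp-on-wire":
        return False, "host treats %s as on-link and ARPs for it instead of routing" % client_ip
    if back == "no-gateway":
        return False, "host has no default gateway, so its reply cannot leave the subnet"
    return True, "forward: %s, reply: %s" % (fwd, back)


def scenarios():
    """The cases discussed in the thread, with constructed host addresses."""
    via_router = [("192.168.100.0/24", "10.10.30.254")]   # hypothetical router
    return {
        "pool 192.168.100.x, host on 10.10.30.0/24":
            vpn_client_can_reach("192.168.100.40", "10.10.30.5/24", "10.10.30.1"),
        "pool 192.168.100.x, host on 192.168.100.0/24":
            vpn_client_can_reach("192.168.100.40", "192.168.100.50/24", None),
        "pool moved to 172.16.50.x, no route on PIX":
            vpn_client_can_reach("172.16.50.40", "192.168.100.50/24", None),
        "pool moved, static route via router, host has no gateway":
            vpn_client_can_reach("172.16.50.40", "192.168.100.50/24", None, via_router),
        "pool moved, static route via router, host uses router as gateway":
            vpn_client_can_reach("172.16.50.40", "192.168.100.50/24", "192.168.100.254", via_router),
        "pool left overlapping, static route via router, host has gateway":
            vpn_client_can_reach("192.168.100.40", "192.168.100.50/24", "192.168.100.254", via_router),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print("%-68s %s  (%s)" % (name, "OK" if ok else "FAIL", why))
```

Running it shows the two failure modes separately: with the pool overlapping the inside subnet, the reply path breaks because the host ARPs for the client address on the wire; with the pool moved but no route on the PIX, the forward path breaks because the packet follows the default route; and with a second router in place, the only remaining blocker is exactly the one the accepted answer names, a target device with no default gateway.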