
Internal Network Access From VPN Question

Status
Not open for further replies.

judgestone

IS-IT--Management
Oct 16, 2006
Here is present scenario:

PIX 506e, VPN users set up in it, to remote into our network. The problem I am having is:

Internal firewall interface address: 10.10.60.X, and it is connected to a layer 3 switch with VLANs ranging from 10.10.60.X - 10.10.69.X. All internal 60.X - 69.X IPs can talk to each other and have been configured in the firewall and have no problems communicating. The firewall's internal port is connected to the default 10.10.60.X interface on the switch, and all other 10.10.60.X IPs have a default gateway of 10.10.60.254 (the switch's VLAN address). Again, all can talk as long as all 60.X's have a DGW of 10.10.60.254.

Now, when a remote user remotes in using a VPN connection, someone before me set up their addresses to be 192.168.60.X. The users can connect no problem, but now since I have moved some servers to a 10.10.66.X address, they cannot talk to them. They can still talk to servers with 10.10.60.XX addresses, no problem.

How do I get the 192.168.60 addresses to talk to other subnets that I have configured on my network/switch, and already configured in firewall for internal communications?

Any help will be greatly appreciated, and if you need more info please advise.
 
I may have answered my own question. I honestly haven't looked at the default gateway for the 10.10.60.X address of the firewall. I believe it is its own IP address, and therefore routes back through itself for authority and internal to external traffic. I know that it is running DHCP and hands out 10.10.60.XX with itself as the default gateway and DNS for clients. I now have internal DNS and internal VLANs on the layer 3 switch, and I am manually configuring each client's PC with a 10.10.68.X address, a default gateway of 10.10.68.254, and 10.10.66.X and 10.10.63.X for DNS. Any client PC that gets a 10.10.60.X address from the PIX cannot talk to the other server, etc., since their default gateway is the PIX's IP address. But wait, I can ping any VLAN 60.X - 69.X address from the PIX itself? Excuse me, I think it is because it is plugged into the 10.10.60.254 switch's VLAN ports, and since the switch itself is 10.10.60.254 and the switch's default gateway is the PIX, that is why.

Again, I think it has something to do with the default gateway setup. But, if I were to put 10.10.60.254 as the PIX's default gateway, and if 10.10.60.254 has the PIX's address as its default gateway, wouldn't that just cause a loop or an extensive amount of network traffic?
 
DHCP on the PIX is basic and you would in most cases be better off using either one of your routers or a server as the DHCP server. The PIX will always set itself as the gateway and I'm 100% sure if you can actually change that, so if you have an old PC gathering dust somewhere you might just install basic Linux and then use it as a DHCP server, as it wouldn't need a lot of resources. Another, more complicated solution is to set up multiple logical interfaces and to enable a different pool for each logical interface.

Hope that helps
 
Yes, I am manually configuring clients now with static IP addresses to be able to tell more from my syslogs. I will know that it is a specific PC and user now versus trying to look at DHCP logs and find the user.

The problem, it looks like, is that when a remote user logs in to our VPN, they receive a 192.168.60.X address and it is a host address on the outside interface. I did an ipconfig on a test PC logged into the VPN and it showed the actual IP address as its default gateway. Again, it can ping any server/PC that has an IP address of 10.10.60.X, I assume since the PIX's IP is 10.10.60.1.

I have tried a few things. I tried adding a route for 192.168.60.0 on the outside interface to 10.10.60.254 (layer 3 switch) and even to 10.10.60.1 itself. I have tried every routing option that I can think of to no avail.

I could just set up a file server on a 10.10.60.X address and set domain policy to map to it, but that bypasses why I set up my internal VLANs in the first place with the server being 10.10.66.X.

I have even changed the 192.168.60.X VPN addresses to 192.168.66.X and set a route for this to 10.10.66.254 (the layer 3 switch's IP). I guess I could create a 192.168.60.X VLAN on the switch with a default GW of 192.168.60.254 on the switch and set this info in the PIX. The problem I see with that is that there will be no physical connection into the VLAN port on the switch, and from what I see and understand you would have to have something plugged into that port to "enable" it, or it pings back not available, etc.

I just want my VPN remote users with 192.168.60.X addresses to be able to reach 10.10.66.X on my internal network. Again, they can reach any 10.10.60.X address no problem.
 
I figured it out. It was just a simple matter of putting in an access rule versus trying to configure routes or rules in the VPN connections.
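The thread ends with the fix being an access rule rather than a route, but it does not show the rule. The check below is an added example, not anything posted in this thread: it parses constructed PIX-style `access-list ... permit ip` lines and reports which of the 10.10.60.0/24 - 10.10.69.0/24 VLANs the 192.168.60.0/24 VPN pool is not permitted to reach, reproducing the symptom (only 10.10.60.X reachable) and confirming the corrected rule set covers every VLAN. The ACL name `vpn_in` and the subnet masks are assumptions; whether the rule that actually mattered was an interface ACL or a NAT exemption depends on the PIX configuration, which the thread does not give.

```python
import ipaddress

# Constructed PIX-style ACL lines (not from the thread); each plain ACE has the form
# access-list NAME permit ip SRC SRC_MASK DST DST_MASK
BEFORE_ACL = """
access-list vpn_in permit ip 192.168.60.0 255.255.255.0 10.10.60.0 255.255.255.0
"""

# Assumed corrected rules: three ACEs covering 10.10.60-63, 10.10.64-67 and 10.10.68-69
AFTER_ACL = """
access-list vpn_in permit ip 192.168.60.0 255.255.255.0 10.10.60.0 255.255.252.0
access-list vpn_in permit ip 192.168.60.0 255.255.255.0 10.10.64.0 255.255.252.0
access-list vpn_in permit ip 192.168.60.0 255.255.255.0 10.10.68.0 255.255.254.0
"""

VPN_POOL = ipaddress.ip_network("192.168.60.0/24")
# Internal VLANs as described in the thread: 10.10.60.0/24 through 10.10.69.0/24
INTERNAL_VLANS = [ipaddress.ip_network(f"10.10.{n}.0/24") for n in range(60, 70)]


def parse_aces(text):
    """Return (src_net, dst_net) pairs for every 'permit ip' ACE in the ACL text."""
    pairs = []
    for line in text.strip().splitlines():
        parts = line.split()
        # Skip blank lines and anything that is not a plain permit-ip ACE
        if len(parts) != 8 or parts[0] != "access-list" or parts[2:4] != ["permit", "ip"]:
            continue
        src = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)
        dst = ipaddress.ip_network(f"{parts[6]}/{parts[7]}", strict=False)
        pairs.append((src, dst))
    return pairs


def unreachable_vlans(acl_text, pool=VPN_POOL, vlans=INTERNAL_VLANS):
    """List the internal VLANs that no ACE permits the whole VPN pool to reach."""
    aces = parse_aces(acl_text)
    missing = []
    for vlan in vlans:
        covered = any(pool.subnet_of(src) and vlan.subnet_of(dst) for src, dst in aces)
        if not covered:
            missing.append(str(vlan))
    return missing


if __name__ == "__main__":
    print("before:", unreachable_vlans(BEFORE_ACL))  # nine VLANs 10.10.61-69 unreachable
    print("after: ", unreachable_vlans(AFTER_ACL))   # []
```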
 