[c-nsp] Client VPN issue with PIX v6.3

Tony td_miles at yahoo.com
Sun Nov 29 23:33:10 EST 2009


Hi Graham,

If I understand correctly then you're saying that when you have a VPN client session open you can't access subnets that are on the outside of your PIX from the client that has the VPN session up ?

Would the subnet in question be accessible from the client if it did NOT use a VPN tunnel (i.e. is the subnet a generally accessible Internet address)?

If the subnet is accessible without the client tunnel up, then what you need is split tunneling. If this isn't working then you need to look at why it isn't.

If this isn't what you want, and you actually WANT traffic to go from the client across the VPN tunnel to the PIX and then back out the outside interface, then 6.3 won't support this.

You need to have at least 7.2.1 or higher code and use the command:

same-security-traffic permit intra-interface

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167


regards,
Tony.
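To make the two options above concrete, here is an added configuration sketch that is not part of Tony's reply or of any Cisco document. It uses ASA 7.2-era syntax (pre-8.3 NAT), and every name and address in it (RA_POLICY, RA_GROUP, VPN_POOL, SPLIT_TUNNEL, 192.168.200.0/24, 10.10.0.0/16, 203.0.113.0/24) is a constructed placeholder. The first block is the split-tunnel case, where a subnet reachable from the Internet is simply left out of the split list so the client reaches it directly; the second block is the hairpin case, which needs 7.2(1) or later, the intra-interface permit, and a NAT rule on the outside interface for the client pool.

```cisco
! ---- Option A: split tunneling (works on 6.3 and later) ----
! Only the private networks behind the PIX go through the tunnel.
! Anything NOT listed (e.g. the Internet-reachable 203.0.113.0/24,
! a constructed example) leaves the client directly, not via the PIX.
ip local pool VPN_POOL 192.168.200.1-192.168.200.50 mask 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.10.0.0 255.255.0.0

group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

tunnel-group RA_GROUP type ipsec-ra
tunnel-group RA_GROUP general-attributes
 address-pool VPN_POOL
 default-group-policy RA_POLICY

! ---- Option B: hairpin all client traffic through the PIX (7.2(1)+) ----
! Client traffic arrives on "outside", is decrypted, and must leave via
! "outside" again. Three things are required:
!  1. permit traffic to enter and exit the same interface,
!  2. tunnel everything (no split list), so the client sends it to the PIX,
!  3. NAT the client pool on the outside interface so return traffic
!     comes back to the PIX rather than to the unroutable pool addresses.
same-security-traffic permit intra-interface

group-policy RA_POLICY attributes
 split-tunnel-policy tunnelall

nat (outside) 1 192.168.200.0 255.255.255.0
global (outside) 1 interface
```

With Option B every packet from a connected client, Internet-bound included, is subject to the PIX's outbound access policy and shows up in its logs, which is the usual reason to prefer it over split tunneling when the device supports it. On 6.3 only Option A is available, so a subnet "past the outside interface" must be reachable from the client without the tunnel, and it must be absent from the split list, not added to it.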


--- On Mon, 30/11/09, Graham Wooden <graham at g-rock.net> wrote:

> From: Graham Wooden <graham at g-rock.net>
> Subject: [c-nsp] Client VPN issue with PIX v6.3
> To: "cisco-nsp" <cisco-nsp at puck.nether.net>
> Received: Monday, 30 November, 2009, 2:53 PM
> Hi all,
> 
> One of my VPN devices is a 525 running v6.3.5.  I am having an issue with
> Client VPN sessions coming in on the outside interface while accessing
> subnets that are reached by the outside interface. I can access the "inside"
> interface addresses just fine.  Is there some sort of limitation that I
> can't access subnets out past the outside interface while having VPN
> sessions terminating on the same interface?  I tried to add these subnets to
> the split-tunnel acl with no love either.
> 
> Thoughts?  I have a v7.0.2 525 that is being tied up with another setup, so
> I can't test on 7.x code - but if an upgrade is needed to solve this, let
> me know...
> 
> Thanks!
> 
> -graham
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 




