[c-nsp] Client VPN issue with PIX v6.3

Graham Wooden graham at g-rock.net
Sun Nov 29 23:42:25 EST 2009


Right, the subnet that I need access to is not publicly routable but is on
outside of this particular interface.

Thanks to you and everyone that chimed in.  I am going to see if I can
re-purpose my other 525 running 7.0.2 and get it upgraded to 7.2 or do an
upgrade on this one.

-graham


On 11/29/09 10:33 PM, "Tony" <td_miles at yahoo.com> wrote:

> Hi Graham,
> 
> If I understand correctly then you're saying that when you have a VPN client
> session open you can't access subnets that are on the outside of your PIX from
> the client that has the VPN session up ?
> 
> Would the subnet in question be accessible from the client if it did NOT use a
> VPN tunnel (ie. is the subnet a generally accessible Internet address) ?
> 
> If the subnet is accessible without the client tunnel up, then what you need
> is split tunneling. If this isn't working then you need to look at why it
> isn't.
> 
> If this isn't what you want, and you actually WANT traffic to go from client
> across the VPN tunnel to PIX and then back out the outside interface then a
> 6.3 won't support this.
> 
> You need to have at least 7.2.1 or higher code and use the command:
> 
> same-security-traffic permit intra-interface
> 
> http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
> 
> 
> regards,
> Tony.
> 
> 
> --- On Mon, 30/11/09, Graham Wooden <graham at g-rock.net> wrote:
> 
>> From: Graham Wooden <graham at g-rock.net>
>> Subject: [c-nsp] Client VPN issue with PIX v6.3
>> To: "cisco-nsp" <cisco-nsp at puck.nether.net>
>> Received: Monday, 30 November, 2009, 2:53 PM
>> Hi all,
>> 
>> One of my VPN devices is a 525 running v6.3.5.  I am having an issue with
>> Client VPN sessions coming in on the outside interface while accessing
>> subnets that are reached by outside interface. I can access the "inside"
>> interface addresses just fine.  Is there some sort of limitation that I
>> can't access subnets out past the outside interface while having VPN
>> sessions terminating on the same interface?  I tried to add these subnets to
>> the split-tunnel acl with no love either.
>> 
>> Thoughts?  I have a v7.0.2 525 that is being tied up with another setup, so
>> I can't test on 7.x code - but if an upgrade is needed to solve this, let
>> me know...
>> 
>> Thanks!
>> 
>> -graham
>> 
>> 
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>> 
> 
> 
> 
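As an added check (not from the thread or from Cisco), assuming the running-config header format "PIX Version x.y(z)" / "ASA Version x.y(z)": a small Python audit that tells you whether a PIX/ASA config meets both conditions Tony lists, the 7.2(1)-or-later code level and the intra-interface command, before you rely on client-VPN traffic being able to go back out the outside interface.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Per the thread: sending client-VPN traffic back out the interface it arrived
# on (hairpinning) needs PIX/ASA 7.2(1) or later plus the command below.
MIN_VERSION = (7, 2, 1)
HAIRPIN_CMD = "same-security-traffic permit intra-interface"

# Header line of a PIX/ASA running-config, e.g. "PIX Version 7.2(4)".
VERSION_RE = re.compile(r"^(?:PIX|ASA) Version (\d+)\.(\d+)\((\d+)\)", re.MULTILINE)


class HairpinCheck(NamedTuple):
    version: Optional[Tuple[int, int, int]]
    version_ok: bool
    command_present: bool

    def supported(self) -> bool:
        return self.version_ok and self.command_present


def parse_version(config: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, maintenance) from the config header, or None."""
    m = VERSION_RE.search(config)
    return tuple(int(g) for g in m.groups()) if m else None


def check_hairpin(config: str) -> HairpinCheck:
    """Decide whether this config can hairpin VPN-client traffic on one interface."""
    version = parse_version(config)
    version_ok = version is not None and version >= MIN_VERSION
    # Match the command as a whole line: a substring match would also accept
    # a negated form such as "no same-security-traffic permit intra-interface".
    present = any(line.strip() == HAIRPIN_CMD for line in config.splitlines())
    return HairpinCheck(version, version_ok, present)


# Constructed sample config excerpts (not the poster's real configs).
PIX_63 = "PIX Version 6.3(5)\nnameif ethernet0 outside security0\n"
PIX_72_MISSING = "PIX Version 7.2(4)\nhostname pix525\n"
PIX_72_FIXED = "PIX Version 7.2(4)\nhostname pix525\n" + HAIRPIN_CMD + "\n"

if __name__ == "__main__":
    for name, cfg in [("6.3", PIX_63), ("7.2 no cmd", PIX_72_MISSING), ("7.2 ok", PIX_72_FIXED)]:
        print(name, check_hairpin(cfg))
```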



