Tom's Hardware Forums » General Networking » Firewall » PIX VPN: can't see the whole network
 

PIX VPN: can't see the whole network





Archived from groups: comp.dcom.sys.cisco, comp.dcom.vpn, comp.security.firewalls

 

I just set up VPN on a PIX 525, and I need some assistance. Our network
consists of networks in either 10.32.0.0 or 10.26.0.0. With these networks,
we may have subnets such as 10.32.10.0, 10.26.50.0...etc (you get the idea).
So when setting up the VPN, here's the lines I used:

access-list split-tunnel permit ip 10.32.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list split-tunnel permit ip 10.26.0.0 255.255.0.0 192.168.50.0 255.255.255.0

and

access-list nat0 permit ip 10.32.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list nat0 permit ip 10.26.0.0 255.255.0.0 192.168.50.0 255.255.255.0

Ok, from what I know from my limited experience, I expect that everyone
coming in via VPN should have access to the 10.32.0.0 and 10.26.0.0
networks. But that doesn't appear to be the case....since some servers and
other equipment within those networks aren't accessible when connected via
VPN (By the way, the Cisco VPN client is showing the "secured routes" as
being 10.26.0.0 255.255.0.0 and 10.32.0.0 255.255.0.0).

An example would be servers or routers/switches on 10.26.16.0...or
10.32.35.0. I simply can't access them when I'm connected via this PIX VPN.
When I try to ping their IP addresses, it simply times out. Can someone
please help me in figuring out why I can access "most" equipment on my two
networks while I can't access others?

Thanks much in advance!


 

Are you absolutely certain that this is not a simple route issue?

Meaning that the 10.x network knows the route back to the Cisco VPN clients ...
(try from a server to ping the clients)
and that you do not have any personal firewall services installed on
servers/clients

else try post your cfg

hth
Martin Bilgrav



 

"Martin Bilgrav" <bilgravCUTTHISOUT@image.dk> wrote in message
news:Xb4Te.66830$Fe7.224543@news000.worldonline.dk...
> Are you absolutely certain that this is not a simple route issue?
>
> Meaning that the 10.x network knows the route back to the Cisco VPN clients ...
> (try from a server to ping the clients)
> and that you do not have any personal firewall services installed on
> servers/clients

That's really what I'm trying to figure out. Also, as I mentioned before,
this is not a case in which the VPN clients can't get *anywhere* on the
network. For instance, when I connect from home to VPN, I'm able to get to
most (I'll give a rough estimate of 85%) of whatever I need to get access
to. By the way, we're very heavy into VLANs here... in case that might have
anything to do with it.

So, it's only a few VLANs here and there that I cannot get access to. The
main reason I got word of this problem was that while connected to this new
VPN, we can no longer get access to a few of our routers or switches... so
we can't administer them while at home (which we really need to be able to
do).

I should also mention here that the whole reason for the Cisco VPN is that
we're trying to get rid of the Microsoft PPTP VPN currently in place. When
connected to the Microsoft VPN, I have access to *everything*.


 

Please verify your route statements/protocols, and whether there are any VACLs in
place, ACLs on routers, etc.
The IP pool used for VPN must be routed and allowed.

GL

HTH

Martin

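To make the two suggestions in this thread concrete, here is a small checker (added example, not something either poster wrote). It parses the split-tunnel and nat0 access-lists exactly as posted, confirms that a target host such as 10.26.16.1 or 10.32.35.10 is covered by both, and then does what Martin asks for: it walks the return path from the target's VLAN router back to the PIX inside interface and reports whether the 192.168.50.0/24 client pool is actually routed there. The PIX inside address, the router addresses and their route tables are constructed assumptions for illustration; the thread does not give them.

```python
"""Diagnose why a host behind a PIX remote-access VPN does not answer.

Added example, not from the thread: it parses the split-tunnel and nat0
access-lists the poster showed, checks that a target host is covered by both,
and then walks the return path from the target's VLAN router back to the PIX
inside interface to see whether the 192.168.50.0/24 client pool is routed.
The PIX inside address, router addresses and route tables below are
constructed assumptions, not anything the thread states.
"""
import ipaddress
import re

N = ipaddress.ip_network

# The four ACL lines from the post (split-tunnel and nat0 share the same pairs).
PIX_CONFIG = """
access-list split-tunnel permit ip 10.32.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list split-tunnel permit ip 10.26.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list nat0 permit ip 10.32.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list nat0 permit ip 10.26.0.0 255.255.0.0 192.168.50.0 255.255.255.0
"""

# Assumed PIX inside interface address: the hop every return path must end on.
PIX_INSIDE = "10.32.1.1"

# Constructed VLAN routers: the subnet each one serves and its forwarding table.
ROUTERS = {
    "10.32.1.2": {"serves": [N("10.32.10.0/24")],             # core, default to PIX
                  "routes": [(N("0.0.0.0/0"), "10.32.1.1")]},
    "10.26.1.2": {"serves": [N("10.26.50.0/24")],             # reaches PIX via core
                  "routes": [(N("0.0.0.0/0"), "10.32.1.2")]},
    "10.26.16.1": {"serves": [N("10.26.16.0/24")],            # default still points at the old PPTP box
                   "routes": [(N("0.0.0.0/0"), "10.26.1.5")]},
    "10.32.35.1": {"serves": [N("10.32.35.0/24")],            # only a 10/8 summary, nothing for 192.168.50/24
                   "routes": [(N("10.0.0.0/8"), "10.32.1.2")]},
}

ACL_RE = re.compile(r"access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_pix_acl(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for PIX 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((N(f"{src}/{smask}"), N(f"{dst}/{dmask}")))
    return acls


def acl_covers(acls, name, inside_host, vpn_client):
    """split-tunnel and nat0 entries are written inside-network -> client-pool."""
    return any(inside_host in src and vpn_client in dst for src, dst in acls.get(name, []))


def longest_match(routes, dst):
    """Classic longest-prefix match; returns the next hop or None."""
    best = None
    for net, nh in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def trace_return_path(routers, first_hop, dst, pix_inside, max_hops=8):
    """Follow next hops for dst from first_hop until we reach the PIX or fail."""
    path = [first_hop]
    cur = first_hop
    for _ in range(max_hops):
        nh = longest_match(routers[cur]["routes"], dst)
        if nh is None:
            return "no route", path
        path.append(nh)
        if nh == pix_inside:
            return "ok", path
        if nh not in routers:
            return "leaves known network", path
        if path.count(nh) > 1:
            return "loop", path
        cur = nh
    return "too many hops", path


def diagnose(config, routers, target, vpn_client, pix_inside):
    """List reasons a VPN client might not reach target; empty list means all checks pass."""
    target, vpn_client = ipaddress.ip_address(target), ipaddress.ip_address(vpn_client)
    acls = parse_pix_acl(config)
    findings = [f"{name}: no entry for {target} <-> {vpn_client}"
                for name in ("split-tunnel", "nat0")
                if not acl_covers(acls, name, target, vpn_client)]
    gateways = [ip for ip, r in routers.items() if any(target in n for n in r["serves"])]
    if not gateways:
        findings.append(f"no known router serves {target}")
    for gw in gateways:
        status, path = trace_return_path(routers, gw, vpn_client, pix_inside)
        if status != "ok":
            findings.append(f"return path from {gw}: {status} via {' -> '.join(path)}")
    return findings


if __name__ == "__main__":
    for host in ("10.32.10.20", "10.26.16.1", "10.32.35.10"):
        print(host, diagnose(PIX_CONFIG, ROUTERS, host, "192.168.50.7", PIX_INSIDE) or ["ok"])
```

With the assumed tables, the hosts on 10.32.10.0 and 10.26.50.0 pass every check, while 10.26.16.1 fails because its router's default route still points at the old PPTP server and 10.32.35.10 fails because its router has no route at all for the 192.168.50.0/24 pool; both look identical from the client side (a ping that times out), which is why pinging the client from the server, as Martin suggests, is the quickest way to tell an ACL problem from a routing one.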

