
graham at g-rock
Nov 29, 2009, 8:42 PM
Post #6 of 6
Right, the subnet that I need access to is not publicly routable but is on the outside of this particular interface. Thanks to you and everyone that chimed in. I am going to see if I can re-purpose my other 525 running 7.0.2 and get it upgraded to 7.2 or do an upgrade on this one.

-graham

On 11/29/09 10:33 PM, "Tony" <td_miles [at] yahoo> wrote:

> Hi Graham,
>
> If I understand correctly then you're saying that when you have a VPN client
> session open you can't access subnets that are on the outside of your PIX from
> the client that has the VPN session up?
>
> Would the subnet in question be accessible from the client if it did NOT use a
> VPN tunnel (i.e. is the subnet a generally accessible Internet address)?
>
> If the subnet is accessible without the client tunnel up, then what you need
> is split tunneling. If this isn't working then you need to look at why it
> isn't.
>
> If this isn't what you want, and you actually WANT traffic to go from client
> across the VPN tunnel to PIX and then back out the outside interface then a
> 6.3 won't support this.
>
> You need to have at least 7.2.1 or higher code and use the command:
>
> same-security-traffic permit intra-interface
>
> http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
>
> regards,
> Tony.
>
> --- On Mon, 30/11/09, Graham Wooden <graham [at] g-rock> wrote:
>
>> From: Graham Wooden <graham [at] g-rock>
>> Subject: [c-nsp] Client VPN issue with PIX v6.3
>> To: "cisco-nsp" <cisco-nsp [at] puck>
>> Received: Monday, 30 November, 2009, 2:53 PM
>>
>> Hi all,
>>
>> One of my VPN devices is a 525 running v6.3.5. I am having an issue with
>> Client VPN sessions coming in on the outside interface while accessing
>> subnets that are reached by the outside interface. I can access the "inside"
>> interface addresses just fine. Is there some sort of limitation that I
>> can't access subnets out past the outside interface while having VPN
>> sessions terminating on the same interface? I tried to add these subnets to
>> the split-tunnel acl with no love either.
>>
>> Thoughts? I have a v7.0.2 525 that is being tied up with another setup, so
>> I can't test on 7.x code - but if an upgrade is needed to solve this, let
>> me know...
>>
>> Thanks!
>>
>> -graham
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp [at] puck
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
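A worked configuration for the U-turn case Tony describes (client traffic enters the tunnel on outside, is decrypted, and leaves again through outside to a subnet that is only reachable from that side), as an added example that is not part of the original thread or of Cisco's documentation. It assumes PIX/ASA 7.2(1) or later code, a hypothetical client pool 192.168.100.0/24, a hypothetical destination 10.20.0.0/24 behind the outside interface, and made-up object names (VPNPOOL, SPLIT_TUNNEL, VPN_FILTER, RA_POLICY, RA_TUNNEL); substitute your own. The split-tunnel ACL alone does not make the subnet reachable, which matches what Graham saw on 6.3: the piece 6.3 lacks is the intra-interface permit, so the ACL only tells the client to send that subnet into the tunnel.

```text
! Let decrypted VPN-client traffic leave through the interface it arrived on.
! This is the command Tony names; without it the firewall drops the U-turn.
same-security-traffic permit intra-interface

! Hypothetical address pool handed to remote-access clients.
ip local pool VPNPOOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

! Only the outside-side subnet is tunnelled; everything else stays local.
! Listing the subnet here is necessary but not sufficient (see above).
access-list SPLIT_TUNNEL standard permit 10.20.0.0 255.255.255.0

! The hairpinned flow is PAT'ed to the outside interface address, so the
! remote subnet replies to the firewall rather than to the client's pool
! address, which it has no route for. (If the far side can route the pool,
! an identity NAT via 'nat (outside) 0 access-list ...' is the alternative.)
nat (outside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface

! Decrypted VPN traffic bypasses the interface ACL by default
! ('sysopt connection permit-vpn'), so the U-turn is not filtered by the
! outside ACL. Constrain it per group with a vpn-filter instead; the ACL is
! written with the client as source.
access-list VPN_FILTER extended permit ip 192.168.100.0 255.255.255.0 10.20.0.0 255.255.255.0

group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-filter value VPN_FILTER

tunnel-group RA_TUNNEL type ipsec-ra
tunnel-group RA_TUNNEL general-attributes
 address-pool VPNPOOL
 default-group-policy RA_POLICY

! Checks after the upgrade (packet-tracer is a 7.2 feature; addresses are the
! hypothetical ones above). The trace should end in ALLOW with the egress
! interface shown as outside, and the NAT phase should show the PAT rule.
show running-config same-security-traffic
show running-config nat
packet-tracer input outside icmp 192.168.100.10 8 0 10.20.0.5 detailed
```

Two things worth checking before relying on this: that the split-tunnel list and the vpn-filter agree (a subnet in one but not the other fails in a way that looks like the original symptom), and that the PAT to the interface address is acceptable to whatever sits on 10.20.0.0/24, since it will see every client as the firewall's outside address.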