Pix 506e, VPN, and overlapping pools... a love story

Discussion in 'Cisco' started by Nate Smith, Oct 21, 2003.

  1. Nate Smith

    Nate Smith Guest

    Hi gurus:

    I'm a software developer and not much of a hardware guy so please bear with
    me. I'm trying to set up my Cisco 506e VPN and am not understanding
    something. I am using the PDM and running the VPN wizard. Everything is
    fine until the step where I tell the VPN which block of IPs to use for
    remote connections. I set up my DHCP to give out 192.168.1.100 -
    192.168.1.254. I have some static internal IPs set up for a domain server
    and some printers. They are down in the 192.168.1.2-x.x.x.6 range. My
    intention was to give incoming VPN clients 192.168.1.50-192.168.1.99 but it
    tells me that the pool I am trying to define overlaps a global pool. I have
    the following in my config:

    global (outside) 2 interface
    global (inside) 1 192.168.1.10-192.168.1.254 netmask 255.255.255.0

    I guess I'm not understanding what global is for. I would like the internal
    IP layout to look like this:

    192.168.1.1 = PIX
    192.168.1.2-49 = Internal Statics
    192.168.1.50-99 = VPN Clients
    192.168.1.100-254 = Internal DHCP Clients

    I was able to give the pool of 10.10.0.1 - 10.10.0.255 and get the thing
    working. Was able to connect, authenticate, etc. I had a 10.10.0.1 IP on
    the client and was able to communicate with it. But I want the VPN clients
    to be on the same subnet as the internal clients.

    Any clarification on this would be GREATLY appreciated! I'm oso lost.

    Best regards,

    Nate
    Nate Smith, Oct 21, 2003
    #1

  2. Brian V

    Brian V Guest

    They can't be. The VPN users must be on a separate subnet from the internal
    users. The PIX won't allow it.

    "Nate Smith" <> wrote in message
    news:...
    > Hi gurus:
    >
    > I'm a software developer and not much of a hardware guy so please bear with
    > me. I'm trying to set up my Cisco 506e VPN and am not understanding
    > something. I am using the PDM and running the VPN wizard. Everything is
    > fine until the step where I tell the VPN which block of IPs to use for
    > remote connections. I set up my DHCP to give out 192.168.1.100 -
    > 192.168.1.254. I have some static internal IPs set up for a domain server
    > and some printers. They are down in the 192.168.1.2-x.x.x.6 range. My
    > intention was to give incoming VPN clients 192.168.1.50-192.168.1.99 but it
    > tells me that the pool I am trying to define overlaps a global pool. I have
    > the following in my config:
    >
    > global (outside) 2 interface
    > global (inside) 1 192.168.1.10-192.168.1.254 netmask 255.255.255.0
    >
    > I guess I'm not understanding what global is for. I would like the internal
    > IP layout to look like this:
    >
    > 192.168.1.1 = PIX
    > 192.168.1.2-49 = Internal Statics
    > 192.168.1.50-99 = VPN Clients
    > 192.168.1.100-254 = Internal DHCP Clients
    >
    > I was able to give the pool of 10.10.0.1 - 10.10.0.255 and get the thing
    > working. Was able to connect, authenticate, etc. I had a 10.10.0.1 IP on
    > the client and was able to communicate with it. But I want the VPN clients
    > to be on the same subnet as the internal clients.
    >
    > Any clarification on this would be GREATLY appreciated! I'm oso lost.
    >
    > Best regards,
    >
    > Nate
    Brian V, Oct 21, 2003
    #2

  3. Hugo Drax

    Hugo Drax Guest

    "Brian V" <> wrote in message
    news:Kaclb.601034$Oz4.606397@rwcrnsc54...
    > they can't be. The vpn users must be on a separate subnet than the internal
    > users. The pix won't allow it.

    No they don't, you just need to make sure you do not add the IP range used
    for PAT or NAT in the VPN pool. As long as you add a section of the internal
    net unused by internal hosts, NAT or PAT it would work. That is how I set my
    PIX up. I have an internal 192.168.1.0 net and use 32 addresses in the last
    section of that range for the VPN pool.
    Hugo Drax, Oct 21, 2003
    #3
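
The overlap the thread is about can be checked offline before touching the firewall. The following is an added example, not code from any poster or from Cisco: it parses the `global` lines quoted in the first post and tests candidate VPN pools against them and against the address layout from that post. The function names and the 192.168.1.223-254 candidate are constructed for illustration, and this does not claim to reproduce how PDM performs its own check.

```python
import ipaddress
import re

# The two lines quoted from the first post's PIX configuration.
PIX_CONFIG = """\
global (outside) 2 interface
global (inside) 1 192.168.1.10-192.168.1.254 netmask 255.255.255.0
"""

GLOBAL_RE = re.compile(
    r"^global \((?P<ifc>\S+)\) (?P<nat_id>\d+) "
    r"(?P<start>\d+\.\d+\.\d+\.\d+)(?:-(?P<end>\d+\.\d+\.\d+\.\d+))?", re.M)

def ip_range(start, end=None):
    """Return an inclusive (low, high) pair of IPv4Address objects."""
    lo = ipaddress.IPv4Address(start)
    hi = ipaddress.IPv4Address(end or start)
    if hi < lo:
        raise ValueError(f"range end {hi} is below start {lo}")
    return lo, hi

def global_pools(config):
    """Map each address-based global statement to its range.
    The 'interface' form carries no address range and is skipped."""
    return {f"global ({m['ifc']}) {m['nat_id']}": ip_range(m["start"], m["end"])
            for m in GLOBAL_RE.finditer(config)}

def reserved_ranges(config):
    """Global pools plus the layout from the first post."""
    reserved = global_pools(config)
    reserved["PIX inside address"] = ip_range("192.168.1.1")
    reserved["internal statics"] = ip_range("192.168.1.2", "192.168.1.49")
    reserved["internal DHCP"] = ip_range("192.168.1.100", "192.168.1.254")
    return reserved

def conflicts(vpn_start, vpn_end, reserved):
    """Names of every reserved range the candidate VPN pool touches."""
    lo, hi = ip_range(vpn_start, vpn_end)
    return sorted(name for name, (r_lo, r_hi) in reserved.items()
                  if lo <= r_hi and r_lo <= hi)

if __name__ == "__main__":
    reserved = reserved_ranges(PIX_CONFIG)
    candidates = [("192.168.1.50", "192.168.1.99"),    # pool the wizard rejected
                  ("10.10.0.1", "10.10.0.255"),        # pool that worked
                  ("192.168.1.223", "192.168.1.254")]  # constructed: last 32 addresses
    for pool in candidates:
        print(pool, conflicts(*pool, reserved) or "no overlap")
```

Against the posted configuration, the .50-.99 pool collides only with `global (inside) 1`, so that range would have to be narrowed before any slice of 192.168.1.0/24 could be used for VPN clients.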