subnet mask error for VPN Ip assignment on PIX

[praks25]

hi,
just need a little guidance on how to set the right subnet mask for IP's being assigned by the PIX vpn device.
the following IP's have been configured for vpn assignment
10.90.10.111-10.90.10.120.
IP's in the 10.90.10.0-255 (excluding 111-120) range with a subnet mask of 255.255.255.0 are in use on the internal network but whenever the pix assigns the above IP's (111-120) it assigns a subnet mask of 255.255.255.255. as a result everybody assigned vpn access can authenticate in but cannot work on the internal network.
here is a copy of the PIX config.
any help would be appreciated

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_out permit icmp any any
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any host XXX.XX.93.154 eq pptp log
access-list acl_in permit icmp any any
access-list acl_in permit ip 10.90.10.0 255.255.255.0 any
pager lines 24
logging on
logging console debugging
logging buffered errors
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside XXX.20.XX.154 255.255.255.0
ip address inside 10.90.10.253 255.255.255.0
no ip address intf2
no ip address intf3
ip audit info action alarm
ip audit attack action alarm
ip local pool 2 10.90.10.111-10.90.10.120
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
pdm location 10.90.10.0 255.255.255.0 inside
pdm location XXX.XX.93.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 XXX.XX.93.47-XXX.XX.93.65 netmask 255.255.255.0
global (outside) 1 XXX.XX.93.56 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 XXX.XX.93.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http XXX.XX.93.0 255.255.255.0 outside
http 10.90.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-pptp
telnet 10.90.10.0 255.255.255.0 inside
telnet timeout 60
ssh XXX.XX.93.0 255.255.255.0 outside
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local 2
vpdn group 1 client configuration dns XXX.XX.93.150 XXX.20.93.155
vpdn group 1 client configuration wins XXX.XX.93.150
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username johndoe password **********
vpdn enable outside
privilege 15
terminal width 80
: end

 

[dx1]

Why don't you use a different subnet for your address pool?

 

[themut]

DX1 is right! You should not use addresses from a subnet that is already in use, it confuses the firewall. Try using addresses from an unassigned subnet.

 

[praks25]

hi DX1 and themut,
i changed to a different subnet range for the vpn assignments but i still can't access the servers and workstations inside.
the pix internal interface has the ip 10.90.10.253. when posting the question initially here, i had vpn set to assign in the range 10.90.10.111-10.90.10.120.
I now changed the vpn assignment range to 10.90.100.1-10.90.100.252.
I am assigned a 10.90.100.0 network IP but i can't access any machine inside.
I set access list for the new assignment
access-list acl_in permit ip 10.90.10.0 255.255.255.0 10.90.100.0 255.255.255.0
and I also set to nat inside
nat (inside) 0 access-list acl_in

is there anything else i am missing in the configuration?
thankyou

 

[dx1]

Remove the access-list acl_in from your inside interface.

 

[bwilliam13]

Create an access list specifically for the VPN clients. Example:

access-list 101 permit ip 10.90.100.0 255.255.255.0 10.90.10.0 255.255.255.0
access-list 101 permit icmp 10.90.100.0 255.255.255.0 10.90.10.0 255.255.255.0

Then, tell the PIX not to NAT those rules in that access list:

nat (inside) 0 access-list 101

You'll also need a rule in your acl_in to let VPN clients make connections to machines on the inside interface:

access-list acl_in permit ip 10.90.100.0 255.255.255.0 10.90.10.0 255.255.255.0


You may need a route statement to tell your VPN clients where to go to reach the inside clients (optional):

route inside 10.90.10.0 255.255.255.0 <yourdefaultrouterhere> <--but this is only if you have some sort of layer-3 switch on your PIX's internal interface that isn't running some sort of dynamic routing like OSPF

Try that and see what happens.

 

[themut]

Are you able to establish the tunnel? If you do a &quot;show crypto isakmp sa&quot; what do you get?

 

[bwilliam13]

He's using PPTP.

 

[praks25]

hey themut and dx1,
thanx for the info, it works well. i can VPN in and everything works well.
Thanx once again.

I set the access list as u suggested but the other way around
access-list acl_in permit ip 10.90.10.0 255.255.255.0 10.90.100.0 255.255.255.0

just out of curiosity, does it make a difference if 10.90.100.0 comes before 10.90.10.0 in the above access-list statement.
I also set the nat statement inside to bypass nat
nat (inside) 0 access-list acl_in.

also another question

I have another server on the internal network that i want to static nat (on port 443 -- https)to an available public IP on our network.
since i am only running 2 interfaces on the PIX namely the inside and outside, can I static nat another public IP on the existing outside interface to the internal IP of the web server?

anyway thanx for the info. it really helped.

 

[dx1]

>I have another server on the internal network that i want to static nat (on port 443 -- https)to an available public IP on our network.
since i am only running 2 interfaces on the PIX namely the inside and outside, can I static nat another public IP on the existing outside interface to the internal IP of the web server?

Yes, as long as you have an available external IP to nat it to. It doesn't matter how many physical interface you have.