[VPN] Cisco VPN and Proxy ARP

David Goldsmith dgoldsmith at sans.org
Tue May 6 11:57:41 EDT 2003


I have a working setup using a Cisco 3000 concentrator and Cisco VPN
clients.  Users who activate the the VPN Client can communicate with any
'internal' servers that the firewall allows.  While clients are
connected, the internal servers can also communicate with the VPN
Clients tunneled IP address.

What I am trying to do is to allow two VPN clients to talk directly to
each other.  I have configured a 'Tunnel Default Gateway' which points
to the internal firewall connected to the same network segment as the
internal private interface on the VPN concentrator.

The VPN private network segment is 192.168.100.0/24.  The internal
firewall is 192.168.100.1 and the private VPN interface is
192.168.100.2.  If Client A (192.168.100.128) pings Client B
(192.168.100.140), I see ICMP echo requests that are sent from .128 to
the .140 IP address but that use the firewall's MAC address as the
destination MAC address.

Is this method of communication (client-to-client) possible and if so,
what configuration option(s) do I need to change?

Thanks,
David Goldsmith





More information about the VPN mailing list