[VPN] Cisco VPN and Proxy ARP
David Goldsmith
dgoldsmith at sans.org
Tue May 6 15:30:11 EDT 2003
Just got off the phone with Cisco TAC. This is a known bug in the proxy
ARP code. It was discovered in the 3.6.7A firmware and is still a bug
in 4.0. The 4.1 firmware includes a fix and will be out shortly.
Dave
On Tue, 2003-05-06 at 11:57, David Goldsmith wrote:
> I have a working setup using a Cisco 3000 concentrator and Cisco VPN
> clients. Users who activate the VPN Client can communicate with any
> 'internal' servers that the firewall allows. While clients are
> connected, the internal servers can also communicate with the VPN
> Clients' tunneled IP address.
>
> What I am trying to do is to allow two VPN clients to talk directly to
> each other. I have configured a 'Tunnel Default Gateway' which points
> to the internal firewall connected to the same network segment as the
> internal private interface on the VPN concentrator.
>
> The VPN private network segment is 192.168.100.0/24. The internal
> firewall is 192.168.100.1 and the private VPN interface is
> 192.168.100.2. If Client A (192.168.100.128) pings Client B
> (192.168.100.140), I see ICMP echo requests that are sent from .128 to
> the .140 IP address but that use the firewall's MAC address as the
> destination MAC address.
>
> Is this method of communication (client-to-client) possible and if so,
> what configuration option(s) do I need to change?
>
> Thanks,
> David Goldsmith
>
>
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn
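The symptom David describes (echo requests from .128 to .140, both on 192.168.100.0/24, carrying the firewall's MAC as the destination) is exactly what a proxy-ARP answer for an on-subnet host looks like in a capture. The following is an added example, not code from the thread or from Cisco: it parses raw Ethernet/IPv4/ICMP frames and flags any frame whose IP destination is on the local subnet but whose layer-2 destination is the gateway's MAC. The frames are constructed inline with hypothetical MAC addresses; the IPs and subnet are the ones from the post.

```python
"""Flag on-subnet IP traffic that is being sent to the gateway's MAC.

Added example (not from the thread). MAC addresses are hypothetical and the
frames are constructed here as sample input; the IPs match the post.
"""
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8

SUBNET = ipaddress.ip_network("192.168.100.0/24")
GATEWAY_IP = ipaddress.ip_address("192.168.100.1")
FIREWALL_MAC = "00:00:5e:00:01:01"   # hypothetical MAC of the firewall (.1)
CLIENT_A_MAC = "02:00:00:00:00:a0"   # hypothetical MAC for Client A (.128)
CLIENT_B_MAC = "02:00:00:00:00:b0"   # hypothetical MAC for Client B (.140)


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_checksum(header):
    """RFC 1071 one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src_mac, dst_mac, src_ip, dst_ip):
    """Construct an Ethernet/IPv4/ICMP echo-request frame (sample input only)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1) + b"ping"
    ip_no_sum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0,
                            64, IPPROTO_ICMP, 0,
                            ipaddress.ip_address(src_ip).packed,
                            ipaddress.ip_address(dst_ip).packed)
    ip_hdr = ip_no_sum[:10] + struct.pack("!H", ip_checksum(ip_no_sum)) + ip_no_sum[12:]
    return ETH_HDR.pack(mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_IPV4) + ip_hdr + icmp


def parse_frame(frame):
    """Return (dst_mac, src_ip, dst_ip, icmp_type) for an IPv4 frame, else None."""
    if len(frame) < ETH_HDR.size + 20:
        return None
    dst_mac, _src_mac, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR.size:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl + 1:
        return None
    src_ip = ipaddress.ip_address(ip[12:16])
    dst_ip = ipaddress.ip_address(ip[16:20])
    icmp_type = ip[ihl] if ip[9] == IPPROTO_ICMP else None
    return mac_str(dst_mac), src_ip, dst_ip, icmp_type


def proxy_arp_suspects(frames, subnet=SUBNET, gateway_ip=GATEWAY_IP, gateway_mac=FIREWALL_MAC):
    """Frames addressed at L3 to an on-subnet host but at L2 to the gateway.

    Traffic to the gateway's own IP or to an off-subnet destination is expected
    to carry the gateway MAC and is skipped; anything else is the proxy-ARP symptom.
    """
    suspects = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        dst_mac, src_ip, dst_ip, icmp_type = parsed
        if dst_mac != gateway_mac.lower():
            continue
        if dst_ip not in subnet or dst_ip in (gateway_ip, subnet.broadcast_address):
            continue
        suspects.append((str(src_ip), str(dst_ip), icmp_type))
    return suspects


def sample_frames():
    """Constructed capture: one symptomatic frame and three legitimate ones."""
    return [
        # Client A -> Client B, but resolved to the firewall's MAC (the symptom)
        build_echo_request(CLIENT_A_MAC, FIREWALL_MAC, "192.168.100.128", "192.168.100.140"),
        # Client A -> Client B resolved to B's own MAC (what you would expect)
        build_echo_request(CLIENT_A_MAC, CLIENT_B_MAC, "192.168.100.128", "192.168.100.140"),
        # Off-subnet destination: gateway MAC is correct here
        build_echo_request(CLIENT_A_MAC, FIREWALL_MAC, "192.168.100.128", "10.0.0.5"),
        # Ping to the firewall itself: gateway MAC is correct here too
        build_echo_request(CLIENT_A_MAC, FIREWALL_MAC, "192.168.100.128", "192.168.100.1"),
    ]


if __name__ == "__main__":
    for src, dst, icmp_type in proxy_arp_suspects(sample_frames()):
        print(f"proxy-ARP symptom: {src} -> {dst} sent to gateway MAC (icmp type {icmp_type})")
```

On a real capture you would feed `proxy_arp_suspects` the raw link-layer bytes of each frame (for example from a pcap reader) with the gateway's actual MAC; a non-empty result for same-subnet destinations is the wire-level evidence that something answered ARP on the other host's behalf.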