[VPN] Cisco VPN and Proxy ARP

David Goldsmith dgoldsmith at sans.org
Tue May 6 15:30:11 EDT 2003


Just got off the phone with Cisco TAC.  This is a known bug in the proxy
ARP code.  It was discovered in the 3.6.7A firmware and is still a bug
in 4.0.  The 4.1 firmware includes a fix and will be out shortly.

Dave

On Tue, 2003-05-06 at 11:57, David Goldsmith wrote:
> I have a working setup using a Cisco 3000 concentrator and Cisco VPN
> clients.  Users who activate the VPN Client can communicate with any
> 'internal' servers that the firewall allows.  While clients are
> connected, the internal servers can also communicate with the VPN
> Clients' tunneled IP address.
> 
> What I am trying to do is to allow two VPN clients to talk directly to
> each other.  I have configured a 'Tunnel Default Gateway' which points
> to the internal firewall connected to the same network segment as the
> internal private interface on the VPN concentrator.
> 
> The VPN private network segment is 192.168.100.0/24.  The internal
> firewall is 192.168.100.1 and the private VPN interface is
> 192.168.100.2.  If Client A (192.168.100.128) pings Client B
> (192.168.100.140), I see ICMP echo requests that are sent from .128 to
> the .140 IP address but that use the firewall's MAC address as the
> destination MAC address.
> 
> Is this method of communication (client-to-client) possible and if so,
> what configuration option(s) do I need to change?
> 
> Thanks,
> David Goldsmith
> 
> 
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn
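The symptom David describes (echo requests from .128 to .140 that carry the firewall's MAC rather than Client B's) can be spotted mechanically in a capture: any frame whose destination IP is on the local segment but whose destination MAC is the gateway's has been answered by proxy ARP or forced through a default gateway instead of being delivered directly. The checker below is an added example, not code from the list post or from Cisco; the MAC addresses, the ARP table and the sample frames are constructed, and only the IP addressing (192.168.100.0/24, firewall .1, concentrator .2, clients .128 and .140) comes from the thread.

```python
"""Flag frames addressed to an on-link IP but carrying the gateway's MAC.

Added example, not from the mailing-list thread. It models the symptom
described there: Client A (.128) pings Client B (.140) on 192.168.100.0/24,
yet the Ethernet frames are addressed to the firewall's MAC (192.168.100.1).
All MAC addresses and frame records below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_ip: str
    dst_ip: str
    dst_mac: str  # Ethernet destination, colon-separated hex


# Constructed: the segment, the gateway/firewall, and an ARP table as a
# host on the segment would see it.
SEGMENT = ipaddress.ip_network("192.168.100.0/24")
GATEWAY_IP = "192.168.100.1"
ARP_TABLE = {
    "192.168.100.1":   "00:00:0c:aa:bb:01",  # firewall (constructed MAC)
    "192.168.100.2":   "00:00:0c:aa:bb:02",  # concentrator private interface (constructed MAC)
    "192.168.100.140": "00:11:22:33:44:8c",  # Client B (constructed MAC)
}


def classify(frame: Frame, segment=SEGMENT, arp=ARP_TABLE, gateway_ip=GATEWAY_IP) -> str:
    """Return 'direct', 'off-link', 'hairpin' or 'unknown' for one frame.

    off-link: destination is outside the segment; using the gateway MAC is correct.
    direct:   destination is on the segment and the frame carries that host's MAC.
    hairpin:  destination is on the segment but the frame carries the gateway's
              MAC, i.e. proxy ARP or a default gateway answered for an on-link host.
    unknown:  on-link destination whose MAC is neither in the table nor the gateway's.
    """
    dst = ipaddress.ip_address(frame.dst_ip)
    gw_mac = arp[gateway_ip].lower()
    mac = frame.dst_mac.lower()
    if dst not in segment:
        return "off-link"
    if mac == gw_mac and frame.dst_ip != gateway_ip:
        return "hairpin"
    if arp.get(frame.dst_ip) == mac:
        return "direct"
    return "unknown"


def hairpinned_flows(frames):
    """Sorted (src, dst) pairs whose on-link traffic was sent to the gateway MAC."""
    return sorted({(f.src_ip, f.dst_ip) for f in frames if classify(f) == "hairpin"})


# Constructed sample capture: two echo requests from .128 to .140 that carry the
# firewall's MAC, one frame correctly sent to a remote host via the gateway, one
# frame to the firewall itself, and one reply whose MAC is not in the table.
SAMPLE = [
    Frame("192.168.100.128", "192.168.100.140", "00:00:0c:aa:bb:01"),
    Frame("192.168.100.128", "192.168.100.140", "00:00:0C:AA:BB:01"),
    Frame("192.168.100.128", "10.1.2.3",        "00:00:0c:aa:bb:01"),
    Frame("192.168.100.128", "192.168.100.1",   "00:00:0c:aa:bb:01"),
    Frame("192.168.100.140", "192.168.100.128", "00:11:22:33:44:80"),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.src_ip} -> {f.dst_ip} via {f.dst_mac}: {classify(f)}")
    print("hairpinned flows:", hairpinned_flows(SAMPLE))
```

Run against a real capture, the ARP table would come from the capturing host (or from the ARP replies in the trace) rather than being hard-coded; the classification logic is the same. A flow reported as "hairpin" between two VPN client addresses is exactly the pattern the thread attributes to the concentrator's proxy ARP code.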