[VPN] Cisco VPN and Proxy ARP

Chris Gripp cgripp at automotive.com
Thu May 8 19:24:12 EDT 2003

Couldn't you work around this by providing the 2 clients separate IP networks and then having routes to those on a central router on your network?

The packet flow would be:



-----Original Message-----
From: David Goldsmith [mailto:dgoldsmith at sans.org]
Sent: Tuesday, May 06, 2003 12:30 PM
To: vpn at lists.shmoo.com
Subject: Re: [VPN] Cisco VPN and Proxy ARP

Just got off the phone with Cisco TAC.  This is a known bug in the proxy
ARP code.  It was discovered in the 3.6.7A firmware and is still a bug
in 4.0.  The 4.1 firmware includes a fix and will be out shortly.


On Tue, 2003-05-06 at 11:57, David Goldsmith wrote:
> I have a working setup using a Cisco 3000 concentrator and Cisco VPN
> clients.  Users who activate the VPN Client can communicate with any
> 'internal' servers that the firewall allows.  While clients are
> connected, the internal servers can also communicate with the VPN
> Clients tunneled IP address.
> What I am trying to do is to allow two VPN clients to talk directly to
> each other.  I have configured a 'Tunnel Default Gateway' which points
> to the internal firewall connected to the same network segment as the
> internal private interface on the VPN concentrator.
> The VPN private network segment is  The internal
> firewall is and the private VPN interface is
>  If Client A ( pings Client B
> (, I see ICMP echo requests that are sent from .128 to
> the .140 IP address but that use the firewall's MAC address as the
> destination MAC address.
> Is this method of communication (client-to-client) possible and if so,
> what configuration option(s) do I need to change?
> Thanks,
> David Goldsmith
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn
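
The two designs discussed above, the original proxy-ARP dependent one and the routed-pools workaround, as an added example that is not part of the thread. It is a small forwarding-table model written for this page, not Cisco code: every address is a hypothetical placeholder from the RFC 5737 documentation ranges (the thread elides the real ones), the device names are placeholders, and the concentrator is modelled as always handing tunnel traffic to its routing table first, which is what the observed echo requests carrying the firewall's MAC address suggest. `trace()` follows a packet from client A toward client B and reports whether delivery depends on someone answering ARP for client B's address.

```python
import ipaddress

# Hypothetical addresses from the RFC 5737 documentation ranges; the thread
# elides the real ones. The device names are placeholders as well.
PRIVATE_SEG = "192.0.2.0/24"   # segment shared by the concentrator and the firewall
CONC = "192.0.2.2"             # concentrator private interface
GW = "192.0.2.1"               # internal firewall, configured as Tunnel Default Gateway


def lookup(table, dst):
    """Longest-prefix match. Entries are (prefix, next_hop); next_hop None means connected."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def answers_arp(dev, dst):
    """True if a device owns dst or proxy-ARPs for a prefix covering it."""
    addr = ipaddress.ip_address(dst)
    return dst in dev.get("addrs", ()) or any(
        addr in ipaddress.ip_network(p) for p in dev.get("proxy_arp", ()))


def trace(devices, start, dst, max_hops=8):
    """Follow a packet that arrived over a tunnel at `start` toward `dst`.

    The concentrator hands tunnel traffic to its routing table first, so the
    tunnelled-destination check is skipped on the first hop (model assumption).
    """
    path, cur, first = [start], start, True
    for _ in range(max_hops):
        dev = devices[cur]
        if not first and dst in dev.get("tunnelled", ()):
            return path, "delivered"
        first = False
        hit = lookup(dev["table"], dst)
        if hit is None:
            return path, "no route on " + cur
        net, nh = hit
        if nh is None:
            # Connected segment: cur sends an ARP request for dst itself, so
            # some other device must own dst or proxy-ARP for it.
            who = [n for n, d in devices.items() if n != cur and answers_arp(d, dst)]
            if not who:
                return path, "arp for %s unanswered on %s" % (dst, net)
            nxt = who[0]
        else:
            who = [n for n, d in devices.items() if nh in d.get("addrs", ())]
            if not who:
                return path, "next hop %s unreachable" % nh
            nxt = who[0]
        path.append(nxt)
        cur = nxt
    return path, "hop limit exceeded"


def proxy_arp_setup(proxy_arp_working):
    """Original setup: client pool inside PRIVATE_SEG, firewall must ARP for client B."""
    client_a, client_b = "192.0.2.128", "192.0.2.140"
    devices = {
        "concentrator": {
            "addrs": {CONC}, "tunnelled": {client_a, client_b},
            "table": [("0.0.0.0/0", GW)],
            # The concentrator is expected to answer ARP for its pool; the
            # thread reports this is broken in 3.6.7A and 4.0.
            "proxy_arp": ["192.0.2.128/25"] if proxy_arp_working else [],
        },
        "firewall": {"addrs": {GW}, "table": [(PRIVATE_SEG, None)]},
    }
    return trace(devices, "concentrator", client_b)


def routed_setup():
    """Workaround from the reply: one pool per client, routed back via the concentrator."""
    client_a, client_b = "198.51.100.10", "203.0.113.10"
    devices = {
        "concentrator": {
            "addrs": {CONC}, "tunnelled": {client_a, client_b},
            "table": [("0.0.0.0/0", GW)],
        },
        "router": {
            "addrs": {GW},
            "table": [(PRIVATE_SEG, None),
                      ("198.51.100.0/24", CONC),
                      ("203.0.113.0/24", CONC)],
        },
    }
    return trace(devices, "concentrator", client_b)


if __name__ == "__main__":
    print("proxy ARP working :", proxy_arp_setup(True))
    print("proxy ARP broken  :", proxy_arp_setup(False))
    print("routed pools      :", routed_setup())
```

In the routed setup the packet still goes out to the tunnel default gateway first, but the router's static routes send it straight back to the concentrator's own interface address, so no ARP request for a client address is ever made and the proxy-ARP code is never exercised. To confirm which case a real deployment is in, capture on the private segment and look for ARP requests for client B's address coming from the firewall and whether anything answers them; echo requests addressed to the firewall's MAC, as reported above, are only the first hop of either path.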
