2 remote access VPNs, one unable to get traffic across

  • This may be a bit of a doozy, or maybe I'm just missing something obvious.

    Short preface: I asked our sales department to buy a pfsense box for a client.  Instead, they ordered a Cisco ASA 5505.  I've been beating my head against the ASA 5505 for 2 days now without being able to accomplish what I want.  I posted my problem on the Cisco forums, and there are a hundred views with no replies.  Well, needing to get these VPNs setup for this customer 2 days ago, I'm completely fed up with the Cisco.

    I scraped together a pfSense box this evening from an old P4 PC and 3 PCI NICs and I've set up a lab environment at my house.  If all tests well, I'm bringing the pfSense box to the customer's in the morning to get them functional, then we'll order a decent piece of hardware to run it on.

    Here's the setup:
    WAN: connected to cable modem, gets address via DHCP


    OPT1:  (the subnet ranges from to – here's the tricky part (I think) - none of the hosts connected to this network have (and by order of the client cannot be assigned) a default gateway or static routes.  The host that I have to test to is, which does in fact ping from both the ASA I was trying to configure and from the OPT1 interface of pfSense in my lab environment.

    OK, so I have one basic OpenVPN setup for users on the internet to access the network. The VPN clients connecting here are issued in the range.  This one connects and works fine, as the gateway for the network is the pfSense box.

    I set up another OpenVPN server on a different port (1195 instead of 1194) and try to give it access to the subnet.  The OpenVPN client connects, but I cannot ping I have assigned on a PC connected to the same switch that the OPT1 interface is connected to.

    The only thing I can guess is that the PC at is receiving the ping request, but sees it coming from (the VPN pool issued when this VPN connects -- verified I am issued when I connect). The host has no default gateway and is not in its subnet, so it doesn't know what to do with it.

    I'm guessing what I need to do is somehow NAT the traffic coming in on the WAN interface from via the address.  I can ping the address when I connect to this VPN (which is more than I could do when trying to set up the ASA).  However, I'm not sure how to set this up, or maybe I'm on the wrong track.

    I hope you guys have an answer, because Cisco doesn't and I'm trying to get the company I work for to get away from Cisco and start buying boxes for pfSense.  If I can win this battle I think I'll be well on my way.
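The outbound-NAT approach the post above guesses at, written out as an added example (this is not from the thread and not pfSense's own generated ruleset): a pf.conf fragment of the kind pfSense produces when you add an Outbound NAT mapping under Firewall > NAT > Outbound (Manual mode, or Hybrid on newer releases) for the second OpenVPN server's tunnel network on OPT1, with translation set to the OPT1 interface address. The interface names em0, em2 and ovpns2, the tunnel network 10.0.9.0/24 and the OPT1 network 192.168.50.0/24 are assumed placeholders, since the page elides the real addresses; port 1195 is the one the post names for the second server.

```pf
# Added example, not from the thread. Interface names and addresses are assumed.
ext_if   = "em0"              # WAN, address from the cable modem via DHCP
opt1_if  = "em2"              # OPT1; hosts here have no default gateway or static routes
vpn2_net = "10.0.9.0/24"      # tunnel network of the second OpenVPN server (UDP 1195)
opt1_net = "192.168.50.0/24"  # the OPT1 subnet

# Source-NAT tunnel traffic leaving OPT1 to the OPT1 interface address.
# The OPT1 host then sees the ping coming from an address inside its own
# subnet and answers directly; pf untranslates the reply and it reaches
# the VPN client, which is exactly the return path the post says is missing.
nat on $opt1_if inet from $vpn2_net to $opt1_net -> ($opt1_if)

# Allow the second server's clients to reach OPT1 (in the GUI this is a
# rule on the OpenVPN tab; ovpns2 is the assumed name of that server's interface).
pass in quick on ovpns2 inet from $vpn2_net to $opt1_net keep state

# Allow the tunnel itself in on the WAN.
pass in quick on $ext_if inet proto udp from any to ($ext_if) port 1195 keep state
```

One caveat a practitioner would want: with this mapping every VPN client appears to the OPT1 hosts as the single OPT1 interface address, so anything on those hosts that logs or filters by client source address loses that distinction. The ASA workaround described later in the thread (issuing VPN clients addresses from the OPT1 subnet itself) avoids that by making the client addresses local to the hosts instead of translating them.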

  • Update: I started Wireshark on the host at, connected to the VPN and got issued.  I started a continuous ping to.  The host is hearing the ping requests but the replies are never getting back to my VPN client at.

  • For what it's worth, we figured out a way to do it with the Cisco ASA 5505.  I was able to issue to the VPN users the IP addresses in the same subnet as the network.  Then I had to add some very strange-looking ACLs allowing to talk to.  That seems very strange to me, but it works.

    I'd still really like to know how to make this work with pfSense, so if anyone has any ideas, or has questions about my setup, please chime in.
