Cisco - Lose internet access when vpn enabled cisco 501

 
Old 08-01-2006, 08:01 PM   #1
Lose internet access when vpn enabled cisco 501


Hello
I have two VPNs, one at home and the other at my office. Both set up with
internet access. NAT enabled on both.
When I use the VPN wizard with the PDM GUI to set up an end-to-end VPN
connection, I lose my access out to the internet. Tunnel works fine
though. If I kill the VPN, I get my internet back.
Can the PIX 501 do both? If so, any help on this?


cdoc
Old 08-01-2006, 10:44 PM   #2
Walter Roberson
 
Re: Lose internet access when vpn enabled cisco 501
In article <izNzg.11848$>,
cdoc <> wrote:
>Hello
>I have two VPNs, one at home and the other at my office. Both set up with
>internet access. NAT enabled on both.
>When I use the VPN wizard with the PDM GUI to set up an end-to-end VPN
>connection, I lose my access out to the internet. Tunnel works fine
>though. If I kill the VPN, I get my internet back.
>Can the PIX 501 do both? If so, any help on this?


Yes, the 501 has no problem with that.

Check to see how you have configured the VPN. If you have configured
it as a vpngroup then you need to configure 'split-tunnel'. If
you have configured it as a lan-to-lan VPN then it's just a matter
of ensuring that the access-list named in your crypto map match address
statement is restricted to only the addresses you want to go
through the VPN.


Walter Roberson
Old 08-02-2006, 03:24 AM   #3
cdoc
 
Re: Lose internet access when vpn enabled cisco 501
Thanks Walter
If I post my config here tomorrow will you give it a look?
Thanks




cdoc
Old 08-02-2006, 09:23 AM   #4
Walter Roberson
 
Re: Lose internet access when vpn enabled cisco 501
In article <92Uzg.12431$>,
cdoc <> wrote:
>Thanks Walter
>If I post my config here tomorrow will you give it a look?


Yes, if I have time.


Walter Roberson
Old 08-02-2006, 10:54 PM   #5
cdoc
 
Re: Lose internet access when vpn enabled cisco 501
Walter
Here is my config. Can you give me some guidance on this? I really
appreciate the help.


> Building configuration...
> : Saved
> :
> PIX Version 6.3(5)
> interface ethernet0 auto
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password TiYlTGGdqAj1P3O1 encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname pixfirewall
> domain-name ciscopix.com
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> object-group service TS tcp
> description Terminal Services
> port-object range 3389 3389
> access-list outside_access_in remark Terminal Service
> access-list outside_access_in permit tcp any object-group TS any object-group TS
> access-list outside_access_in permit tcp any any
> access-list inside_outbound_nat0_acl permit ip any any
> access-list outside_cryptomap_20 permit ip any any
> pager lines 24
> mtu outside 1500
> mtu inside 1500
> ip address outside pppoe setroute
> ip address inside 192.168.5.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm logging informational 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list inside_outbound_nat0_acl
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> access-group outside_access_in in interface outside
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout sip-disconnect 0:02:00 sip-invite 0:03:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> http server enable
> http 192.168.5.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto map outside_map 20 ipsec-isakmp
> crypto map outside_map 20 match address outside_cryptomap_20
> crypto map outside_map 20 set peer 64.*.*.130
> crypto map outside_map 20 set transform-set ESP-3DES-MD5
> crypto map outside_map interface outside
> isakmp enable outside
> isakmp key ******** address 64.*.*.130 netmask 255.255.255.255 no-xauth no-config-mode
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash md5
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> vpdn group pppoe_group request dialout pppoe
> vpdn group pppoe_group localname
> vpdn group pppoe_group ppp authentication pap
> vpdn username ********@bellsouth.net password *********
> dhcpd address 192.168.5.101-192.168.5.130 inside
> dhcpd lease 3600
> dhcpd ping_timeout 750
> dhcpd auto_config outside
> dhcpd enable inside
> terminal width 80
> Cryptochecksum:dab3a0bc64544b17707687cb91714f44
> : end
> [OK]







cdoc
Old 08-03-2006, 01:06 AM   #6
Brian V
 
Re: Lose internet access when vpn enabled cisco 501

"cdoc" <> wrote in message
news:zb9Ag.27590$.. .
> Walter
> Here is my config. Can you give me some guidance on this. I really
> appreciate the help.


access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_20 permit ip any any

Both of these lines are bad. The first line is telling it not to NAT
anything. This alone breaks your internet connection. It should be
specifying source and destination networks of the VPN tunnel.

Second line is essentially telling it to send everything into the VPN
tunnel. Like above, it should only have your source and destination networks
in there.

99.999% of the time these 2 lists should be identical when only using 1
tunnel. When using more than 1 tunnel the Nat0 list should be equal to all
the crypto match lists.

Another thing you have in your config which is a huge security risk is the
permit tcp any any statement on your outside ACL. Where you do not have any
statics, there is really no need for the outside ACL.

-Brian




Brian V
Old 08-03-2006, 01:41 AM   #7
cdoc
 
Re: Lose internet access when vpn enabled cisco 501
Thanks Brian
If my LAN subnet on this side is 192.168.5.0 and the remote LAN is
192.168.100.0, what should the syntax on these two entries be?
Thanks again for your help.




cdoc
Old 08-03-2006, 01:42 AM   #8
cdoc
 
Re: Lose internet access when vpn enabled cisco 501
PS
I indeed only have one vpn connection.




cdoc
Old 08-03-2006, 02:31 AM   #9
cdoc
 
Re: Lose internet access when vpn enabled cisco 501
Should it be

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0
192.168.5.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0
192.168.5.0 255.255.255.0







cdoc
Old 08-03-2006, 02:51 AM   #10
Brian V
 
Re: Lose internet access when vpn enabled cisco 501

"cdoc" <> wrote in message
news:HmcAg.19106$.. .
> Should it be
>
> access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0
> 192.168.5.0 255.255.255.0
> access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0
> 192.168.5.0 255.255.255.0
>
>
>
>
> cdoc wrote:
>> PS
>> I indeed only have one vpn connection.
>>
>> cdoc wrote:
>>> Thanks Brian
>>> If my lan subnet on this side is 192.168.5.0 and the remote lan is
>>> 192.168.100.0 what should the syntax on these two entries be?
>>> Thanks again for your help.
>>>

<snip>

If internal is 192.168.5.X and the remote is 192.168.1.X use:
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0
192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0
192.168.1.0 255.255.255.0

If internal is 192.168.5.X and the remote is 192.168.100.X use:
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0
192.168.100.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0
192.168.100.0 255.255.255.0






Brian V
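Added example, not code from the thread or from Cisco: a small Python checker that applies the rules Brian gives in his first reply (the nat 0 ACL and the crypto map match ACL must name the tunnel's source and destination networks, never "ip any any"; with one tunnel the two lists are identical, with several the nat 0 list is the union of all crypto match lists; a "permit tcp any any" on the outside ACL opens every port) and that accepts the corrected lines from his last reply. The sample configs are constructed from the lines cdoc posted above, trimmed to the statements the check needs; the second tunnel (ACL outside_cryptomap_40, remote network 192.168.200.0) is an assumption added to exercise the multi-tunnel rule. The parser understands only the PIX 6.x access-list forms that appear in this thread (any, host, NET MASK, eq/range/object-group port qualifiers).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action / protocol / source / destination.
    A port qualifier stays attached to the address it follows, so
    'any object-group TS' is not mistaken for a bare 'any'."""
    action: str
    proto: str
    src: str
    dst: str


def _addr(tokens, i):
    """Consume one PIX address spec ('any', 'host X' or 'NET MASK') plus an
    optional port qualifier; return (spec, index of the next token)."""
    if tokens[i] == "any":
        parts, i = ["any"], i + 1
    else:
        parts, i = tokens[i:i + 2], i + 2
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq", "object-group"):
        parts, i = parts + tokens[i:i + 2], i + 2
    elif i < len(tokens) and tokens[i] == "range":
        parts, i = parts + tokens[i:i + 3], i + 3
    return " ".join(parts), i


def parse_config(text):
    """Collect the ACLs and the three statements that bind them: the nat 0
    exemption, every crypto map 'match address', and the ACL applied inbound
    on the outside interface. Leading '>' quote marks are stripped so a config
    pasted into a newsgroup reply can be fed in as-is."""
    acls, nat0, crypto, outside_in = {}, None, [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()
        if line.startswith("access-list "):
            t = line.split()
            entries = acls.setdefault(t[1], [])
            if t[2] == "remark":
                continue
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            entries.append(Ace(t[2], t[3], src, dst))
            continue
        m = re.match(r"nat \(\S+\) 0 access-list (\S+)", line)
        if m:
            nat0 = m.group(1)
        m = re.match(r"crypto map \S+ \d+ match address (\S+)", line)
        if m:
            crypto.append(m.group(1))
        m = re.match(r"access-group (\S+) in interface outside", line)
        if m:
            outside_in = m.group(1)
    return acls, nat0, crypto, outside_in


def _wide_open(ace):
    return ace.action == "permit" and ace.src == "any" and ace.dst == "any"


def lint(text):
    """Return (code, acl_name) findings for the mistakes discussed in the thread."""
    acls, nat0, crypto, outside_in = parse_config(text)
    findings = []
    # nat 0 'permit ip any any' exempts every flow from NAT, so internet-bound
    # traffic leaves untranslated and internet access breaks.
    if nat0 and any(_wide_open(a) and a.proto == "ip" for a in acls.get(nat0, [])):
        findings.append(("nat0-any-any", nat0))
    # crypto 'permit ip any any' declares all traffic interesting to the tunnel.
    for name in crypto:
        if any(_wide_open(a) and a.proto == "ip" for a in acls.get(name, [])):
            findings.append(("crypto-any-any", name))
    # The NAT-exempt set must equal the union of all crypto match lists
    # (identical lists for one tunnel, the union for several).
    if nat0 and crypto:
        expected = {a for name in crypto for a in acls.get(name, [])}
        if set(acls.get(nat0, [])) != expected:
            findings.append(("nat0-crypto-mismatch", nat0))
    # A permit any any on the inbound outside ACL exposes every port.
    if outside_in and any(_wide_open(a) and a.proto in ("ip", "tcp", "udp")
                          for a in acls.get(outside_in, [])):
        findings.append(("outside-acl-any-any", outside_in))
    return findings


# Constructed sample: the relevant lines of the config cdoc posted, as quoted.
BROKEN = """\
> access-list outside_access_in remark Terminal Service
> access-list outside_access_in permit tcp any object-group TS any object-group TS
> access-list outside_access_in permit tcp any any
> access-list inside_outbound_nat0_acl permit ip any any
> access-list outside_cryptomap_20 permit ip any any
> global (outside) 1 interface
> nat (inside) 0 access-list inside_outbound_nat0_acl
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> access-group outside_access_in in interface outside
> crypto map outside_map 20 match address outside_cryptomap_20
"""

# Constructed sample: Brian's corrected ACLs for 192.168.5.0 <-> 192.168.100.0,
# with the outside ACL dropped as he suggests.
FIXED = """\
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map outside_map 20 match address outside_cryptomap_20
"""

# Constructed sample (assumed second tunnel): nat 0 covers only the first
# tunnel, so the second tunnel's traffic would still be NATed.
TWO_TUNNELS_BAD = """\
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 192.168.5.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 40 match address outside_cryptomap_40
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED), ("two tunnels", TWO_TUNNELS_BAD)):
        print(label, lint(cfg))
```

Run against the posted config it reports the nat 0 and crypto "any any" entries plus the wide-open outside ACL; against Brian's corrected lines it reports nothing; against the two-tunnel sample it reports only the nat 0 / crypto mismatch, which is exactly the "Nat0 list should be equal to all the crypto match lists" rule.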