Velocity Reviews - Computer Hardware Reviews

Cisco 506e - remote-access vpn, split tunnel, client has no internet access.

Rohan
11-28-2006
I have searched this group and the internet but cannot seem to see
anything wrong with my configuration (given below), yet clients
connecting to the pix cannot go out to the internet.

The clients are using the Cisco VPN Client 4.8.01.0300; the connection
uses "Enable transparent tunneling" (IPSec over UDP) and also allows
local LAN access.

I am new to the whole PIX/Cisco world, and all of this configuration
was done using the PDM. When I finally enabled split tunneling, the PDM
told me that it had encountered a firewall configuration command that it
does not support; apparently it does not support multiple uses of an
ACL, the ACL in question being "outside_cryptomap_dyn_20", which is
applied both to the outside interface for IPSec traffic selection and
to the VPN client group for split tunneling.

I would really appreciate it if someone could go over my configuration
and let me know what I am doing wrong.

Result of firewall command: "show running-config"

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside <my_outside_address> <my_subnet_mask>
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool BSIP 192.168.1.100-192.168.1.200

arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 <my_outside_address> 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup <my_group> address-pool BSIP
vpngroup <my_group> dns-server 192.168.1.10 192.168.1.13
vpngroup <my_group> default-domain <my_domain>
vpngroup <my_group> split-tunnel outside_cryptomap_dyn_20
vpngroup <my_group> idle-time 1800
vpngroup <my_group> password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
: end

Thank you,

Rohan
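As an added check (not part of Rohan's post or of any Cisco tooling), the Python script below parses the relevant lines of the running-config above and reports two things a reviewer would look at first: the VPN pool BSIP (192.168.1.100-200) lying inside the inside subnet 192.168.1.0/24 and inside the dhcpd range 192.168.1.2-254, and the single ACL outside_cryptomap_dyn_20 being referenced by both the crypto dynamic-map and the vpngroup split-tunnel, which is the double use the PDM complained about. The config excerpt is constructed from the posted lines; the function and field names are the example's own.

```python
import ipaddress

# Constructed excerpt: only the lines from the posted running-config that
# the checks below inspect (long PIX commands are joined onto one line).
PIX_CONFIG = """\
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.0 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip local pool BSIP 192.168.1.100-192.168.1.200
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
vpngroup <my_group> split-tunnel outside_cryptomap_dyn_20
dhcpd address 192.168.1.2-192.168.1.254 inside
"""

def ip_range(text):
    """'a.b.c.d-e.f.g.h' -> (first, last) as ip_address objects."""
    lo, hi = text.split("-")
    return ipaddress.ip_address(lo), ipaddress.ip_address(hi)

def parse(config):
    """Collect the VPN pools, inside subnet, dhcpd range and ACL usages."""
    facts = {"pools": {}, "acl_uses": {}}
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"]:
            facts["pools"][t[3]] = ip_range(t[4])
        elif t[:3] == ["ip", "address", "inside"]:
            facts["inside"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:2] == ["dhcpd", "address"]:
            facts["dhcpd"] = ip_range(t[2])
        elif t[:2] == ["crypto", "dynamic-map"] and "match address" in line:
            facts["acl_uses"].setdefault(t[-1], []).append("crypto dynamic-map")
        elif t[:1] == ["vpngroup"] and len(t) > 3 and t[2] == "split-tunnel":
            facts["acl_uses"].setdefault(t[3], []).append("vpngroup split-tunnel")
    return facts

def overlaps(a, b):
    """True if the inclusive address ranges a and b share any address."""
    return a[0] <= b[1] and b[0] <= a[1]

def findings(config):
    """Human-readable list of address-plan overlaps and ACL double use."""
    f, out = parse(config), []
    inside = (f["inside"][0], f["inside"][-1])   # network .. broadcast
    for name, pool in f["pools"].items():
        if overlaps(pool, inside):
            out.append(f"pool {name} overlaps inside subnet {f['inside']}")
        if "dhcpd" in f and overlaps(pool, f["dhcpd"]):
            out.append(f"pool {name} overlaps dhcpd range {f['dhcpd'][0]}-{f['dhcpd'][1]}")
    for acl, uses in f["acl_uses"].items():
        if len(uses) > 1:
            out.append(f"ACL {acl} used by: {', '.join(uses)}")
    return out
```

Run `findings(PIX_CONFIG)` to list the three issues; a config with a pool outside the inside subnet and a separate split-tunnel ACL returns an empty list.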

tweety
11-29-2006
Hi, this is way out of my league. Recently, however, when configuring a
Cisco 2621XM I had to do a NONAT route map: I deny the internal traffic
to the remote LAN and then permit the internal traffic ip any any.
Probably of no help, but maybe others will suggest the right solution.

Hope you solve it soon, friend.

Rohan wrote:

> I have searched this group and the internet but cannot seem to see
> anything wrong with my configuration (given below), yet clients
> connecting to the pix cannot go out to the internet.