Lose internet access when vpn enabled cisco 501

Discussion in 'Cisco' started by cdoc, Aug 1, 2006.

  1. cdoc

    cdoc Guest

    Hello
    I have two VPNs, one at home and the other at my office. Both are set up with
    internet access. NAT is enabled on both.
    When I use the VPN wizard in the PDM GUI to set up an end-to-end VPN
    connection, I lose my access out to the internet. The tunnel works fine
    though. If I kill the VPN, I get my internet back.
    Can the PIX 501 do both? If so, any help on this?
     
    cdoc, Aug 1, 2006
    #1

  2. In article <izNzg.11848$>,
    cdoc <> wrote:
    >Hello
    >I have two VPNs, one at home and the other at my office. Both are set up with
    >internet access. NAT is enabled on both.
    >When I use the VPN wizard in the PDM GUI to set up an end-to-end VPN
    >connection, I lose my access out to the internet. The tunnel works fine
    >though. If I kill the VPN, I get my internet back.
    >Can the PIX 501 do both? If so, any help on this?


    Yes, the 501 has no problem with that.

    Check to see how you have configured the VPN. If you have configured
    it as a vpngroup then you need to configure 'split-tunnel'. If
    you have configured it as a lan-to-lan VPN then it's just a matter
    of ensuring that the access-list named in your crypto map match address
    statement is restricted to only the addresses you want to go
    through the VPN.
     
    Walter Roberson, Aug 1, 2006
    #2

  3. cdoc

    cdoc Guest

    Thanks Walter
    If I post my config here tomorrow will you give it a look?
    Thanks

     
    cdoc, Aug 2, 2006
    #3
  4. In article <92Uzg.12431$>,
    cdoc <> wrote:
    >Thanks Walter
    >If I post my config here tomorrow will you give it a look?


    Yes, if I have time.
     
    Walter Roberson, Aug 2, 2006
    #4
  5. cdoc

    cdoc Guest

    Walter
    Here is my config. Can you give me some guidance on this? I really
    appreciate the help.


    > Building configuration...
    > : Saved
    > :
    > PIX Version 6.3(5)
    > interface ethernet0 auto
    > interface ethernet1 100full
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > enable password TiYlTGGdqAj1P3O1 encrypted
    > passwd 2KFQnbNIdI.2KYOU encrypted
    > hostname pixfirewall
    > domain-name ciscopix.com
    > fixup protocol dns maximum-length 512
    > fixup protocol ftp 21
    > fixup protocol h323 h225 1720
    > fixup protocol h323 ras 1718-1719
    > fixup protocol http 80
    > fixup protocol rsh 514
    > fixup protocol rtsp 554
    > fixup protocol sip 5060
    > fixup protocol sip udp 5060
    > fixup protocol skinny 2000
    > fixup protocol smtp 25
    > fixup protocol sqlnet 1521
    > fixup protocol tftp 69
    > names
    > object-group service TS tcp
    > description Terminal Services
    > port-object range 3389 3389
    > access-list outside_access_in remark Terminal Service
    > access-list outside_access_in permit tcp any object-group TS any object-group TS
    > access-list outside_access_in permit tcp any any
    > access-list inside_outbound_nat0_acl permit ip any any
    > access-list outside_cryptomap_20 permit ip any any
    > pager lines 24
    > mtu outside 1500
    > mtu inside 1500
    > ip address outside pppoe setroute
    > ip address inside 192.168.5.1 255.255.255.0
    > ip audit info action alarm
    > ip audit attack action alarm
    > pdm logging informational 100
    > pdm history enable
    > arp timeout 14400
    > global (outside) 1 interface
    > nat (inside) 0 access-list inside_outbound_nat0_acl
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > access-group outside_access_in in interface outside
    > timeout xlate 0:05:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    > timeout uauth 0:05:00 absolute
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server TACACS+ max-failed-attempts 3
    > aaa-server TACACS+ deadtime 10
    > aaa-server RADIUS protocol radius
    > aaa-server RADIUS max-failed-attempts 3
    > aaa-server RADIUS deadtime 10
    > aaa-server LOCAL protocol local
    > http server enable
    > http 192.168.5.0 255.255.255.0 inside
    > no snmp-server location
    > no snmp-server contact
    > snmp-server community public
    > no snmp-server enable traps
    > floodguard enable
    > sysopt connection permit-ipsec
    > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    > crypto map outside_map 20 ipsec-isakmp
    > crypto map outside_map 20 match address outside_cryptomap_20
    > crypto map outside_map 20 set peer 64.*.*.130
    > crypto map outside_map 20 set transform-set ESP-3DES-MD5
    > crypto map outside_map interface outside
    > isakmp enable outside
    > isakmp key ******** address 64.*.*.130 netmask 255.255.255.255 no-xauth no-config-mode
    > isakmp policy 20 authentication pre-share
    > isakmp policy 20 encryption 3des
    > isakmp policy 20 hash md5
    > isakmp policy 20 group 2
    > isakmp policy 20 lifetime 86400
    > telnet timeout 5
    > ssh timeout 5
    > console timeout 0
    > vpdn group pppoe_group request dialout pppoe
    > vpdn group pppoe_group localname
    > vpdn group pppoe_group ppp authentication pap
    > vpdn username ********@bellsouth.net password *********
    > dhcpd address 192.168.5.101-192.168.5.130 inside
    > dhcpd lease 3600
    > dhcpd ping_timeout 750
    > dhcpd auto_config outside
    > dhcpd enable inside
    > terminal width 80
    > Cryptochecksum:dab3a0bc64544b17707687cb91714f44
    > : end
    > [OK]

     
    cdoc, Aug 2, 2006
    #5
  6. Brian V

    Brian V Guest

    access-list inside_outbound_nat0_acl permit ip any any
    access-list outside_cryptomap_20 permit ip any any

    Both of these lines are bad. The first line is telling it not to NAT
    anything. This alone breaks your internet connection. It should be
    specifying the source and destination networks of the VPN tunnel.

    The second line is essentially telling it to send everything into the VPN
    tunnel. Like the one above, it should only have your source and destination
    networks in there.

    99.999% of the time these 2 lists should be identical when only using 1
    tunnel. When using more than 1 tunnel the Nat0 list should be equal to
    all the crypto match lists.

    Another thing in your config which is a huge security risk is the
    permit tcp any any statement on your outside ACL. Where you do not have any
    statics, there is really no need for the outside ACL.

    -Brian
     
    Brian V, Aug 3, 2006
    #6
  7. cdoc

    cdoc Guest

    Thanks Brian
    If my lan subnet on this side is 192.168.5.0 and the remote lan is
    192.168.100.0 what should the syntax on these two entries be?
    Thanks again for your help.

     
    cdoc, Aug 3, 2006
    #7
  8. cdoc

    cdoc Guest

    PS
    I indeed only have one vpn connection.

     
    cdoc, Aug 3, 2006
    #8
  9. cdoc

    cdoc Guest

    Should it be

    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

     
    cdoc, Aug 3, 2006
    #9
  10. Brian V

    Brian V Guest

    If internal is 192.168.5.X and the remote is 192.168.1.X use:
    access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0

    If internal is 192.168.5.X and the remote is 192.168.100.X use:
    access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
     
    Brian V, Aug 3, 2006
    #10
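    Brian's rule in #6 (the nat 0 list must be exactly the union of the crypto map match lists, neither list may say "any any", and an inbound "permit tcp any any" is a risk) and the corrected lines in #10 can be checked mechanically. The script below is an added example, not code from this thread or from Cisco: it parses only the PIX 6.3 lines the thread uses (access-list, nat 0, crypto map match address, access-group), and runs over constructed copies of the posted config, the corrected version, and a two-tunnel variant where the single-tunnel fix is not enough.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: the NAT, ACL and crypto lines from the config posted in this thread.
BROKEN_CONFIG = """
access-list outside_access_in permit tcp any object-group TS any object-group TS
access-list outside_access_in permit tcp any any
access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_20 permit ip any any
nat (inside) 0 access-list inside_outbound_nat0_acl
access-group outside_access_in in interface outside
crypto map outside_map 20 match address outside_cryptomap_20
"""
# Constructed sample: the same lines with Brian's corrections (192.168.5.0/24 local,
# 192.168.100.0/24 remote) and the 'permit tcp any any' rule dropped.
FIXED_CONFIG = """
access-list outside_access_in permit tcp any object-group TS any object-group TS
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
access-group outside_access_in in interface outside
crypto map outside_map 20 match address outside_cryptomap_20
"""
# Constructed sample: two tunnels, but the nat 0 list only covers the first one.
MULTI_TUNNEL_CONFIG = """
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_30 permit ip 192.168.5.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 30 match address outside_cryptomap_30
"""

ACE_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.*)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
AG_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
ANY = ip_network("0.0.0.0/0")
_PORT_SKIP = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "object-group": 2, "range": 3}

def _endpoint(toks):
    """Consume one PIX address spec: any | A MASK | object-group G."""
    if toks[0] == "any":
        return ANY, toks[1:]
    if toks[0] == "object-group":  # network object-groups are not expanded here
        return None, toks[2:]
    return ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]

def _skip_ports(toks):
    # Drop an optional port qualifier and report whether one was present.
    if toks and toks[0] in _PORT_SKIP:
        return toks[_PORT_SKIP[toks[0]]:], True
    return toks, False

def parse_config(text):
    # Collect ACL entries, nat 0 bindings, crypto match lists and access-groups.
    cfg = {"acl": defaultdict(list), "nat0": {}, "crypto": {}, "access_group": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            name, action, proto, rest = m.groups()
            src, toks = _endpoint(rest.split())
            toks, p1 = _skip_ports(toks)
            dst, toks = _endpoint(toks)
            _, p2 = _skip_ports(toks)
            cfg["acl"][name].append((action, proto, src, dst, p1 or p2))
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m.group(1)] = m.group(2)
        elif m := CRYPTO_RE.match(line):
            cfg["crypto"][(m.group(1), int(m.group(2)))] = m.group(3)
        elif m := AG_RE.match(line):
            cfg["access_group"][m.group(2)] = m.group(1)
    return cfg

def audit(text):
    """Return the list of findings; an empty list means all three checks pass."""
    cfg = parse_config(text)
    findings = []
    def ip_pairs(acl):  # (src, dst) networks of the 'permit ip' entries of an ACL
        return {(s, d) for a, p, s, d, _ in cfg["acl"].get(acl, []) if a == "permit" and p == "ip"}
    # 1. A crypto match list containing 'any' steers all traffic into the tunnel.
    crypto_pairs = set()
    for (cmap, seq), acl in cfg["crypto"].items():
        if any(ANY in pair for pair in ip_pairs(acl)):
            findings.append(f"{acl} (crypto map {cmap} {seq}) matches any: everything goes into the tunnel")
        crypto_pairs |= ip_pairs(acl)
    # 2. The nat 0 list must equal the union of the crypto match lists; 'any' in it
    #    exempts all traffic from NAT, which is what broke internet access here.
    for iface, acl in cfg["nat0"].items():
        nat0_pairs = ip_pairs(acl)
        if any(ANY in pair for pair in nat0_pairs):
            findings.append(f"{acl} (nat ({iface}) 0) matches any: nothing is NATed")
        if nat0_pairs != crypto_pairs:
            findings.append(f"{acl} (nat ({iface}) 0) is not the union of the crypto match lists")
    # 3. An inbound 'permit <proto> any any' with no port qualifier opens every port.
    for iface, acl in cfg["access_group"].items():
        for a, proto, s, d, has_port in cfg["acl"].get(acl, []):
            if a == "permit" and s == ANY and d == ANY and not has_port:
                findings.append(f"{acl} on {iface}: permit {proto} any any exposes every port")
    return findings
```

    Running audit() over BROKEN_CONFIG reports three findings (crypto list, nat 0 list, outside ACL), FIXED_CONFIG reports none, and MULTI_TUNNEL_CONFIG reports only that the nat 0 list is missing the second tunnel's networks.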
  11. cdoc

    cdoc Guest

    Brian
    The internal is 192.168.5.0 and the remote outside is 64.*.*.* and the
    remote internal is 192.168.100.0

    Can I assume that the syntax is

    access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0

    I really appreciate this help BTW

     
    cdoc, Aug 3, 2006
    #11
  12. cdoc

    Brian V Guest

    Yes, that is correct.

    > Brian
    > The internal is 192.168.5.0 and the remote outside is 64.*.*.* and the
    > remote internal is 192.168.100.0
    >
    > Can I assume that the syntax is
    >
    > access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0
    > 192.168.100.0 255.255.255.0
    > access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0
    > 192.168.100.0 255.255.255.0
    >
    > I really appreciate this help BTW
    >
    >
    > Brian V wrote:
    >> "cdoc" <> wrote in message
    >> news:HmcAg.19106$...
    >>> Should it be
    >>>
    >>> access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0
    >>> 192.168.5.0 255.255.255.0
    >>> access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0
    >>> 192.168.5.0 255.255.255.0
    >>>
    >>>
    >>>
    >>>
    >>> cdoc wrote:
    >>>> PS
    >>>> I indeed only have one vpn connection.
    >>>>
    >>>> cdoc wrote:
    >>>>> Thanks Brian
    >>>>> If my lan subnet on this side is 192.168.5.0 and the remote lan is
    >>>>> 192.168.100.0 what should the syntax on these two entries be?
    >>>>> Thanks again for your help.
    >>>>>

    >> <snip>
    >>
    >> If internal is 192.168.5.X and the remote is 192.168.1.X use:
    >> access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0
    >> 192.168.1.0 255.255.255.0
    >> access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0
    >> 192.168.1.0 255.255.255.0
    >>
    >> If internal is 192.168.5.X and the remote is 192.168.100.X use:
    >> access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0
    >> 192.168.100.0 255.255.255.0
    >> access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0
    >> 192.168.100.0 255.255.255.0
    >>
    >>
     
    Brian V, Aug 3, 2006
    #12
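The two access lists above do different jobs: `outside_cryptomap_20` is the crypto map's "interesting traffic" selector (only packets it permits enter the tunnel) and `inside_outbound_nat0_acl` exempts that same traffic from NAT so the remote LAN sees real 192.168.5.x addresses. Internet access disappears exactly when the crypto ACL is wider than the site-to-site pair, because ordinary outbound traffic then gets pulled into the tunnel. The script below is an added example, not code from the thread or from Cisco: it parses PIX 6.x-style `access-list ... permit ip` entries (dotted subnet masks, `host`, `any`), resolves which ACLs the `nat (inside) 0` and `crypto map ... match address` lines reference, and checks that the two lists agree and that a constructed internet address (203.0.113.10, a documentation range) is not matched by the crypto ACL. The sample configurations, ACL names and host addresses are constructed from the subnets discussed in the thread; the over-broad second config is invented purely to show what the check flags.

```python
"""Sanity-check a PIX lan-to-lan VPN: NAT-exemption ACL vs. crypto-map ACL.

Added example, not from the thread. Assumes PIX 6.x ACL syntax
('access-list NAME permit ip SRC MASK DST MASK', with 'host' and 'any').
"""
import ipaddress
import re
from typing import List, Tuple

ACE = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Constructed config using the thread's subnets: crypto and nat0 ACLs agree.
SAMPLE_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
crypto map outside_map 20 match address outside_cryptomap_20
"""

# Constructed over-broad crypto ACL: every inside host to anywhere is
# "interesting traffic", so internet-bound packets get pulled into the tunnel.
BROKEN_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 any
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
"""


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one PIX address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # 'A.B.C.D MASK' with a dotted subnet mask (PIX uses masks, not wildcards)
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(config: str, name: str) -> List[ACE]:
    """Return the (src, dst) network pairs of every 'permit ip' entry in ACL `name`."""
    entries: List[ACE] = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[:2] != ["access-list", name]:
            continue
        if tokens[2] != "permit" or tokens[3] != "ip":
            continue  # deny entries and non-ip protocols are outside this check
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append((src, dst))
    return entries


def find_acl_names(config: str) -> Tuple[str, str]:
    """Return (nat0_acl, crypto_acl) as referenced by 'nat (if) 0' and the crypto map."""
    nat0 = re.search(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)
    crypto = re.search(r"^crypto map \S+ \d+ match address (\S+)", config, re.M)
    if not nat0 or not crypto:
        raise ValueError("config lacks a 'nat ... 0 access-list' or a crypto map match address")
    return nat0.group(1), crypto.group(1)


def matches(entries: List[ACE], src: str, dst: str) -> bool:
    """True if any ACE permits traffic from host `src` to host `dst`."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in a and d in b for a, b in entries)


def check_vpn_acls(config: str, inside_host: str, remote_host: str, internet_host: str) -> dict:
    """Report whether the tunnel selects only the site-to-site pair and is NAT-exempt."""
    nat0_name, crypto_name = find_acl_names(config)
    nat0 = parse_acl(config, nat0_name)
    crypto = parse_acl(config, crypto_name)
    return {
        "acls_match": set(nat0) == set(crypto),          # same traffic exempted and encrypted
        "remote_in_tunnel": matches(crypto, inside_host, remote_host),
        "remote_nat_exempt": matches(nat0, inside_host, remote_host),
        "internet_in_tunnel": matches(crypto, inside_host, internet_host),  # must be False
    }


if __name__ == "__main__":
    for label, cfg in (("good", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        # 203.0.113.10 is a constructed documentation-range "internet" address.
        result = check_vpn_acls(cfg, "192.168.5.10", "192.168.100.10", "203.0.113.10")
        print(label, result)
```

A result with `internet_in_tunnel` True is the symptom from the original post: the crypto ACL matches internet-bound traffic, so it never reaches the `nat (inside) 1` / `global` path. `acls_match` False means NAT exemption and encryption disagree, which typically shows up as a tunnel that comes up but carries no return traffic.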
  13. cdoc

    cdoc Guest

    Thanks Brian, that did it.
    I appreciate you taking your time to help me.


    Brian V wrote:
    > Yes, that is correct.
    >
    >> Brian
    >> The internal is 192.168.5.0 and the remote outside is 64.*.*.* and the
    >> remote internal is 192.168.100.0
    >>
    >> Can I assume that the syntax is
    >>
    >> access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0
    >> 192.168.100.0 255.255.255.0
    >> access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0
    >> 192.168.100.0 255.255.255.0
    >>
    >> I really appreciate this help BTW
    >>
    >>
    >> Brian V wrote:
    >>> "cdoc" <> wrote in message
    >>> news:HmcAg.19106$...
    >>>> Should it be
    >>>>
    >>>> access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0
    >>>> 192.168.5.0 255.255.255.0
    >>>> access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0
    >>>> 192.168.5.0 255.255.255.0
    >>>>
    >>>>
    >>>>
    >>>>
    >>>> cdoc wrote:
    >>>>> PS
    >>>>> I indeed only have one vpn connection.
    >>>>>
    >>>>> cdoc wrote:
    >>>>>> Thanks Brian
    >>>>>> If my lan subnet on this side is 192.168.5.0 and the remote lan is
    >>>>>> 192.168.100.0 what should the syntax on these two entries be?
    >>>>>> Thanks again for your help.
    >>>>>>
    >>> <snip>
    >>>
    >>> If internal is 192.168.5.X and the remote is 192.168.1.X use:
    >>> access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0
    >>> 192.168.1.0 255.255.255.0
    >>> access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0
    >>> 192.168.1.0 255.255.255.0
    >>>
    >>> If internal is 192.168.5.X and the remote is 192.168.100.X use:
    >>> access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0
    >>> 192.168.100.0 255.255.255.0
    >>> access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0
    >>> 192.168.100.0 255.255.255.0
    >>>
    >>>

    >
    >
    >
     
    cdoc, Aug 5, 2006
    #13
  14. cdoc

    Brian V Guest

    Very welcome.


    "cdoc" <> wrote in message
    news:H%4Bg.16968$...
    > Thanks Brian, that did it.
    > I appreciate you taking your time to help me.
    >
    >
    > Brian V wrote:
    >> Yes, that is correct.
    >>
    >>> Brian
    >>> The internal is 192.168.5.0 and the remote outside is 64.*.*.* and the
    >>> remote internal is 192.168.100.0
    >>>
    >>> Can I assume that the syntax is
    >>>
    >>> access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0
    >>> 192.168.100.0 255.255.255.0
    >>> access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0
    >>> 192.168.100.0 255.255.255.0
    >>>
    >>> I really appreciate this help BTW
    >>>
    >>>
    >>> Brian V wrote:
    >>>> "cdoc" <> wrote in message
    >>>> news:HmcAg.19106$...
    >>>>> Should it be
    >>>>>
    >>>>> access-list inside_outbound_nat0_acl permit ip 192.168.1.0
    >>>>> 255.255.255.0 192.168.5.0 255.255.255.0
    >>>>> access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0
    >>>>> 192.168.5.0 255.255.255.0
    >>>>>
    >>>>>
    >>>>>
    >>>>>
    >>>>> cdoc wrote:
    >>>>>> PS
    >>>>>> I indeed only have one vpn connection.
    >>>>>>
    >>>>>> cdoc wrote:
    >>>>>>> Thanks Brian
    >>>>>>> If my lan subnet on this side is 192.168.5.0 and the remote lan is
    >>>>>>> 192.168.100.0 what should the syntax on these two entries be?
    >>>>>>> Thanks again for your help.
    >>>>>>>
    >>>> <snip>
    >>>>
    >>>> If internal is 192.168.5.X and the remote is 192.168.1.X use:
    >>>> access-list inside_outbound_nat0_acl permit ip 192.168.5.0
    >>>> 255.255.255.0 192.168.1.0 255.255.255.0
    >>>> access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0
    >>>> 192.168.1.0 255.255.255.0
    >>>>
    >>>> If internal is 192.168.5.X and the remote is 192.168.100.X use:
    >>>> access-list inside_outbound_nat0_acl permit ip 192.168.5.0
    >>>> 255.255.255.0 192.168.100.0 255.255.255.0
    >>>> access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0
    >>>> 192.168.100.0 255.255.255.0
    >>>>
    >>>>

    >>
    >>
     
    Brian V, Aug 5, 2006
    #14