PIX 506E and Internet Access via VPN

Discussion in 'Cisco' started by Robert Hass, Jun 3, 2006.

  1. Robert Hass

    Robert Hass Guest

    Hi

    I configured a PIX 506E as a Cisco VPN Server but I've got only 50%
    success. VPN clients connect successfully to the VPN Server. Access to
    intranet networks (intranet) works fine, but Internet access does not. I
    am only getting this message in syslog:

    110001: No route to 198.133.219.25 from 192.168.254.1
    110001: No route to 129.42.34.212 from 192.168.254.1

    192.168.254.1 == VPN Client / User IP address
    198.133.219.25, 129.42.34.212 == IP addresses to which the user wants to connect

    Any hints / recommendations about my issue?



    My PIX 506E configuration:

    -----------------------------------------------------------------------
    ...
    ip address inside 10.0.33.1 255.255.255.0
    ...
    access-list NONAT permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
    access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0
    ...
    ip local pool VPNClient-Pool 192.168.254.1-192.168.254.254
    ...
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    ...
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server RADIUS (outside) host 10.0.33.121 ******* timeout 10
    ...
    sysopt connection permit-ipsec
    ...
    crypto ipsec transform-set VPNClient-TS esp-aes-256 esp-md5-hmac
    crypto dynamic-map VPNClient-DM 10 set transform-set VPNClient-TS
    crypto map VPN 10 ipsec-isakmp dynamic VPNClient-DM
    crypto map VPN client configuration address initiate
    crypto map VPN client configuration address respond
    crypto map VPN client authentication RADIUS
    crypto map VPN interface outside
    ...
    isakmp enable outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes-256
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    ...
    vpngroup PIXVPN address-pool VPNClient-Pool
    vpngroup PIXVPN dns-server 10.0.33.3 10.0.33.4
    vpngroup PIXVPN default-domain remotevpn.intranet
    vpngroup PIXVPN idle-time 1800
    vpngroup PIXVPN password ********
    -----------------------------------------------------------------------

    Thanks for help
    Robert
    Robert Hass, Jun 3, 2006
    #1

  2. In article <>,
    Robert Hass <> wrote:
    >I configured a PIX 506E as a Cisco VPN Server but I've got only 50%
    >success. VPN clients connect successfully to the VPN Server. Access to
    >intranet networks (intranet) works fine, but Internet access does not. I
    >am only getting this message in syslog:
    >110001: No route to 198.133.219.25 from 192.168.254.1


    When the clients are attempting to access the internet, do you
    want that internet traffic to go directly from the client to the
    destination, or do you want that internet traffic to first go
    to you and you pass it on to the internet on behalf of the client?

    If you want the traffic to go direct, then you need to use
    a vpngroup split-tunnel statement.

    If you want the traffic to go to you and you pass it on, then
    your LAN router would need to support 802.1Q VLANs and you would
    have to split your public address space.
    Walter Roberson, Jun 4, 2006
    #2
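
The split-tunnel option named in the reply above, as an added PIX 6.x configuration example that is not part of either post. The ACL name SPLIT-TUNNEL is hypothetical; the group name, inside network and client pool are taken from the posted configuration. With this in place only traffic to 10.0.0.0/8 is encrypted, and the client's Internet traffic leaves from the client's own connection, so it no longer passes through the PIX or any filtering and logging behind it.

```cisco
: Networks the VPN client should reach through the tunnel
: (source = protected inside network, destination = VPN client pool)
access-list SPLIT-TUNNEL permit ip 10.0.0.0 255.0.0.0 192.168.254.0 255.255.255.0

: Bind the ACL to the existing group; everything not matched by the
: ACL is sent by the client directly to the Internet, unencrypted
vpngroup PIXVPN split-tunnel SPLIT-TUNNEL
```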