Lose internet access when vpn enabled cisco 501

Discussion in 'Cisco' started by cdoc, Aug 1, 2006.

  1. cdoc

    cdoc Guest

    Hello
    I have two VPNs, one at home and the other at my office. Both set up with
    internet access. NAT enabled on both.
    When I use the VPN wizard with the PDM GUI to set up an end-to-end VPN
    connection, I lose my access out to the internet. Tunnel works fine
    though. If I kill the VPN, I get my internet back.
    Can the PIX 501 do both? If so, any help on this?
     
    cdoc, Aug 1, 2006
    #1

  2. Yes, the 501 has no problem with that.

    Check to see how you have configured the VPN. If you have configured
    it as a vpngroup then you need to configure 'split-tunnel'. If
    you have configured it as a lan-to-lan VPN then it's just a matter
    of ensuring that the access-list named in your crypto map match address
    statement is restricted to only the addresses you want to go
    through the VPN.
     
    Walter Roberson, Aug 1, 2006
    #2

  3. cdoc

    cdoc Guest

    Thanks Walter
    If I post my config here tomorrow will you give it a look?
    Thanks
     
    cdoc, Aug 2, 2006
    #3
  4. Yes, if I have time.
     
    Walter Roberson, Aug 2, 2006
    #4
  5. cdoc

    cdoc Guest

    Walter
    Here is my config. Can you give me some guidance on this? I really
    appreciate the help.

     
    cdoc, Aug 2, 2006
    #5
  6. Brian V

    Brian V Guest



    access-list inside_outbound_nat0_acl permit ip any any
    access-list outside_cryptomap_20 permit ip any any

    Both of these lines are bad. The first line is telling it not to NAT
    anything. This alone breaks your internet connection. It should be
    specifying source and destination networks of the VPN tunnel.

    Second line is essentially telling it to send everything into the VPN
    tunnel. Like above, it should only have your source and destination networks
    in there.

    99.999% of the time these 2 lists should be identical when only using 1
    tunnel. When using more than 1 tunnel, the Nat0 list should be equal to all
    the crypto match lists.

    Another thing you have in your config which is a huge security risk is the
    permit tcp any any statement on your outside ACL. Where you do not have any
    statics, there is really no need for the outside ACL.

    -Brian
     
    Brian V, Aug 3, 2006
    #6
  7. cdoc

    cdoc Guest

    Thanks Brian
    If my lan subnet on this side is 192.168.5.0 and the remote lan is
    192.168.100.0 what should the syntax on these two entries be?
    Thanks again for your help.

     
    cdoc, Aug 3, 2006
    #7
  8. cdoc

    cdoc Guest

    PS
    I indeed only have one vpn connection.
     
    cdoc, Aug 3, 2006
    #8
  9. cdoc

    cdoc Guest

    Should it be

    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0



     
    cdoc, Aug 3, 2006
    #9
  10. Brian V

    Brian V Guest

    <snip>

    If internal is 192.168.5.X and the remote is 192.168.1.X use:
    access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0

    If internal is 192.168.5.X and the remote is 192.168.100.X use:
    access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
     
    Brian V, Aug 3, 2006
    #10
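The two rules Brian gives in posts #6 and #10 (neither ACL may use `any`, and the nat0 list must equal the union of the crypto match lists) can be checked mechanically before a config is pushed. The following is an added example, not code from the thread or from Cisco; it parses only the `permit ip` ACE form shown above and the sample configs are constructed from the thread's lines.

```python
import re
from ipaddress import ip_network
# PIX 6.x ACE as written in the thread: access-list NAME permit ip (any|ADDR MASK) (any|ADDR MASK)
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(any|\S+\s+\S+)\s+(any|\S+\s+\S+)\s*$")

def to_net(tok):
    # 'any' becomes 0.0.0.0/0 (prefixlen 0), which is what the checks below key on
    if tok == "any":
        return ip_network("0.0.0.0/0")
    addr, mask = tok.split()
    return ip_network(f"{addr}/{mask}", strict=False)

def parse_acls(config):
    """Return {acl_name: {(src_net, dst_net), ...}} for every matching ACE."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, src, dst = m.groups()
            acls.setdefault(name, set()).add((to_net(src), to_net(dst)))
    return acls

def check_vpn_acls(config, nat0_name, crypto_names):
    """Apply the two rules from the thread; an empty list means both hold."""
    acls = parse_acls(config)
    findings = []
    nat0 = acls.get(nat0_name, set())
    crypto = set()
    for name in crypto_names:
        for src, dst in acls.get(name, set()):
            if src.prefixlen == 0 or dst.prefixlen == 0:
                findings.append(f"{name}: 'any' sends all traffic into the tunnel")
            crypto.add((src, dst))
    for src, dst in nat0:
        if src.prefixlen == 0 or dst.prefixlen == 0:
            findings.append(f"{nat0_name}: 'any' exempts all traffic from NAT (no internet)")
    if nat0 != crypto:
        findings.append(f"{nat0_name} must equal the union of the crypto match lists")
    return findings

# Constructed samples: the broken pair from post #6 and the corrected pair from post #10
BAD_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_20 permit ip any any
"""
GOOD_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
"""
```

Passing more than one crypto map name covers Brian's multi-tunnel case, where the nat0 list must carry one ACE per tunnel.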
  11. cdoc

    cdoc Guest

    Brian
    The internal is 192.168.5.0 and the remote outside is 64.*.*.* and the
    remote internal is 192.168.100.0

    Can I assume that the syntax is

    access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0

    I really appreciate this help BTW
     
    cdoc, Aug 3, 2006
    #11
  12. Brian V

    Brian V Guest

    Yes, that is correct.
     
    Brian V, Aug 3, 2006
    #12
  13. cdoc

    cdoc Guest

    Thanks Brian, that did it.
    I appreciate you taking your time to help me.
     
    cdoc, Aug 5, 2006
    #13
  14. Brian V

    Brian V Guest

    Very welcome.


     
    Brian V, Aug 5, 2006
    #14