PIX 501: VPN client connects but Internet doesn't work

Discussion in 'Cisco' started by maram66, Aug 4, 2008.

  1. maram66

    maram66 Guest

    PIX 501
    Office network: 172.16.1.0/24
    Cisco VPN adapter on my laptop: 172.16.1.141
    My laptop network: 172.16.8.0/24
    Laptop IP in laptop network: 172.16.8.101

    The VPN client connects fine, the tunnel is established and I can ping the
    office machines.
    But the Internet doesn't work. This is what I get on my laptop:
    Active Routes:
    Network Destination  Netmask          Gateway       Interface     Metric
    0.0.0.0              0.0.0.0          172.16.1.141  172.16.1.141  1
    172.16.0.0           255.255.0.0      172.16.1.141  172.16.1.141  20
    172.16.1.141         255.255.255.255  127.0.0.1     127.0.0.1     20
    172.16.8.0           255.255.255.0    172.16.8.101  172.16.8.101  20
    ....

    Pinging IPs on my local laptop network doesn't work, pinging Internet
    IPs doesn't work, pinging office network IPs works! If I disconnect
    the VPN client then the local network and Internet work but the office
    network is not reachable.

    I guess I should somehow reconfigure the routing table because the
    first line in the routing table routes all the traffic through
    172.16.1.141 and not 172.16.8.1 (the gateway on the laptop network).
    I could try to play with the routing table on my laptop, but shouldn't
    it be set automatically by the Cisco adapter/client? How do I fix that?

    This is the PIX config:

    : Saved
    : Written by enable_15 at 14:26:37.425 UTC Thu Jul 24 2008
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password JFrBfG.uSnSNNL6W encrypted
    passwd JFrBfG.uSnSNNL6W encrypted
    hostname vpn
    domain-name orbit
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 172.16.1.160 255.255.255.224
    access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 172.16.1.0 255.255.255.240
    access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 172.16.1.128 255.255.255.224
    access-list inside_outbound_nat0_acl permit ip any 172.16.1.128 255.255.255.224
    access-list outside_cryptomap_dyn_20 permit ip any 172.16.1.128 255.255.255.224
    access-list ping_acl permit icmp any any echo-reply
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 81.xxx.xxx.xxx 255.255.255.248
    ip address inside 172.16.1.10 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool v10 172.16.1.140-172.16.1.149
    pdm location 172.16.1.0 255.255.255.0 inside
    pdm location 192.168.1.0 255.255.255.0 inside
    pdm location 192.170.120.100 255.255.255.255 inside
    pdm location 192.170.120.100 255.255.255.255 outside
    pdm location 172.16.1.160 255.255.255.224 outside
    pdm location 172.16.1.0 255.255.255.240 outside
    pdm location 172.16.1.128 255.255.255.224 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 81.xxx.xxx.xxx
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 172.16.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup orbit address-pool v10
    vpngroup orbit dns-server 172.16.1.9
    vpngroup orbit wins-server 172.16.1.11
    vpngroup orbit default-domain orbit
    vpngroup orbit idle-time 1800
    vpngroup orbit password ********
    telnet 172.16.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh 172.16.1.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:dadd07862ca7300fdd141b68760904d2
     
    maram66, Aug 4, 2008
    #1

  2. vpngroup split-tunnel access-list


    http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/tz.html#wp1099471

    "Use the vpngroup split-tunnel command to enable split tunneling on the PIX Firewall.
    Split tunneling allows a remote VPN client or Easy VPN Remote device simultaneous
    encrypted access to the corporate network and clear access to the Internet. Using
    the vpngroup split-tunnel command, specify the access list name to which to
    associate the split tunnelling of traffic. With split tunnelling enabled, the PIX
    Firewall downloads its local network IP address and netmask specified within the
    associated access list to the VPN client or Easy VPN Remote device as part of the
    policy push to the client. In turn, the VPN client or Easy VPN Remote device sends
    the traffic destined to the specified local PIX Firewall network via an IPSec tunnel
    and all other traffic in the clear. The PIX Firewall receives the IPSec-protected
    packet on its outside interface, decrypts it, and then sends it to its specified
    local network.

    If you do not enable split tunneling, all traffic between the VPN client or Easy
    VPN Remote device and the PIX Firewall is sent through an IPSec tunnel. All traffic
    originating from the VPN client or Easy VPN Remote device is sent to the PIX
    Firewall's outside interface through a tunnel, and the client's access to the
    Internet from its remote site is denied."
     
    Jyri Korhonen, Aug 5, 2008
    #2
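    The split-tunnel configuration for the PIX config posted above, written out as an added
    example (it is not part of the original thread and was not posted by either participant).
    On PIX 6.3 the source network of the split-tunnel access list is what the PIX pushes to the
    VPN client as its secured route, and the destination is the client pool. Pool v10
    (172.16.1.140-149) lies inside 172.16.1.128/27, the same range the nat0 and crypto ACLs
    already use, so the third nat0 entry is repeated here under an assumed name,
    split_tunnel_acl. One caveat a practitioner should weigh: with split tunneling the laptop
    is on the Internet in the clear and on the office LAN through the tunnel at the same time,
    so anything that compromises the laptop has a path into the office network; whether that
    is acceptable is a policy decision, not a configuration detail.

```cisco
: Added example, not from the thread: enable split tunneling for vpngroup "orbit"
: on the PIX 6.3(5) config posted above. The ACL name split_tunnel_acl is assumed.
:
: Source      = the inside network the client should reach through the tunnel.
: Destination = the client address pool (v10 = 172.16.1.140-149, which is
:               contained in 172.16.1.128/27, already used by the nat0 and crypto ACLs).
access-list split_tunnel_acl permit ip 172.16.1.0 255.255.255.0 172.16.1.128 255.255.255.224
:
: Push the ACL's source network to the client as its secured route. Traffic to
: anything else now leaves the client in the clear via its own default gateway
: (172.16.8.1 in the poster's case) instead of being forced into the tunnel.
vpngroup orbit split-tunnel split_tunnel_acl
:
: Check the group and save. The policy is pushed at connect time, so an already
: established tunnel keeps the old tunnel-everything policy until the client reconnects.
show vpngroup
write memory
```

    After reconnecting, `route print` on the laptop should show the default route back on
    172.16.8.1 and only 172.16.1.0/24 pointing at the VPN adapter address; the Cisco VPN
    Client's Statistics window (Route Details tab) lists the same secured route. If the
    default route is still the VPN adapter, the client is still on the old policy and has
    not reconnected.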
  4. maram66

    maram66 Guest

    Great!!!
    Seems like it works, thanks!
    Another question though,

    I have two networks connected with a Gigabit switch; when I establish
    a VPN tunnel (PIX 501 + Cisco VPN Client) and try to copy things, the
    speed floats around 512 and 768 Kbps. I am using 3DES and was hoping the
    speed would be above a few Mbps (I think 3 Mbps is declared for 3DES).
    Is there some sort of throttle or bandwidth management I should take a
    look at?

    TIA
     
    maram66, Aug 5, 2008
    #4