PIX 506E and Internet Access via VPN

Discussion in 'Cisco' started by Robert Hass, Jun 3, 2006.

  1. Robert Hass

    Robert Hass Guest


    I configured PIX 506E as Cisco VPN Server but I've got only 50%
    success. VPN Clients connects successfully to the VPN Server. Access to
    intranet networks (intranet) works fine, but Internet access not. I
    only getting this message in syslog:

    110001: No route to from
    110001: No route to from == VPN Client / User IP address, == IP addresses to which user want connect

    Any hints / recommendations about my issue ?

    My PIX 506E configuration:

    ip address inside
    access-list NONAT permit ip
    access-list NONAT permit ip
    ip local pool VPNClient-Pool
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0 0
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server RADIUS (outside) host ******* timeout 10
    sysopt connection permit-ipsec
    crypto ipsec transform-set VPNClient-TS esp-aes-256 esp-md5-hmac
    crypto dynamic-map VPNClient-DM 10 set transform-set VPNClient-TS
    crypto map VPN 10 ipsec-isakmp dynamic VPNClient-DM
    crypto map VPN client configuration address initiate
    crypto map VPN client configuration address respond
    crypto map VPN client authentication RADIUS
    crypto map VPN interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes-256
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup PIXVPN address-pool VPNClient-Pool
    vpngroup PIXVPN dns-server
    vpngroup PIXVPN default-domain remotevpn.intranet
    vpngroup PIXVPN idle-time 1800
    vpngroup PIXVPN password ********
    Robert Hass, Jun 3, 2006
    1. Advertisements

  2. When the clients are attempting to access the internet, do you
    want that internet traffic to go directly from the client to the
    destination, or do you want that internet traffic to first go
    to you and you pass it on to the internet on behalf of the client?

    If you want the traffic to go direct, then you need to use
    a vpngroup split-tunnel statement.

    If you want the traffic to go to you and you pass it on, then
    your LAN router would need to support 802.1Q VLANs and you would
    have to split your public address space.
    Walter Roberson, Jun 4, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.