PIX 501-Can not go to Internet

Hi there, I have a problem with my PIX 501: when the VPN is up, users can go to the Internet, but when the s2s VPN is down there is no Internet for users behind the PIX 501. Can someone take a look at my 501 settings and tell me why I cannot get Internet connectivity? Rob

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIX501
domain-name domain-501
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 102 permit ip 192.168.101.0 255.255.255.0 10.10.0.0 255.255.0.0
pager lines 24
mtu outside 1400
mtu inside 1500
ip address outside 64.235.102.34 255.255.255.192
ip address inside 192.168.101.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.101.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 64.235.102.35 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 1000
sysopt connection permit-ipsec
crypto ipsec transform-set abc esp-3des esp-md5-hmac
crypto map xyz 1 ipsec-isakmp
crypto map xyz 1 match address 102
crypto map xyz 1 set peer 64.7.140.92
crypto map xyz 1 set peer 199.71.187.17
crypto map xyz 1 set transform-set abc
crypto map xyz interface outside
isakmp enable outside
isakmp key ******** address 64.7.140.92 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 10.10.0.0 255.255.0.0 inside
telnet 192.168.101.0 255.255.255.0 inside
telnet timeout 5
management-access inside
console timeout 0
dhcpd address 192.168.101.30-192.168.101.40 inside
dhcpd dns 10.10.5.2 64.235.98.226
dhcpd wins 10.10.5.2 10.10.5.5
dhcpd lease 50000
dhcpd ping_timeout 750
dhcpd domain wellington
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Reply to
Rob

Maybe the DNS server at IP 10.10.5.2 doesn't work when VPN is down.

Reply to
Jyri Korhonen

Well, I can not even ping an outside host, so it shouldn't be a DNS problem, I guess. On the PIX box I can ping outside.

Reply to
Rob

Hello,

When you are successfully able to connect to the Internet when the tunnel is up, what is your source IP address as seen by Internet hosts? Google "what is my ip address" and go to one of those sites to determine it. Is it an IP address you recognize? Any chance you are routing Internet traffic through the VPN tunnel? Also, I do not see outbound rules on the inside interface permitting outbound Internet traffic originating from Inside to Outside (Internet). Not sure about this specific PIX code version, but some versions allowed an option to bypass interface ACLs for tunneled traffic, and that is why Internet access may be working when the tunnel is up and not working when the tunnel is down. My 2 cents.

Regards

Reply to
jrguent

Yes, I guess I am routing Internet traffic through the VPN tunnel, but I am not sure how to change it. I don't think I need outbound rules on the inside interface on a PIX box, but I am not completely sure. Do I need both:

nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Rob

Reply to
Rob

Hello,

Stated another way, you may need rules applied inbound on the inside interface ("access-group inside_access_in in interface inside", PDM would add this command by default).

An example rule would be

access-list inside_access_in extended permit tcp 192.168.101.0 255.255.255.0 any eq http

for web browsing.

Without these rules, this may be why there is no Internet access without the VPN tunnel being up.

Yes, you would need both of these NAT commands, else your current VPN would not work without changing the definition of tunneled traffic (crypto map ACLs):

nat (inside) 0 access-list 102
This command allows VPN tunneled traffic to bypass the NAT process when going from Inside to Outside interfaces via the VPN tunnel.

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Else, this command will set up the necessary NAT/PAT on the outside interface so you can properly route via the Internet.

Regards

Reply to
jrguent
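To check Jyri Korhonen's DNS point and jrguent's NAT explanation against the posted config, here is a small added Python script (not from this thread or from Cisco) that replays the PIX NAT order: a flow matching the nat 0 access-list is left un-NATed for the crypto map, everything else falls to nat (inside) 1 and is PAT'd behind the outside interface. The config excerpt is copied from Rob's post; the client address is the first one in the dhcpd pool, and 198.51.100.10 is a documentation-range stand-in for an Internet host.

```python
import ipaddress

# Constructed excerpt: the NAT-relevant lines from the PIX 501 config posted in this thread.
PIX_CONFIG = """
access-list 102 permit ip 192.168.101.0 255.255.255.0 10.10.0.0 255.255.0.0
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
dhcpd dns 10.10.5.2 64.235.98.226
"""

def parse_pix(config):
    """Collect permit ACEs per ACL id, the ACL used by 'nat (inside) 0', and DHCP DNS servers."""
    acls, nat0_acl, dns_servers = {}, None, []
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and len(t) >= 8 and t[2] == "permit":
            # access-list <id> permit <proto> <src> <src-mask> <dst> <dst-mask>
            src = ipaddress.ip_network(f"{t[4]}/{t[5]}")
            dst = ipaddress.ip_network(f"{t[6]}/{t[7]}")
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["nat", "(inside)", "0"] and t[3:4] == ["access-list"]:
            nat0_acl = t[4]
        elif t[:2] == ["dhcpd", "dns"]:
            dns_servers = t[2:]
    return acls, nat0_acl, dns_servers

def classify_flow(src_ip, dst_ip, acls, nat0_acl):
    """nat 0 (exemption) is evaluated first: a match leaves the flow un-NATed for the
    crypto map; anything else falls to 'nat (inside) 1' and is PAT'd to the outside address."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if any(s in src_net and d in dst_net for src_net, dst_net in acls.get(nat0_acl, [])):
        return "nat0-exempt-via-vpn"
    return "pat-to-outside"

def tunnel_only_dns(client_ip, dns_servers, acls, nat0_acl):
    """DNS servers a DHCP client can only reach while the site-to-site tunnel is up."""
    return [ip for ip in dns_servers
            if classify_flow(client_ip, ip, acls, nat0_acl) == "nat0-exempt-via-vpn"]

if __name__ == "__main__":
    acls, nat0_acl, dns_servers = parse_pix(PIX_CONFIG)
    client = "192.168.101.30"                   # first address in the dhcpd pool
    for dst in ("10.10.5.2", "198.51.100.10"):  # remote-LAN host, documentation-range Internet host
        print(f"{client} -> {dst}: {classify_flow(client, dst, acls, nat0_acl)}")
    print("DNS servers needing the tunnel:", tunnel_only_dns(client, dns_servers, acls, nat0_acl))
```

On the posted config it reports the Internet-bound flow as PAT'd to the outside interface and lists 10.10.5.2 as the only DHCP-advertised DNS server that depends on the tunnel.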

