Hello,
this is what we would like to achieve:
Road-Warrior --- Pix --- LAN
Road-Warrior uses Cisco's VPN client. All traffic from Road-Warrior should pass through the inside interface of the Pix towards the LAN, no matter whether it is directed to our LAN or towards the Internet. Traffic arriving on the inside interface directed to the "address pool" IP address of Road-Warrior should of course go back through the outside interface into the VPN tunnel.
The following is the relevant part of the config. The tunnel is established, the user authenticated, Road-Warrior gets the proper IP address from the pool but is unable to reach anything on the LAN or further on.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 195.37.33.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.38 255.255.255.0
!
access-list aclinside extended permit ip any host 10.1.5.79
access-list testlist extended permit ip any any
ip local pool adpool 10.1.5.79 mask 255.255.0.0
nat-control
nat (inside) 0 access-list aclinside
route outside 0.0.0.0 0.0.0.0 195.37.33.254 1
route inside 0.0.0.0 0.0.0.0 192.168.1.254 tunneled
aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.129.30.6
 timeout 5
 key xxxxxx
group-policy mpivpn internal
group-policy mpivpn attributes
 banner value Welcome to MPIIB-VPN
 vpn-idle-timeout 30
 default-domain value immunbio.mpg.de
 user-authentication enable
 client-access-rule none
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address testlist
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 20 match address testlist
crypto map outside_map 20 set transform-set ESP-3DES-MD5 ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) RADIUS
tunnel-group mpivpn type ipsec-ra
tunnel-group mpivpn general-attributes
 address-pool adpool
 authentication-server-group (outside) RADIUS
 default-group-policy mpivpn
tunnel-group mpivpn ipsec-attributes
 pre-shared-key defcon13
 authorization-required
tunnel-group authentication type ipsec-ra
tunnel-group authentication general-attributes
 authentication-server-group (outside) RADIUS
 default-group-policy authentication
!
: end
What is wrong here?
Regards, Christoph Gartmann
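As an added example (not part of the post, and not a Cisco tool), here is a small Python lint that reads the lines of a PIX 7.x configuration that govern a remote-access client's traffic and reports three things a reviewer checks first: whether the pool address is matched by the nat 0 exemption ACL, whether a tunneled default route exists, and whether a static crypto map entry has a match address but no set peer. The embedded sample is constructed from the commands in the post; a finding marks a structural gap in the config, not a proven cause of the problem.

```python
# Constructed sample: the commands from the post that decide how a remote-access
# client's traffic is exempted from NAT, routed and matched by the crypto maps.
SAMPLE_CONFIG = """\
access-list aclinside extended permit ip any host 10.1.5.79
access-list testlist extended permit ip any any
ip local pool adpool 10.1.5.79 mask 255.255.0.0
nat (inside) 0 access-list aclinside
route inside 0.0.0.0 0.0.0.0 192.168.1.254 tunneled
crypto dynamic-map outside_dyn_map 20 match address testlist
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 20 match address testlist
crypto map outside_map 20 set transform-set ESP-3DES-MD5 ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

def parse(config):
    """Collect pools, ACLs, nat 0 exemption ACLs, the tunneled route and static crypto map entries."""
    pools, acls, nat0, tunneled, static = {}, {}, set(), False, {}
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:3] == ["ip", "local", "pool"]:
            pools[w[3]] = w[4]                      # pool name -> first address
        elif w[0] == "access-list":
            acls.setdefault(w[1], []).append(w)     # ACL name -> list of token lists
        elif w[0] == "nat" and w[2] == "0" and w[3] == "access-list":
            nat0.add(w[4])                          # ACL used for NAT exemption
        elif w[0] == "route" and w[-1] == "tunneled":
            tunneled = True
        elif w[:2] == ["crypto", "map"] and w[3].isdigit():
            # static entries carry a sequence number; "crypto map X interface Y" does not
            static.setdefault((w[2], int(w[3])), set()).add(" ".join(w[4:6]))
    return pools, acls, nat0, tunneled, static

def lint(config):
    """Return human-readable findings; an empty list means all three checks passed."""
    pools, acls, nat0, tunneled, static = parse(config)
    findings = []
    for name, addr in pools.items():
        exempt = any(addr in w for acl in nat0 for w in acls.get(acl, []))
        if not exempt:
            findings.append(f"pool {name}: {addr} is not matched by the nat 0 ACL")
    if not tunneled:
        findings.append("no tunneled default route: client Internet traffic will not be sent inside")
    for (name, seq), cmds in sorted(static.items()):
        if "match address" in cmds and "set peer" not in cmds:
            findings.append(f"crypto map {name} {seq}: match address but no set peer")
    return findings
```

Run `lint(SAMPLE_CONFIG)` to see which of the three checks the posted config fails.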