Cisco PIX VPN

I have a PIX 506e running in our office to allow remote users to connect using the Cisco software VPN client. Users need to be able to see machines in the office and, in the ideal world, have internet access through this VPN (though that is not vital). What is odd is that if a user connects in remotely and I am in the office, I can ping their machine fine; however, they cannot ping back the other way. A remote user directly on the internet can connect in fine and pings can go either way; however, a remote user on a nat'd connection (using 192.168.0.XX) can establish the VPN connection but can't ping or connect to anything in the office (though, again, I can still see them from within the office).

Below are the relevant bits from the config. I can only assume it is something to do with them being nat'd. Any thoughts?

The office runs on 192.168.50.xx, but has one machine running on 192.168.0.110, which it would be nice to get to if possible.

Cheers

Paul

access-list NO-NAT permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list FromREMOTE permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list FromREMOTE permit ip 192.168.1.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list FromREMOTE permit ip host 192.168.0.110 192.168.50.0 255.255.255.0

nat (inside) 0 access-list NO-NAT
nat (inside) 1 192.168.50.0 255.255.255.0 0 0
ip local pool VPN 192.168.51.1-192.168.51.20

vpngroup ***** address-pool VPN
vpngroup ***** dns-server 212.135.1.36
vpngroup ***** split-tunnel FromREMOTE
vpngroup ***** idle-time 1800
vpngroup ***** password ********


You use the FromREMOTE ACL for split tunnelling.... Don't; besides, it contains bogus entries, and the statements should also be in the NO-NAT ACL. Get rid of it for starters, and maybe set up a proxy server that the clients can use for internet access via the Cisco VPN Client.

You have not posted half your VPN config, but from what you say, you need to add the PIXOS 6.3 command isakmp nat-t to your config.

HTH Martin Bilgrav


Sorry, I didn't put the rest of the config in. It is below. nat-t was in there.

sysopt connection permit-ipsec
crypto ipsec transform-set REMOTE esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set REMOTE
crypto map remote_map 20 ipsec-isakmp dynamic dynmap
crypto map remote_map interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local VPN outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 68400

I took out the split-tunnel command, and when VPN'd in, the remote user now gets the IP address 192.168.51.1 and a gateway of 192.168.51.1. Surely this means that the remote user's machine does not know a route out if the address it is trying to get to is outside of its own subnet? With split-tunnelling on, the remote machine doesn't get a gateway at all.

I can live without having internet access through this; it is a nicety rather than a requirement.

Many thanks for your help

Paul


I have this running in several places, so the feature does work ...

Try:

Have ONLY these lines in your VPN ACLs:

access-list NO-NAT permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list FromREMOTE permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

Remove this: isakmp client configuration address-pool local VPN outside
( no isakmp client configuration address-pool local VPN outside )

Add this: vpngroup ***** default-domain "YOURDOMAIN.COM"

Execute this: (config)# clear crypto ipsec sa

Check the VPN client: 'Modify' - [Transport] - tick "Allow Local LAN Access". Connect the client. Verify in the VPN client, via the hotkey Ctrl+S, under [Route Details] - "Secured routes", what's in there (it should read 192.168.50.0 255.255.255.0 in the right panel and be empty in the left panel).

What version of the VPN Client do you use?

HTH Martin

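An added example, not from the thread or either poster: a small Python check, using only the standard ipaddress module, that parses the access-list lines Paul posted and flags what Martin objects to in the split-tunnel ACL, namely entries with no matching NO-NAT entry, an entry whose destination is not the client pool, and a secured route that would overlap the remote user's own 192.168.0.x LAN. The client LAN prefix 192.168.0.0/24 and the handling of only "permit ip" entries are assumptions of the example.

```python
import ipaddress
import re

# Constructed sample: the ACL lines as posted in the thread, one PIX command per line.
PIX_ACLS = """
access-list NO-NAT permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list FromREMOTE permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list FromREMOTE permit ip 192.168.1.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list FromREMOTE permit ip host 192.168.0.110 192.168.50.0 255.255.255.0
"""

# Matches 'access-list NAME permit ip SRC DST', where SRC/DST is 'host A' or 'A MASK'.
ACL_RE = re.compile(r"access-list\s+(\S+)\s+permit\s+ip\s+"
                    r"(?:host\s+(\S+)|(\S+)\s+(\S+))\s+"
                    r"(?:host\s+(\S+)|(\S+)\s+(\S+))$")

def _net(host, addr, mask):
    """Build an IPv4 network from either a 'host X' token or an 'addr mask' pair."""
    return ipaddress.ip_network(f"{host}/32" if host else f"{addr}/{mask}", strict=False)

def parse_acls(text):
    """Return {acl_name: [(src_net, dst_net), ...]} for the 'permit ip' entries in text."""
    acls = {}
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, sh, sa, sm, dh, da, dm = m.groups()
            acls.setdefault(name, []).append((_net(sh, sa, sm), _net(dh, da, dm)))
    return acls

def check_split_tunnel(acls, split_acl, nonat_acl, pool_first, pool_last, client_lan):
    """Return [(src, reason)] for split-tunnel entries that look wrong on a PIX remote-access
    VPN: destination is not the client pool, no matching NO-NAT entry, or the secured route
    overlaps the remote user's own (nat'd) LAN, which is an assumed 192.168.0.0/24 here."""
    pool = list(ipaddress.summarize_address_range(ipaddress.ip_address(pool_first),
                                                  ipaddress.ip_address(pool_last)))
    lan = ipaddress.ip_network(client_lan)
    problems = []
    for src, dst in acls.get(split_acl, []):
        if not any(dst.overlaps(p) for p in pool):
            problems.append((str(src), "destination is not the VPN address pool"))
        if not any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in acls.get(nonat_acl, [])):
            problems.append((str(src), f"no matching entry in {nonat_acl}"))
        if src.overlaps(lan):
            problems.append((str(src), f"secured route overlaps remote client LAN {lan}"))
    return problems
```

Running check_split_tunnel(parse_acls(PIX_ACLS), "FromREMOTE", "NO-NAT", "192.168.51.1", "192.168.51.20", "192.168.0.0/24") leaves the 192.168.50.0/24 entry clean and reports the 192.168.1.0/24 and host 192.168.0.110 entries, which is the pair Martin's trimmed ACL drops.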
