Lose internet access when VPN enabled, Cisco 501

Hello, I have two VPNs, one at home and the other at my office. Both are set up with internet access. NAT is enabled on both. When I use the VPN wizard with the PDM GUI to set up an end-to-end VPN connection, I lose my access out to the internet. The tunnel works fine though. If I kill the VPN, I get my internet back. Can the PIX 501 do both? If so, any help on this?

Reply to
cdoc

Yes, the 501 has no problem with that.

Check to see how you have configured the VPN. If you have configured it as a vpngroup then you need to configure 'split-tunnel'. If you have configured it as a lan-to-lan VPN then it's just a matter of ensuring that the access-list named in your crypto map match address statement is restricted to only the addresses you want to go through the VPN.

Reply to
Walter Roberson

Yes, if I have time.

Reply to
Walter Roberson

Walter, here is my config. Can you give me some guidance on this? I really appreciate the help.

Thanks Walter

Reply to
cdoc

access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_20 permit ip any any

Both of these lines are bad. The first line is telling it not to NAT anything. This alone breaks your internet connection. It should be specifying source and destination networks of the VPN tunnel.

The second line is essentially telling it to send everything into the VPN tunnel. Like above, it should only have your source and destination networks in there.

99.999% of the time these 2 lists should be identical when only using 1 tunnel. When using more than 1 tunnel, the nat0 list should be equal to all of the crypto match lists.

Another thing you have in your config which is a huge security risk is the permit tcp any any statement on your outside ACL. Where you do not have any statics, there is really no need for the outside ACL.

-Brian

Reply to
Brian V
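A small audit script for the relationship Brian describes above (added example, not from the thread or from Cisco): it parses PIX-style access-list, nat 0 and crypto map match address lines, flags 'any' in either list, and checks that the nat 0 list equals the union of the crypto map match lists, which also covers the multi-tunnel case. The sample configs are constructed from the corrected and original lines in the thread; only 'permit ip' entries are handled.

```python
import re

# Constructed samples (not the poster's full config): the nat 0 and crypto map bindings,
# the corrected ACL pair from the thread, and the original 'any any' pair.
BINDINGS = ("nat (inside) 0 access-list inside_outbound_nat0_acl\n"
            "crypto map outside_map 20 match address outside_cryptomap_20\n")
GOOD_CONFIG = BINDINGS + (
    "access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0\n"
    "access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0\n")
BAD_CONFIG = BINDINGS + ("access-list inside_outbound_nat0_acl permit ip any any\n"
                         "access-list outside_cryptomap_20 permit ip any any\n")

ADDR = r"(any|host \S+|\S+ \S+)"              # an ACL address: any, host A.B.C.D, or NET MASK
ACL_RE = re.compile(rf"^access-list (\S+) permit ip {ADDR} {ADDR}$")  # 'permit ip' entries only
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def norm_addr(addr):
    """Normalise an address spec to 'any' or 'NET/MASK' so entries compare as sets."""
    tok = addr.split()
    if tok[0] == "any":
        return "any"
    return tok[1] + "/255.255.255.255" if tok[0] == "host" else tok[0] + "/" + tok[1]

def parse_config(config):
    """Collect ACL entries per name plus the names bound by nat 0 and crypto map match address."""
    acls, nat0_names, crypto_names = {}, set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), set()).add((norm_addr(m.group(2)), norm_addr(m.group(3))))
        elif m := NAT0_RE.match(line):
            nat0_names.add(m.group(1))
        elif m := CRYPTO_RE.match(line):
            crypto_names.add(m.group(1))
    return acls, nat0_names, crypto_names

def audit(config):
    """Flag 'any' in the nat 0 / crypto ACLs, and a nat 0 list that differs from the union of crypto lists."""
    acls, nat0_names, crypto_names = parse_config(config)
    findings = []
    for name in sorted(nat0_names | crypto_names):
        for src, dst in sorted(acls.get(name, ())):
            if "any" in (src, dst):   # 'any' here means no NAT at all, or all traffic into the tunnel
                findings.append(f"{name}: {src} -> {dst} uses any; restrict to the tunnel networks")
    union = set().union(*(acls.get(n, set()) for n in crypto_names))
    for name in sorted(nat0_names):
        if acls.get(name, set()) != union:
            findings.append(f"{name}: nat 0 list should equal the union of the crypto map match lists")
    return findings
```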

Thanks Brian. If my LAN subnet on this side is 192.168.5.0 and the remote LAN is 192.168.100.0 what should the syntax
Reply to
cdoc

Should it be

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

Reply to
cdoc

If internal is 192.168.5.X and the remote is 192.168.1.X use:

access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0

If internal is 192.168.5.X and the remote is 192.168.100.X use:

access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0

Reply to
Brian V

Brian, the internal is 192.168.5.0, the remote outside is 64.*.*.*, and the remote internal is 192.168.100.0.

Can I assume that the syntax is

access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0

I really appreciate this help BTW

Reply to
cdoc

Yes, that is correct.

Reply to
Brian V

Thanks Brian, that did it. I appreciate you taking your time to help me.

Reply to
cdoc

Very welcome.

Reply to
Brian V
