Lose internet access when vpn enabled cisco 501

Hello
I have two VPNs, one at home and the other at my office. Both are set up with
internet access. NAT is enabled on both.
When I use the VPN wizard in the PDM GUI to set up an end-to-end VPN
connection, I lose my access out to the internet. The tunnel works fine
though. If I kill the VPN, I get my internet back.
Can the pix 501 do both? If so any help on this?
cdoc
Yes, the 501 has no problem with that.
Check to see how you have configured the VPN. If you have configured it as a vpngroup then you need to configure 'split-tunnel'. If you have configured it as a lan-to-lan VPN then it's just a matter of ensuring that the access-list named in your crypto map match address statement is restricted to only the addresses you want to go through the VPN.
Walter Roberson
Thanks Walter. If I post my config here tomorrow, will you give it a look? Thanks
cdoc
Yes, if I have time.
Walter Roberson
Walter, here is my config. Can you give me some guidance on this? I really appreciate the help.
cdoc
access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_20 permit ip any any
Both of these lines are bad. The first line is telling it not to NAT anything. This alone breaks your internet connection. It should be specifying source and destination networks of the VPN tunnel.
The second line is essentially telling it to send everything into the VPN tunnel. Like above, it should only have your source and destination networks in there.
99.999% of the time these 2 lists should be identical when only using 1 tunnel. When using more than 1 tunnel, the nat 0 list should be equal to all the crypto match lists combined.
Another thing you have in your config which is a huge security risk is the permit tcp any any statement on your outside ACL. Where you do not have any statics, there is really no need for the outside ACL.
-Brian
Brian V
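The two rules in Brian's answer (no "any any" in the nat 0 or crypto match lists, and the nat 0 list equal to the union of all crypto match lists) can be checked mechanically. This is an added audit script, not anything from the thread or from Cisco; it assumes PIX 6.x syntax with "any" or "address netmask" pairs only, the inside interface named "inside", and constructed config fragments built from the thread's before/after lines.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]
ANY = Net("0.0.0.0/0")

# Constructed PIX 6.x fragments (not the poster's full config): the 'any any'
# lists from the thread, and the same lines corrected to the 192.168.5.0 <->
# 192.168.100.0 pair that fixed the problem.
BROKEN_CONFIG = """
access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_20 permit ip any any
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
"""
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "permit ip any any",
    "permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0")


def _net(tokens: List[str]) -> Net:
    """Consume 'any' or 'addr mask' (PIX uses real netmasks) from the front."""
    if tokens[0] == "any":
        tokens.pop(0)
        return ANY
    return Net(f"{tokens.pop(0)}/{tokens.pop(0)}")


def parse_config(text: str):
    """Return (ACL name -> entries, nat 0 ACL names, crypto-map match ACL names)."""
    acls: Dict[str, Set[Entry]] = {}
    nat0: List[str] = []
    crypto: List[str] = []
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            rest = t[4:]
            acls.setdefault(t[1], set()).add((_net(rest), _net(rest)))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0.append(t[4])
        elif t[:2] == ["crypto", "map"] and "address" in t:
            crypto.append(t[t.index("address") + 1])
    return acls, nat0, crypto


def audit(text: str) -> List[str]:
    """Apply the thread's rules; an empty list means the lists look sane."""
    acls, nat0, crypto = parse_config(text)
    findings = []
    for name in nat0:
        if (ANY, ANY) in acls.get(name, set()):
            findings.append(f"{name}: nat 0 exempts all traffic from NAT, so internet access dies")
    for name in crypto:
        if (ANY, ANY) in acls.get(name, set()):
            findings.append(f"{name}: crypto map sends all traffic into the tunnel")
    nat0_entries = set().union(*(acls.get(n, set()) for n in nat0))
    crypto_entries = set().union(*(acls.get(n, set()) for n in crypto))
    if nat0 and crypto and nat0_entries != crypto_entries:
        findings.append("nat 0 list is not equal to the union of the crypto match lists")
    return findings
```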
Thanks Brian. If my LAN subnet on this side is 192.168.5.0 and the remote LAN is 192.168.100.0, what should the syntax on these two entries be? Thanks again for your help.
cdoc
PS: I indeed only have one VPN connection.
cdoc
Should it be:
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
cdoc
If internal is 192.168.5.X and the remote is 192.168.1.X use:
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
If internal is 192.168.5.X and the remote is 192.168.100.X use:
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
Brian V
Brian, the internal is 192.168.5.0, the remote outside is 64.*.*.*, and the remote internal is 192.168.100.0.
Can I assume that the syntax is:
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
I really appreciate this help, BTW.
cdoc
Yes, that is correct.
Brian V
Thanks Brian, that did it. I appreciate you taking your time to help me.
cdoc
Very welcome.
Brian V

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.