Hello I need a little help. I have a pix 501 at my house. I used the pdm vpn wizard to allow remote vpn access to my home lan. The only problem I am having is when I use the vpn dialer and make connection to my home, I lose internet access on the client side. The pix side can still access the internet. Any ideas? Thanks in advance!
See if this command helps:
Pix#config t Pix(config)#isakmp nat-traversal
Sincerely,
Brad Reese BradReese.Com - Cisco Power Supply Headquarters
You need to set up split-tunnel in your vpngroup on the PIX. It is possible to do that via PDM, but I don't recall how.
Take a look at this Configuring Cisco Secure PIX and VPN Client Doc:
isakmp nat-traversal
Perhaps you can post the config?
If you have a split tunneling problem.
The idea of split tunneling is that you use an ACL to define what should go down the VPN, then everything else goes onto the internet unencrypted.
So using "permit ip any any" as the split tunnel ACL is rather defeating the point of it.
More usual to be "permit ip [vpn_user_subnet] [office_subnets]".
Those that can help you can't be sure without seeing the CLI config.
With a nat-traversal problem a user can connect, send traffic down the tunnel, but gets nothing back when PIX drops it because the user peer IP does not match IP in the packet header.
------------------------
How to Configure the Cisco VPN Client to PIX with AES:
------------------------
Sample codes for configuring Remote VPN Access on a PIX:
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0
255.255.255.0 access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0nat (inside) 0 access-list 101
isakmp policy 10 authentication pre-share isakmp policy 10 encryption 3des isakmp policy 10 hash md5 isakmp policy 10 group 2 isakmp policy 10 lifetime 86400
isakmp identity address isakmp nat-traversal 20
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
ip local pool ippool 10.1.1.11-10.1.1.21
vpngroup vpnclient address-pool ippool vpngroup vpnclient idle-time 1800 vpngroup vpnclient dns-server 139.130.4.4 vpngroup vpnclient password cisco456 vpngroup vpnclient split-tunnel 120
crypto dynamic-map dynmap 10 set transform-set vpnset crypto map remote_vpn 20 ipsec-isakmp dynamic dynmap
username cisco password cisco123
aaa-server LOCAL protocol local crypto map remote_vpn client authentication LOCAL crypto map remote_vpn client configuration address initiate crypto map remote_vpn client configuration address respond
Regarding the VPN Client, just simply install it by following the instruction on screen, click "new":
"connection entry" a name for your reference "host" public ip of the pix 501 "name" vpnclient "password" cisco456
To initiate a tunnel, double click the entry you just created.
It will then prompt you for individual username and password ( it's cisco and cisco123 ).
------------------------
Sincerely,
Brad Reese Cisco Product Quick Reference Guides, CPQRG
I would indeed appreciate any help on config the split tunnel. I hope I can do this from the pdm, if so please give me some guidance. Once again, I appreciate your help.
Walter Robers> > >I need a little help. I have a pix 501 at my house. I used the pdm
Ummm, my usual guidance is "PDM is seldom worth using".
If you want to use the PDM wizard, on the last page of the setup wizard, you at the bottom there's a checkmark for Spil Tunneling
Julian
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.