PIX 506E and Internet Access via VPN

Hi

I configured a PIX 506E as a Cisco VPN server but I've only got 50% success. VPN clients connect successfully to the VPN server. Access to the intranet networks works fine, but Internet access does not. I only get this message in syslog:

110001: No route to 198.133.219.25 from 192.168.254.1
110001: No route to 129.42.34.212 from 192.168.254.1

192.168.254.1 == VPN client / user IP address

198.133.219.25, 129.42.34.212 == IP addresses the user wants to connect to

Any hints / recommendations about my issue?

My PIX 506E configuration:

-----------------------------------------------------------------------
..
ip address inside 10.0.33.1 255.255.255.0
..
access-list NONAT permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0
..
ip local pool VPNClient-Pool 192.168.254.1-192.168.254.254
..
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
..
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (outside) host 10.0.33.121 ******* timeout 10
..
sysopt connection permit-ipsec
..
crypto ipsec transform-set VPNClient-TS esp-aes-256 esp-md5-hmac
crypto dynamic-map VPNClient-DM 10 set transform-set VPNClient-TS
crypto map VPN 10 ipsec-isakmp dynamic VPNClient-DM
crypto map VPN client configuration address initiate
crypto map VPN client configuration address respond
crypto map VPN client authentication RADIUS
crypto map VPN interface outside
..
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
..
vpngroup PIXVPN address-pool VPNClient-Pool
vpngroup PIXVPN dns-server 10.0.33.3 10.0.33.4
vpngroup PIXVPN default-domain remotevpn.intranet
vpngroup PIXVPN idle-time 1800
vpngroup PIXVPN password ********

-----------------------------------------------------------------------

Thanks for the help,
Robert

Robert Hass

When the clients are attempting to access the internet, do you want that internet traffic to go directly from the client to the destination, or do you want that internet traffic to first go to you and you pass it on to the internet on behalf of the client?

If you want the traffic to go direct, then you need to use a vpngroup split-tunnel statement.

If you want the traffic to go to you and you pass it on, then your LAN router would need to support 802.1Q VLANs and you would have to split your public address space.

Walter Roberson
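The split-tunnel option from the reply above, written out as an added example against Robert's posted configuration (this is not code from either post). It assumes the PIX 6.x `vpngroup` syntax the original config already uses, and that the networks the clients should reach through the tunnel are 10.0.0.0/8, the range Robert's NONAT access-list already covers; the access-list name SPLIT-TUNNEL is my choice and can be anything.

```cisco
! Added example: split tunneling for the PIXVPN group on a PIX 6.x (506E).
!
! In PIX 6.x the split-tunnel access-list is written from the PIX's point of
! view: source = the networks behind the PIX that the client must reach
! through the tunnel, destination = the VPN client address pool.
! Only these destinations are pushed to the client as "secured" routes;
! everything else (e.g. 198.133.219.25, 129.42.34.212) leaves the client's
! own Internet connection directly and never reaches the PIX, so the
! "110001: No route to ... from 192.168.254.1" messages stop.
access-list SPLIT-TUNNEL permit ip 10.0.0.0 255.0.0.0 192.168.254.0 255.255.255.0

! Attach the list to the existing group. The other vpngroup PIXVPN lines
! (address-pool, dns-server, default-domain, idle-time, password) stay as is.
vpngroup PIXVPN split-tunnel SPLIT-TUNNEL

! No NAT change is needed: the existing
!   nat (inside) 0 access-list NONAT
! already exempts 10.0.0.0/8 <-> 192.168.0.0/16, which includes the
! 192.168.254.0/24 pool, so intranet traffic keeps working untranslated.
```

After adding this, `show vpngroup` on the PIX should list the split-tunnel access-list for PIXVPN, and the Cisco VPN Client's route details should show 10.0.0.0/8 as the only secured route. The security trade-off is worth stating plainly: a split-tunneled client is on the Internet and the intranet at the same time, so a compromised client can relay traffic into 10.0.0.0/8 through its tunnel; forcing all traffic through the PIX (the second option in the reply) avoids that exposure at the cost of the extra addressing and VLAN work described there.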

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.