Remote access problem

hi all, ive recently setup a pix 506e to be one side of a ipsec site to site vpn. Now i need to setup a remote access client as far ive entered the config for this and the client can connect to the pix and access resources but the client cannot access the internet i think this might be down to a nat problem

here is my config

a.a.a.a - is the outside ip address

PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password iXGnkrxxxxxxxx encrypted passwd 2KFQxxxxxxx encrypted hostname crayford domain-name dh2 fixup protocol dns maximum-length 1024 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 no fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list outside_access_in permit tcp any eq www any eq www access-list outside_access_in permit tcp any any eq smtp access-list outside_access_in permit icmp any any access-list outside_access_in permit udp host x.x.x.x host a.a.a.a eq isakmp access-list outside_access_in permit tcp any eq domain any eq domain access-list inside_outbound_nat0_acl permit ip 10.35.104.0

255.255.255.0 192.168 .1.0 255.255.255.0 access-list inside_outbound_nat0_acl permit ip any 10.35.104.176 255.255.255.240

access-list outside_cryptomap_20 permit ip 10.35.104.0 255.255.255.0

192.168.1.0 255.255.255.0 access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 10.35.104.0 255.255.255.0 access-list outside_cryptomap_20 permit icmp 10.35.104.0 255.255.255.0 192.168.1 .0 255.255.255.0 access-list outside_cryptomap_dyn_20 permit ip any 10.35.104.176 255.255.255.240

pager lines 24 logging on logging timestamp logging trap debugging logging host inside 10.35.104.162 mtu outside 1500 mtu inside 1500 ip address outside a.a.a.a 255.255.255.240 ip address inside 10.35.104.100 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool remote 10.35.104.180-10.35.104.184 pdm location 192.168.1.0 255.255.255.0 outside pdm location 10.35.104.162 255.255.255.255 inside pdm location 10.35.104.0 255.255.255.0 outside pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) tcp interface smtp 10.35.104.106 smtp netmask

255.255.25 5.255 0 0 static (inside,outside) tcp interface www 10.35.104.106 www netmask 255.255.255. 255 0 0 access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 x.x.x.x 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 10.35.104.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5 crypto map outside_map 20 ipsec-isakmp crypto map outside_map 20 match address outside_cryptomap_20 crypto map outside_map 20 set peer x.x.x.x crypto map outside_map 20 set transform-set ESP-3DES-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside isakmp enable outside isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-co nfig-mode isakmp identity address isakmp nat-traversal 3600 isakmp policy 20 authentication pre-share isakmp policy 20 encryption 3des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 86400 vpngroup dh2remote address-pool remote vpngroup dh2remote dns-server 194.72.6.57 10.35.104.106 vpngroup dh2remote wins-server 10.35.104.106 vpngroup dh2remote default-domain dh2.co.uk vpngroup dh2remote idle-time 1800 vpngroup dh2remote password ******** telnet timeout 5 console timeout 0 dhcpd address 10.35.104.170-10.35.104.185 inside dhcpd dns 10.35.104.106 194.72.6.57 dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside dhcpd enable inside terminal width 80 : end

thanks

Alex

Reply to
Alex
Loading thread data ...

You need to add a split-tunnel list in your VPN group . This will tell the client what traffic to include in the tunnel. This way the traffic between the client address and your inside addresses will be encrypted and all other traffic will go through the client normal internet access. At this time everything goes through the tunnel and the PIX cannot reroute it on the net.

***First create a list for your inside-to-local pool traffic *** (since i don't remember if you have to specify the inside-localpool or the localpool-inside traffic in the list , you can put your whole inside subnet on both sides and it should work since the pool is part of it anyway) access-list dh2split permit ip 10.35.104.0 255.255.255.0 10.35.104.0 255.255.255.0

***Add the split-tunnel statement in your vpngroup*** vpngroup dh2remote split-tunnel dh2split

Reply to
mcaissie

hi, thats done the trick

thanks

Alex

Reply to
Alex

hi, thats done the trick

thanks

Alex

Reply to
Alex

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.