Re: PIX 520 VPN problem
- From: roberson@xxxxxxxxxxxxxxxxxx (Walter Roberson)
- Date: Fri, 23 Sep 2005 18:01:28 +0000 (UTC)
In article <1127325043.194069.129790@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
CIB3RGUY <atiq80@xxxxxxxxx> wrote:
:I'm using a PIX 520 (running IOS 6.2(2)) as the VPN gateway. Then on
:the client side I'm using the Cisco VPN client ver 3.2.6.
:I can connect through the Cisco VPN client to the firewall fine.
:From the internal network (192.168.0.x), I can connect to the network
:that is coming in through the Cisco VPN client (192.168.200.x). But
:that computer connecting through the client (192.168.200.x) cannot see
:the internal network (192.168.0.x) but it can connect to the internet.
The only way that the VPN clients would be able to see the internet
is if split-tunneling was enabled. PIX 6.2 won't accept IPSec packets
on the outside interface and route them to the outside interface, so
the internet packet must not be hitting the PIX at all.
>access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
>access-list split-tunnel permit ip 192.168.200.0 255.255.255.0 any
>access-list split-tunnel permit ip 192.168.0.0 255.255.255.0 any
>ip address inside 192.168.0.1 255.255.255.0
>ip local pool ippool 192.168.200.10-192.168.200.50
:nat (inside) 0 access-list 101
:nat (inside) 1 0.0.0.0 0.0.0.0 0 0
:sysopt connection permit-ipsec
:crypto dynamic-map dynamic 10 set transform-set myset
:crypto map mymap 10 ipsec-isakmp dynamic dynamic
:crypto map mymap interface outside
:vpngroup vpnpix address-pool ippool
:vpngroup vpnpix dns-server 192.168.0.2 192.168.0.1
:vpngroup vpnpix wins-server 192.168.0.2
:vpngroup vpnpix default-domain pix520.com
:vpngroup vpnpix idle-time 1800
:vpngroup vpnpix password ********
I think your VPN clients must be connecting through the vpngroup
you have configured, rather than through the crypto dynamic map.
Otherwise, the address-pool ippool wouldn't have any effect.
Your vpngroup does not have a 'split-tunnel' statement, at least not
in what you posted, so your split-tunnel ACL isn't doing you any
good... but that also means, contrary to my earlier paragraph,
that your clients are -not- getting to the internet through
a split-tunnel. Perhaps the split-tunnel statement got chopped from
the posted configuration, or perhaps your clients are not actually
connecting through the VPN at all, or perhaps your clients have
done some tricky work to override the efforts that Cisco goes to
to ensure that routings are only possible as configured at the firewall.
>access-list split-tunnel permit ip 192.168.200.0 255.255.255.0 any
>access-list split-tunnel permit ip 192.168.0.0 255.255.255.0 any
If that split-tunnel ACL is being activated, then it is incorrect.
The split-tunnel ACL should be read in terms of packets going out of
the PIX towards the VPN client. As you have allocated 192.168.200/24
to those clients, then 192.168.200/24 should be the -destination-
in the ACL.
--
"No one has the right to destroy another person's belief by
demanding empirical evidence." -- Ann Landers
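As an added illustration (not part of either poster's message), the two points Walter raises can be shown side by side in PIX 6.x syntax: the posted split-tunnel ACL, which names the client pool as the source, next to a version that names the pool as the destination, plus the `vpngroup ... split-tunnel` statement that is missing from the posted configuration. The ACL names and the `show` commands used for checking are the ones already in the thread or standard PIX 6.x commands; the group name `vpnpix` and addresses are taken from the posted config, and the repeated `split-tunnel` ACL name is an assumption for the example.

```cisco
! --- As posted: pool 192.168.200/24 is the SOURCE, so, read as
! --- traffic leaving the PIX toward the client, it matches nothing useful.
access-list split-tunnel permit ip 192.168.200.0 255.255.255.0 any
access-list split-tunnel permit ip 192.168.0.0 255.255.255.0 any

! --- Corrected: the protected network is the source, the client pool is
! --- the DESTINATION. This is the same shape as the existing nat 0 ACL 101,
! --- so the split-tunnel list can simply mirror it.
no access-list split-tunnel
access-list split-tunnel permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0

! --- The statement the posted vpngroup lacks: without it the ACL above is
! --- never pushed to the client and no split tunnel is in effect.
vpngroup vpnpix split-tunnel split-tunnel

! --- Checks after a client reconnects (assumed verification steps):
! --- the negotiated proxy identities should show 192.168.0.0/24 on the
! --- PIX side and the client's pool address on the remote side.
show crypto ipsec sa
show vpngroup vpnpix
```

The split-tunnel list is the only thing that tells the client which destinations go through the tunnel; anything it does not match leaves the client in the clear, which is exactly why a list with `any` as the destination, or the pool on the wrong side, produces the confusing symptom of "can reach the internet, cannot reach the inside network" described in the thread.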