Re: no internet when connected to pix with vpn client
- From: "www.BradReese.Com" <Reese@xxxxxxxxxxxxx>
- Date: 20 Aug 2006 16:21:03 -0700
Take a look at this Configuring Cisco Secure PIX and VPN Client Doc:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml
The only command you need to add that is not in the document is:
isakmp nat-traversal
Perhaps you can post the config?
If you have a split tunneling problem: the idea of split tunneling is that
you use an ACL to define what should go down the VPN; everything else goes
onto the internet unencrypted.
So using "permit ip any any" as the split tunnel ACL rather defeats the
point of it.
The more usual form is "permit ip [vpn_user_subnet] [office_subnets]".
Those that can help you can't be sure without seeing the CLI config.
With a nat-traversal problem a user can connect and send traffic down the
tunnel, but gets nothing back because the PIX drops it when the user's peer
IP does not match the IP in the packet header.
------------------------
How to Configure the Cisco VPN Client to PIX with AES:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml
Configuring VPN Client:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800948b8.shtml#config-vpn
------------------------
Sample configuration for Remote VPN Access on a PIX:
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp identity address
isakmp nat-traversal 20
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
ip local pool ippool 10.1.1.11-10.1.1.21
vpngroup vpnclient address-pool ippool
vpngroup vpnclient idle-time 1800
vpngroup vpnclient dns-server 139.130.4.4
vpngroup vpnclient password cisco456
vpngroup vpnclient split-tunnel 120
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map remote_vpn 20 ipsec-isakmp dynamic dynmap
username cisco password cisco123
aaa-server LOCAL protocol local
crypto map remote_vpn client authentication LOCAL
crypto map remote_vpn client configuration address initiate
crypto map remote_vpn client configuration address respond
crypto map remote_vpn interface outside
Regarding the VPN Client, simply install it by following the on-screen
instructions, then click "New":
"Connection Entry": a name for your reference
"Host": public IP of the PIX 501
"Name": vpnclient
"Password": cisco456
To initiate a tunnel, double-click the entry you just created.
It will then prompt you for the individual username and password (they are
cisco and cisco123).
------------------------
Sincerely,
Brad Reese
Cisco Product Quick Reference Guides, CPQRG
http://www.bradreese.com/refurbished-cisco-product-guide.htm
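A small checker for the three pitfalls discussed in this thread (a missing or "any any" split-tunnel ACL, a missing nat 0 exemption, and no NAT traversal), written as an added example for this page; it is not Cisco's tooling or the poster's own code. It assumes PIX 6.x-style syntax for the handful of lines it reads (access-list, nat 0, isakmp nat-traversal, ip local pool, vpngroup split-tunnel) and ignores everything else. The embedded configuration is a constructed sample reusing the addresses from the posted config.

```python
"""Lint a PIX 6.x remote-access VPN configuration for the problems discussed
in the thread. Added example, not the poster's or Cisco's tooling."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines of the posted configuration.
SAMPLE_CONFIG = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
isakmp nat-traversal 20
ip local pool ippool 10.1.1.11-10.1.1.21
vpngroup vpnclient address-pool ippool
vpngroup vpnclient split-tunnel 120
"""


@dataclass
class Ace:
    action: str
    protocol: str
    src: ipaddress.IPv4Network  # on a split-tunnel ACL: network reached via the tunnel
    dst: ipaddress.IPv4Network  # on a split-tunnel ACL: the client address pool


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # (address, netmask) tuple form: '192.168.1.0 255.255.255.0' -> 192.168.1.0/24
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1])), i + 2


def parse_acls(config):
    """Return {acl_id: [Ace, ...]} for every extended-IP access-list line."""
    acls = {}
    for m in re.finditer(r"^access-list (\S+) (permit|deny) (\S+) (.+)$", config, re.M):
        acl_id, action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _parse_addr(tokens, 0)
        dst, _ = _parse_addr(tokens, i)
        acls.setdefault(acl_id, []).append(Ace(action, proto, src, dst))
    return acls


def _first(pattern, config):
    m = re.search(pattern, config, re.M)
    return m.group(1) if m else None


def is_tunneled(aces, dest_ip):
    """Would a client with this split-tunnel ACL send traffic for dest_ip down the tunnel?"""
    addr = ipaddress.IPv4Address(dest_ip)
    return any(a.action == "permit" and addr in a.src for a in aces)


def lint(config):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    acls = parse_acls(config)

    if not re.search(r"^isakmp nat-traversal", config, re.M):
        findings.append("no 'isakmp nat-traversal': a client behind NAT can send but gets nothing back")

    nat0 = _first(r"^nat \(inside\) 0 access-list (\S+)", config)
    if nat0 is None or nat0 not in acls:
        findings.append("no usable 'nat (inside) 0 access-list': return traffic to the pool will be translated")

    split_id = _first(r"^vpngroup \S+ split-tunnel (\S+)", config)
    if split_id is None:
        findings.append("no split-tunnel ACL: all client traffic, internet included, is forced into the tunnel")
        return findings
    aces = acls.get(split_id, [])
    if not aces:
        findings.append(f"split-tunnel references access-list {split_id}, which is not defined")
        return findings
    if any(a.action == "permit" and a.src.prefixlen == 0 for a in aces):
        findings.append(f"access-list {split_id} permits 'any' as the protected network: "
                        "that is full tunneling, not split tunneling")

    # Every pool address should be covered by the destination side of the split ACL.
    pool = re.search(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M)
    if pool:
        for ip in pool.groups():
            if not any(ipaddress.IPv4Address(ip) in a.dst for a in aces):
                findings.append(f"pool address {ip} is not covered by access-list {split_id}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the posted configuration it reports nothing; replace access-list 120 with "permit ip any any" and it flags the full-tunnel misconfiguration, and is_tunneled() shows that every destination, internet included, would then be sent down the tunnel.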