vpn client but no internal or internet access

Unanswered Question
Mar 12th, 2007

hello,


I have configured the client VPN on a PIX 515E and the user can connect successfully, but they don't get any internal access to any servers and also cannot browse the internet.


My config is as follows.


ip address outside 213.2.3.4 255.255.255.240

ip address inside 172.20.4.60 255.255.0.0



access-list nonat permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0

access-list 120 permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0

ip local pool vpnclient 192.168.1.1-192.168.1.2


route inside 192.168.1.0 255.255.255.0 172.20.4.1 1


sysopt connection permit-ipsec

crypto ipsec transform-set vpn esp-aes-256 esp-sha-hmac

crypto dynamic-map dynmap 30 set transform-set vpn

crypto map transam 1 ipsec-isakmp

crypto map transam interface outside


isakmp nat-traversal 20


isakmp policy 30 authentication pre-share

isakmp policy 30 encryption aes-256

isakmp policy 30 hash sha

isakmp policy 30 group 2

isakmp policy 30 lifetime 86400

vpngroup sec address-pool isnetvpn

vpngroup sec dns-server 172.20.1.10

vpngroup sec wins-server 172.20.1.10

vpngroup sec default-domain xyz.com

vpngroup sec split-tunnel 120

vpngroup sec idle-time 1800

vpngroup sec password ********



Any help would be great.

daviddtran Mon, 03/12/2007 - 05:06

I think you need this:


nat (inside) 0 access-list nonat

access-list split permit ip 192.168.1.0 255.255.255.254 any

vpngroup sec split-tunnel split


David

zulqurnain Mon, 03/12/2007 - 05:46

hello,


Actually I already have nat (inside) 0 access-list nonat;

I only forgot to paste it in the post. Secondly, I tried with

access-list split permit ip 192.168.1.0 255.255.255.254 any

vpngroup sec split-tunnel split

but no luck, still the same.

acomiskey Mon, 03/12/2007 - 06:14

What's this route for? That would include your VPN pool.


route inside 192.168.1.0 255.255.255.0 172.20.4.1 1


And shouldn't the split ACL be


access-list split permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0

zulqurnain Mon, 03/12/2007 - 06:49

The route is for the PIX to know that it's local to it. Actually it didn't work, so I removed it.

And yes, the split is as what you have written, but still no luck..


access-list split-vpn permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0


I cannot understand it: the connection works fine, and even on the PIX I see the tunnel is created and both phases are completed in syslog.. still I can't access anything inside once connected. Must be something I am missing.

Any help would be really appreciated.

acomiskey Mon, 03/12/2007 - 07:00

Your VPN client pool name does not match what you have in your vpngroup:


ip local pool vpnclient 192.168.1.1-192.168.1.2

vpngroup sec address-pool isnetvpn


should be:


ip local pool isnetvpn 192.168.1.1-192.168.1.2

vpngroup sec address-pool isnetvpn

zulqurnain Mon, 03/12/2007 - 07:29

hello,


Sorry, that was a typo while writing on the forum... that is what it should be. Both are the same.

acomiskey Mon, 03/12/2007 - 07:45

Could you just post config then?

acomiskey Tue, 03/13/2007 - 05:45

These are not correct... the source is wrong; it should be your inside network which you would like to cross the tunnel.

access-list nonat permit ip 1.2.3.4 255.255.0.0 192.168.1.0 255.255.255.0

access-list split-vpn permit ip 1.2.3.4 255.255.0.0 192.168.1.0 255.255.255.0
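The checks raised across this thread (the pool name must match the vpngroup's address-pool, there must be no static route covering the pool, the nat 0 exemption must exist and reach the pool, and the split-tunnel ACL must be sourced from the inside network) can be scripted against a PIX 6.x configuration so the mismatch is caught before the user connects. The following is an added example, not code from the thread or from Cisco; it parses only the handful of command forms seen above, the two sample configurations are constructed copies of the first post's excerpt (as posted, and with the thread's corrections applied), and the finding codes are invented labels.

```python
"""Lint a PIX 6.x remote-access VPN configuration for the mismatches raised
in this thread.  Added example; the finding codes are invented labels."""
import ipaddress

# Constructed sample: the excerpt from the first post, which (as the poster
# later said) omits the 'nat (inside) 0 access-list nonat' line.
POSTED_CONFIG = """
ip address outside 213.2.3.4 255.255.255.240
ip address inside 172.20.4.60 255.255.0.0
access-list nonat permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
ip local pool vpnclient 192.168.1.1-192.168.1.2
route inside 192.168.1.0 255.255.255.0 172.20.4.1 1
sysopt connection permit-ipsec
vpngroup sec address-pool isnetvpn
vpngroup sec split-tunnel 120
"""

# Constructed sample with the thread's corrections applied: pool renamed to
# match the vpngroup, the route for the pool removed, nat 0 exemption present.
FIXED_CONFIG = """
ip address outside 213.2.3.4 255.255.255.240
ip address inside 172.20.4.60 255.255.0.0
access-list nonat permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool isnetvpn 192.168.1.1-192.168.1.2
sysopt connection permit-ipsec
vpngroup sec address-pool isnetvpn
vpngroup sec split-tunnel 120
"""


def _net(w, i):
    """Parse an ACL address field at w[i]; return (network, tokens consumed)."""
    if w[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if w[i] == "host":
        return ipaddress.ip_network(w[i + 1] + "/32"), 2
    return ipaddress.ip_network(f"{w[i]}/{w[i + 1]}", strict=False), 2


def parse_config(text):
    """Pull out only the command forms this thread discusses."""
    cfg = {"inside": None, "pools": {}, "acls": {}, "routes": [],
           "vpngroups": {}, "nat0": None, "sysopt": False}
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_network(f"{w[3]}/{w[4]}", strict=False)
        elif w[:3] == ["ip", "local", "pool"]:
            lo, hi = w[4].split("-")
            cfg["pools"][w[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            src, n = _net(w, 4)
            dst, _ = _net(w, 4 + n)
            cfg["acls"].setdefault(w[1], []).append((src, dst))
        elif w[0] == "route":
            cfg["routes"].append((w[1], ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False), w[4]))
        elif w[0] == "vpngroup":
            cfg["vpngroups"].setdefault(w[1], {})[w[2]] = w[3] if len(w) > 3 else None
        elif w[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg["nat0"] = w[4]
        elif w == ["sysopt", "connection", "permit-ipsec"]:
            cfg["sysopt"] = True
    return cfg


def _covers(entries, inside, pool_lo):
    """True if some ACL entry goes from the inside network to the pool."""
    return any(src.subnet_of(inside) and pool_lo in dst for src, dst in entries)


def lint(cfg):
    """Return (code, message) pairs for the problems discussed in the thread."""
    out = []
    inside = cfg["inside"]
    if not cfg["sysopt"]:
        out.append(("SYSOPT", "sysopt connection permit-ipsec is missing"))
    if cfg["nat0"] is None:
        out.append(("NAT0_MISSING", "no 'nat (inside) 0 access-list ...'; inside-to-pool traffic will be translated"))
    for pool, (lo, _hi) in cfg["pools"].items():
        for iface, net, nh in cfg["routes"]:
            if lo in net:
                out.append(("POOL_ROUTE", f"route {iface} {net} via {nh} covers pool {pool}; the PIX already owns those addresses"))
    for name, g in cfg["vpngroups"].items():
        pool = g.get("address-pool")
        if pool not in cfg["pools"]:
            out.append(("POOL_MISMATCH", f"vpngroup {name}: address-pool '{pool}' has no matching 'ip local pool'"))
            continue
        lo = cfg["pools"][pool][0]
        if inside is None:
            continue
        split = g.get("split-tunnel")
        if not _covers(cfg["acls"].get(split, []), inside, lo):
            out.append(("SPLIT_SOURCE", f"split-tunnel ACL '{split}' has no entry from {inside} to the pool; the source must be the inside network"))
        if cfg["nat0"] and not _covers(cfg["acls"].get(cfg["nat0"], []), inside, lo):
            out.append(("NAT0_SCOPE", f"nat 0 ACL '{cfg['nat0']}' has no entry from {inside} to the pool"))
    return out


def codes(text):
    """Convenience: the set of finding codes for a configuration text."""
    return {c for c, _ in lint(parse_config(text))}


if __name__ == "__main__":
    for title, text in (("as posted", POSTED_CONFIG), ("corrected", FIXED_CONFIG)):
        print(f"== {title} ==")
        for code, msg in lint(parse_config(text)) or [("OK", "no findings")]:
            print(f"{code}: {msg}")
```

Run against the posted excerpt it reports the pool-name mismatch, the static route that swallows the pool, and the missing nat 0 line; against the corrected copy it reports nothing. Feeding it the `192.168.1.0 255.255.255.254 any` split ACL suggested earlier in the thread produces a SPLIT_SOURCE finding, which is the point acomiskey made: the split-tunnel ACL is written from the PIX's perspective, inside network as source and pool as destination.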
