03-12-2007 02:53 AM - edited 03-11-2019 02:44 AM
Hello,
I have configured the client VPN on a PIX 515E and the users can connect successfully, but they don't get any internal access to any servers and also cannot browse the internet.
My config is as follows.
ip address outside 213.2.3.4 255.255.255.240
ip address inside 172.20.4.60 255.255.0.0
access-list nonat permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
ip local pool vpnclient 192.168.1.1-192.168.1.2
route inside 192.168.1.0 255.255.255.0 172.20.4.1 1
sysopt connection permit-ipsec
crypto ipsec transform-set vpn esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set vpn
crypto map transam 1 ipsec-isakmp
crypto map transam interface outside
isakmp nat-traversal 20
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup sec address-pool isnetvpn
vpngroup sec dns-server 172.20.1.10
vpngroup sec wins-server 172.20.1.10
vpngroup sec default-domain xyz.com
vpngroup sec split-tunnel 120
vpngroup sec idle-time 1800
vpngroup sec password ********
Any help would be great.
03-12-2007 05:06 AM
I think you need this:
nat (inside) 0 access-list nonat
access-list split permit ip 192.168.1.0 255.255.255.254 any
vpngroup sec split-tunnel split
David
03-12-2007 05:46 AM
Hello,
Actually I already have nat (inside) 0 access-list nonat.
I only forgot to paste it in the post. Secondly, I tried with
access-list split permit ip 192.168.1.0 255.255.255.254 any
vpngroup sec split-tunnel split
but no luck, still the same.
03-12-2007 06:14 AM
What's this route for? That would include your VPN pool.
route inside 192.168.1.0 255.255.255.0 172.20.4.1 1
And shouldn't the split ACL be
access-list split permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
03-12-2007 06:49 AM
The route is for the PIX to know that it's local to it. Actually it didn't work, so I removed it.
And yes, the split is as you have written, but still no luck...
access-list split-vpn permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
I cannot understand it: the connection works fine, and even on the PIX I see the tunnel is created and both phases are completed in syslog, but still I can't access anything inside once connected. It must be something I am missing.
Any help would be really appreciated.
03-12-2007 07:00 AM
Your VPN client pool name does not match what you have in your vpngroup:
ip local pool vpnclient 192.168.1.1-192.168.1.2
vpngroup sec address-pool isnetvpn
should be...
ip local pool isnetvpn 192.168.1.1-192.168.1.2
vpngroup sec address-pool isnetvpn
03-12-2007 07:29 AM
Hello,
Sorry, that was a typo while writing on the forum... that is what it should be. Both are the same.
03-12-2007 07:45 AM
Could you just post config then?
03-12-2007 09:53 PM
03-13-2007 05:45 AM
These are not correct... the source is wrong; it should be your inside network which you would like to cross the tunnel.
access-list nonat permit ip 1.2.3.4 255.255.0.0 192.168.1.0 255.255.255.0
access-list split-vpn permit ip 1.2.3.4 255.255.0.0 192.168.1.0 255.255.255.0
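The replies above each catch one of the classic PIX 6.x remote-access mistakes: the vpngroup pointing at an address pool that is not defined, a missing nat (inside) 0 statement, a nonat or split-tunnel ACL whose source is not the inside network, and an inside route that covers the VPN pool. As an added example that is not part of the original thread and not Cisco's own tooling, the script below lints a pasted PIX config for exactly those conditions. The two config texts are constructed from what the thread shows (the poster's original, and a version assembled from the replies' suggestions); the check wording and function names are assumptions of this example.

```python
"""Lint a PIX 6.x remote-access VPN config for the mistakes discussed in this thread.

Added example, not from the original post or from Cisco. The two config samples are
constructed from the thread; only the statements the thread turns on are parsed.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(tok, i):
    """Parse one ACL address term starting at tok[i]; return (network, tokens consumed)."""
    if tok[i] == "any":
        return ANY, 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), 2
    # PIX syntax is "address mask"; strict=False tolerates host bits in the address.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), 2


def parse_pix(text):
    """Extract pools, ACLs, nat 0, the inside network, routes and vpngroup attributes."""
    cfg = {"pools": {}, "acls": {}, "nat0": None, "inside": None, "routes": [], "vpngroup": {}}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
        elif tok[:3] == ["ip", "local", "pool"]:
            lo, hi = tok[4].split("-")
            cfg["pools"][tok[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            src, n = _net(tok, 4)
            dst, _ = _net(tok, 4 + n)
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg["nat0"] = tok[4]
        elif tok[0] == "route":
            cfg["routes"].append((tok[1], ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)))
        elif tok[0] == "vpngroup" and len(tok) >= 4:
            cfg["vpngroup"][tok[2]] = tok[3]   # e.g. address-pool, split-tunnel
    return cfg


def lint(text):
    """Return a list of human-readable findings; an empty list means the checks pass."""
    cfg = parse_pix(text)
    findings = []
    inside = cfg["inside"]
    pool_name = cfg["vpngroup"].get("address-pool")
    pool = cfg["pools"].get(pool_name)
    if pool is None:
        findings.append(f"address-pool '{pool_name}' is not defined (pools: {sorted(cfg['pools'])})")

    def check_acl(name, role):
        entries = cfg["acls"].get(name)
        if not entries:
            findings.append(f"{role} refers to access-list '{name}', which has no entries")
            return
        for src, dst in entries:
            # The source must be the inside network that should cross the tunnel.
            if inside is not None and not src.subnet_of(inside):
                findings.append(f"{role} ACL '{name}': source {src} is not inside network {inside}")
            # The destination must cover the whole client pool.
            if pool is not None and not (pool[0] in dst and pool[1] in dst):
                findings.append(f"{role} ACL '{name}': destination {dst} does not cover the VPN pool")

    if cfg["nat0"] is None:
        findings.append("no 'nat (inside) 0 access-list ...' statement: inside-to-pool traffic will be NATed")
    else:
        check_acl(cfg["nat0"], "nat 0")
    split = cfg["vpngroup"].get("split-tunnel")
    if split is not None:
        check_acl(split, "split-tunnel")
    # A static route for the pool via the inside next hop sends client replies the wrong way.
    for iface, net in cfg["routes"]:
        if iface == "inside" and any(lo in net for lo, _ in cfg["pools"].values()):
            findings.append(f"route inside {net} points the VPN pool at the inside next hop")
    return findings


# Constructed from the poster's config earlier in the thread.
ORIGINAL_CONFIG = """
ip address outside 213.2.3.4 255.255.255.240
ip address inside 172.20.4.60 255.255.0.0
access-list nonat permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
ip local pool vpnclient 192.168.1.1-192.168.1.2
route inside 192.168.1.0 255.255.255.0 172.20.4.1 1
vpngroup sec address-pool isnetvpn
vpngroup sec split-tunnel 120
"""

# Constructed from the fixes the replies suggest (matching pool name, nat 0, no pool route).
CORRECTED_CONFIG = """
ip address inside 172.20.4.60 255.255.0.0
access-list nonat permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list split-vpn permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool isnetvpn 192.168.1.1-192.168.1.2
vpngroup sec address-pool isnetvpn
vpngroup sec split-tunnel split-vpn
"""

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, lint(text) or "OK")
```

Run it on a full `show running-config` paste to get the same three answers the thread arrived at in one pass; the ACL source check is what would have flagged the 1.2.3.4-sourced entries in the last reply.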