vpn client but no internal or internet access

zulqurnain
Level 3

Hello,

I have configured the client VPN on a PIX 515E and the user can connect successfully, but they don't get any internal access to any servers and also cannot browse the internet.

My config is as follows.

ip address outside 213.2.3.4 255.255.255.240
ip address inside 172.20.4.60 255.255.0.0
access-list nonat permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
ip local pool vpnclient 192.168.1.1-192.168.1.2
route inside 192.168.1.0 255.255.255.0 172.20.4.1 1
sysopt connection permit-ipsec
crypto ipsec transform-set vpn esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set vpn
crypto map transam 1 ipsec-isakmp
crypto map transam interface outside
isakmp nat-traversal 20
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup sec address-pool isnetvpn
vpngroup sec dns-server 172.20.1.10
vpngroup sec wins-server 172.20.1.10
vpngroup sec default-domain xyz.com
vpngroup sec split-tunnel 120
vpngroup sec idle-time 1800
vpngroup sec password ********

Any help would be great.

9 Replies

daviddtran
Level 1

I think you need this:

nat (inside) 0 access-list nonat
access-list split permit ip 192.168.1.0 255.255.255.254 any
vpngroup sec split-tunnel split

David

Hello,

Actually, I already have nat (inside) 0 access-list nonat; I only forgot to paste it in the post. Secondly, I tried with

access-list split permit ip 192.168.1.0 255.255.255.254 any
vpngroup sec split-tunnel split

but no luck, still the same.

What's this route for? That would include your VPN pool.

route inside 192.168.1.0 255.255.255.0 172.20.4.1 1

And shouldn't the split ACL be

access-list split permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0

The route is for the PIX to know that it's local to it. Actually it didn't work, so I removed it.

And yes, the split ACL is as you have written, but still no luck:

access-list split-vpn permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0

I cannot understand it: the connection works fine and even on the PIX I see the tunnel is created and both phases are completed in syslog, but still I can't access anything inside once connected. There must be something I am missing.

Any help would be really appreciated.

Your VPN client pool name does not match what you have in your vpngroup:

ip local pool vpnclient 192.168.1.1-192.168.1.2
vpngroup sec address-pool isnetvpn

should be

ip local pool isnetvpn 192.168.1.1-192.168.1.2
vpngroup sec address-pool isnetvpn

Hello,

Sorry, that was a typo made while writing on the forum; that is what it should be. Both are the same.

Could you just post the config then?

Hello,

The config is attached.

These are not correct: the source is wrong. It should be your inside network that you would like to cross the tunnel.

access-list nonat permit ip 1.2.3.4 255.255.0.0 192.168.1.0 255.255.255.0
access-list split-vpn permit ip 1.2.3.4 255.255.0.0 192.168.1.0 255.255.255.0
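The replies above come down to a short list of things to verify on a PIX 6.x vpngroup setup: the pool named in `vpngroup <group> address-pool` actually exists, there is a `nat (inside) 0 access-list` exemption whose ACL permits inside network -> pool, the split-tunnel ACL is written from the inside network to the pool rather than the other way round, and there is no `route inside` pointing the pool back at the LAN gateway. The checker below is an added example, not the poster's config and not a Cisco tool; it runs those checks over two configs constructed from the lines quoted in the thread (not the attached config). Its line parsing is a simplified model of the PIX 6.x syntax and is an assumption; it is not a full config parser.

```python
"""Sanity checks for a PIX 6.x vpngroup remote-access config (added example, not a
Cisco tool; the line parsing is a simplified model of PIX 6.x syntax, an assumption)."""
import ipaddress


def _addr(t, i):
    """Consume one ACL address spec at t[i] ('any' or 'addr mask'); return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse(cfg):
    """Pick out the commands the checks need; every other line is ignored."""
    d = {"pools": {}, "acls": {}, "groups": {}, "nat0": None, "inside": None, "routes": []}
    for raw in cfg.splitlines():
        t = raw.split()
        if t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            d["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, i = _addr(t, 4)
            d["acls"].setdefault(t[1], []).append((src, _addr(t, i)[0]))
        elif t[:3] == ["ip", "address", "inside"]:
            d["inside"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)  # host bits dropped
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            d["nat0"] = t[4]
        elif t[:1] == ["vpngroup"] and t[2] in ("address-pool", "split-tunnel"):
            d["groups"].setdefault(t[1], {})[t[2]] = t[3]
        elif t[:2] == ["route", "inside"]:
            d["routes"].append(ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False))
    return d


def check(cfg):
    """Return a list of findings; an empty list means the config passes these checks."""
    d = parse(cfg)
    inside = d["inside"]
    if inside is None:
        return ["no 'ip address inside' line found"]
    findings = []

    def covers(entries, lo, hi):
        # An entry covers the tunnel when its source includes the inside network and its
        # destination includes the whole pool (a CIDR block is contiguous, so holding both
        # ends of the range means holding every address in it).
        return any(inside.subnet_of(src) and lo in dst and hi in dst for src, dst in entries)

    for group, attrs in d["groups"].items():
        pool = attrs.get("address-pool")
        if pool not in d["pools"]:
            findings.append(f"vpngroup {group}: address-pool '{pool}' has no matching 'ip local pool'")
            continue
        lo, hi = d["pools"][pool]
        # 1. Without a nat 0 exemption the PIX translates replies bound for the pool.
        if d["nat0"] is None:
            findings.append(f"vpngroup {group}: no 'nat (inside) 0 access-list' exemption for pool {pool}")
        elif not covers(d["acls"].get(d["nat0"], []), lo, hi):
            findings.append(f"vpngroup {group}: nat 0 ACL '{d['nat0']}' does not permit {inside} -> {lo}-{hi}")
        # 2. Split-tunnel ACL: source = inside network, destination = pool.
        split = attrs.get("split-tunnel")
        if split is not None:
            entries = d["acls"].get(split, [])
            if not entries:
                findings.append(f"vpngroup {group}: split-tunnel ACL '{split}' is not defined")
            elif any(lo in src for src, _ in entries):
                findings.append(f"vpngroup {group}: split-tunnel ACL '{split}' uses the VPN pool as source; it must be the inside network")
            elif not covers(entries, lo, hi):
                findings.append(f"vpngroup {group}: split-tunnel ACL '{split}' does not permit {inside} -> {lo}-{hi}")
        # 3. The PIX owns the pool; a 'route inside' for it sends replies back to the LAN gateway.
        for r in d["routes"]:
            if lo in r:
                findings.append(f"vpngroup {group}: 'route inside {r}' covers pool {pool}; remove it")
    return findings


# Constructed samples built from the lines quoted in the thread (not the attached config).
AS_POSTED = """\
ip address inside 172.20.4.60 255.255.0.0
access-list nonat permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list split permit ip 192.168.1.0 255.255.255.254 any
ip local pool isnetvpn 192.168.1.1-192.168.1.2
route inside 192.168.1.0 255.255.255.0 172.20.4.1 1
vpngroup sec address-pool isnetvpn
vpngroup sec split-tunnel split
"""

FIXED = """\
ip address inside 172.20.4.60 255.255.0.0
access-list nonat permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list split-vpn permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool isnetvpn 192.168.1.1-192.168.1.2
vpngroup sec address-pool isnetvpn
vpngroup sec split-tunnel split-vpn
"""

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(f"{name}: {check(cfg) or ['ok']}")
```

Run against the "as posted" sample it reports the missing nat 0 exemption, the split ACL with the pool as source, and the `route inside` that swallows the pool; the "fixed" sample comes back clean. Renaming the pool in the sample reproduces the pool-name mismatch pointed out above as a single finding. The checks are deliberately limited to what this thread raises; a tunnel that negotiates both phases but passes no traffic is almost always one of these three on a PIX.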
