vpn client conects but cannot access internal network

Unanswered Question
Mar 13th, 2007

hello,

i have configured the client vpn on pix 515E and the user can connect successfully but they don't get any internal access to any servers also cannot browse internet.

my config is attached

Attachment: 
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Kamal Malhotra Tue, 03/13/2007 - 06:15

Hi,

The access-list acl_inside does not have traffic permitted from inside to the pool range. Please get that corrected. As far as Internet access is concerned,we'll have to further look into it.

HTH,

Please rate if it helps,

Regards,

Kamal

zulqurnain Tue, 03/13/2007 - 22:07

hello kamal,

i tried by allowing even everything on the acl_inside yet same results.

oabduo983 Tue, 03/13/2007 - 11:27

Hi,

Make sure you have a route inside statment to the place where you want to reach. Also make sure you are connecting to the VPN without going through a NAT device (use NAT-Transparent feature to fix this problem, but before that see what happens if you connect to it throu a dialup connection as you will be getting into it without translation)...

Please rate if this helps

Osama Abduo

acomiskey Tue, 03/13/2007 - 11:43

these are not correct...the source is wrong, should be your inside network which you would like to cross the tunnel.

access-list nonat permit ip 1.2.3.4255.255.0.0 192.168.1.0 255.255.255.0

access-list split-vpn permit ip 1.2.3.4255.255.0.0 192.168.1.0 255.255.255.0

zulqurnain Tue, 03/13/2007 - 22:16

hello,

you mean it should be like

access-list nonat permit ip 192.168.1.0 255.255.255.0 1.2.3.4 255.255.0.0

acomiskey Wed, 03/14/2007 - 05:50

You want vpn clients to access inside servers. So you need to specify the correct nat exemption. You can do this by host or by subnet.

access-list nonat permit ip 192.168.1.0 255.255.255.252

or

access-list nonat permit ip host 192.168.1.0 255.255.255.252

zulqurnain Wed, 03/14/2007 - 14:32

hello,

with respect, if you look at my config this is what i had done

access-list nonat permit ip 1.2.3.4 255.255.0.0 192.168.1.0 255.255.255.0

so what's wrong now?

acomiskey Wed, 03/14/2007 - 15:22

Well, the source looked wrong, the mask doesn't match. Do you want 1.2.0.0 255.255.0.0 or do you want a single host, 1.2.3.4 255.255.255.255 ?

zulqurnain Wed, 03/14/2007 - 22:07

well it would be good if i allow the subnet 1.2.0.0 instead of single host.

i am running out of options here so please everyone, i need help.

zulqurnain Thu, 03/15/2007 - 01:31

when ever i connect vpn client i am receving this message on my syslog

# Generated by SysLog Monitor

# Version 8.0.19

# 3/15/2007 11:19:14 AM

#

# Syslog Monitor

Date/Time Hostname Priority Message

"3/15/2007 11:10" 1.2.4.230 Info "Jan 03 1993 23:27:43: %PIX-6-110001: No route to 192.168.1.255 from 192.168.1.1 "

"3/15/2007 11:10" 1.2.4.230 Info "Jan 03 1993 23:27:32: %PIX-6-110001: No route to 192.168.1.255 from 192.168.1.1 "

"3/15/2007 11:10" 1.2.4.230 Info "Jan 03 1993 23:27:22: %PIX-6-110001: No route to < outside gateway IP for PIX> from 192.168.1.1 "

even though i have added the route 192.168.1.0 255.255.255.255

also i read in one of the documents that it all has to do with the way the PIX processes traffic (i.e. it's order of operation). The most important thing to remember about the PIX is that one of the first things it attempts to do is NAT, even before it looks at the routing table. This message will typically appear if the PIX has a descrepancy between the NAT table and the routing table.

meaning configuration output has missing information about your NAT translations (globals, nats, statics). This is most likely the section of the configuration where the problems are. Yes, even though the logs say it's a routing problem, it's not. It is NAT.

so help would be really great

acomiskey Thu, 03/15/2007 - 06:12

My point is, you have this

1.2.3.4 255.255.0.0

It doesn't make sense and I'm surprised the pix even took it. The mask does not match! Not sure on your routing errors though. What is 192.168.1.1, your client ip?

zulqurnain Thu, 03/15/2007 - 06:32

yes its my client ip and as for 1.2.3.4 255.255.0.0 , let me tell you with respect that i changed my ip's as i was posting them to public.

acomiskey Thu, 03/15/2007 - 06:42

Ok, no harm done. So you do have something like 1.2.0.0 255.255.0.0

zulqurnain Fri, 03/16/2007 - 11:08

hello,

okay lets just imagine i have 1.2.0.0 255.255.0.0 in my network hope this will help you understnad my config more clarly

acomiskey Fri, 03/16/2007 - 11:17

If 192.168.1.0 is your vpn client subnet, you should not have route 192.168.1.0 255.255.255.255 , as you have stated you entered above.

oh, and not to be picky, but it's much harder to troubleshoot when you don't have all the right info. The mask doesn't match for this either 192.168.1.0 255.255.255.255.

Actions

This Discussion