PIX Remote Access VPN with Cisco VPN Client

Mar 26th, 2007

I've set up a remote access VPN and everything seems to connect just fine, and I receive an IP address from the address pool; however, I cannot access ANY resources on the network. The only thing I can ping is myself.


Also, I'm not getting a default gateway on the VPN adapter once I connect to the VPN. A gateway shouldn't be needed, as I'm trying to access resources in the same subnet as the IP pool, but I should still be able to specify a gateway.


I've been reading on here that it assigns the lowest IP in the subnet of the IP pool, but can I specify a gateway instead?


Here is my relevant config:


ip local pool vpnpool 10.0.0.31-10.0.0.35 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route inside x.x.x.x 255.255.255.224 10.0.0.27 1
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set ErieSet esp-3des esp-md5-hmac
crypto ipsec transform-set Tunnel-Set-Info esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ITVPNset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set ErieSet
crypto dynamic-map ITVPNmap 10 set transform-set ITVPNset
crypto map ErieMap 10 ipsec-isakmp dynamic dynmap
crypto map ErieMap client configuration address respond
crypto map ErieMap client authentication RADIUS
crypto map Eriemap 10 ipsec-isakmp dynamic ITVPNmap
crypto map Eriemap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup WestTownVPN address-pool vpnpool
vpngroup WestTownVPN dns-server 10.0.1.100 10.0.0.4
vpngroup WestTownVPN wins-server 10.0.0.4
vpngroup WestTownVPN default-domain mydomain.com
vpngroup WestTownVPN split-tunnel UserVPN
vpngroup WestTownVPN idle-time 1800
vpngroup WestTownVPN password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80


rselmecz Tue, 03/27/2007 - 00:49

Hi,


What is in the UserVPN access-list?

This determines what should go through the tunnel from the client.

Also what is the exact routing and NAT 0 config?

Is there any ?


mfreijser Tue, 03/27/2007 - 03:51

You didn't exclude the traffic to the VPN Client from the NAT process. It is also a best practice to assign a different subnet for your VPN Clients rather than the same as your inside network.


You need to add the following commands to your configuration:


access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat


Please rate if the post helps!


Regards,


Michael
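An added check, not part of the thread, that parses the pool and NAT lines of a PIX config and reports whether VPN-pool traffic is still caught by a non-zero nat rule with no nat 0 exemption, which is the condition the reply above diagnoses. The two config strings are constructed from the thread's own lines; the ACL and pool names (nonat, vpnpool) are the ones used in the thread.

```python
import ipaddress
import re

# Constructed sample: the poster's relevant PIX lines. The pool sits inside the
# 10.0.0.0/24 inside network, all inside hosts are NATed by nat (inside) 1, and
# there is no nat 0 exemption for traffic heading to the pool.
BROKEN_CONFIG = """
ip local pool vpnpool 10.0.0.31-10.0.0.35 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# Same config with the two lines from the reply appended.
FIXED_CONFIG = BROKEN_CONFIG + """
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (?:access-list (\S+)|(\S+) (\S+))", re.M)

def pool_hosts(cfg):
    """Every address handed out by every 'ip local pool' line, as IPv4Address objects."""
    hosts = []
    for _name, first, last in POOL_RE.findall(cfg):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        hosts += [ipaddress.IPv4Address(a) for a in range(lo, hi + 1)]
    return hosts

def exempt_acl_entries(cfg, iface):
    """(src, dst) networks of each 'permit ip' entry in an ACL referenced by nat (iface) 0."""
    exempt = {acl for i, n, acl, _s, _m in NAT_RE.findall(cfg) if i == iface and n == "0" and acl}
    return [(ipaddress.IPv4Network(f"{s}/{sm}", strict=False),
             ipaddress.IPv4Network(f"{d}/{dm}", strict=False))
            for name, s, sm, d, dm in ACL_RE.findall(cfg) if name in exempt]

def nat_covers_pool(cfg, iface="inside"):
    """True when nat (iface) N>0 is configured and at least one pool address is not
    covered by the destination of any nat 0 exemption entry on that interface."""
    has_nat = any(i == iface and n != "0" and s for i, n, _acl, s, _m in NAT_RE.findall(cfg))
    if not has_nat:
        return False
    exempt = exempt_acl_entries(cfg, iface)
    return any(not any(host in dst for _src, dst in exempt) for host in pool_hosts(cfg))

if __name__ == "__main__":
    print("broken config leaks pool traffic into NAT:", nat_covers_pool(BROKEN_CONFIG))
    print("fixed config leaks pool traffic into NAT: ", nat_covers_pool(FIXED_CONFIG))
```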


