
PIX Remote Access VPN with Cisco VPN Client

davidbornack (Level 1)

I've set up a remote access VPN and everything seems to connect just fine, and I receive an IP address from the address pool; however, I cannot access ANY resources on the network. The only thing I can ping is myself.

Also, I'm not getting a default gateway on the VPN adapter once I connect to the VPN. A gateway shouldn't be needed, as I'm trying to access resources in the same subnet as the IP pool, but I should still be able to specify a gateway.

I've been reading on here that it assigns the lowest IP in the subnet of the IP pool, but can I specify a gateway instead?

Here is my relevant config:

ip local pool vpnpool 10.0.0.31-10.0.0.35 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route inside x.x.x.x 255.255.255.224 10.0.0.27 1
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set ErieSet esp-3des esp-md5-hmac
crypto ipsec transform-set Tunnel-Set-Info esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ITVPNset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set ErieSet
crypto dynamic-map ITVPNmap 10 set transform-set ITVPNset
crypto map ErieMap 10 ipsec-isakmp dynamic dynmap
crypto map ErieMap client configuration address respond
crypto map ErieMap client authentication RADIUS
crypto map Eriemap 10 ipsec-isakmp dynamic ITVPNmap
crypto map Eriemap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup WestTownVPN address-pool vpnpool
vpngroup WestTownVPN dns-server 10.0.1.100 10.0.0.4
vpngroup WestTownVPN wins-server 10.0.0.4
vpngroup WestTownVPN default-domain mydomain.com
vpngroup WestTownVPN split-tunnel UserVPN
vpngroup WestTownVPN idle-time 1800
vpngroup WestTownVPN password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80

2 Replies

rselmecz (Level 1)

Hi,

What is in the UserVPN access-list?

This determines what should go through the tunnel from the client.

Also, what is the exact routing and NAT 0 config? Is there any?

mfreijser (Level 1)

You didn't exclude the traffic to the VPN Client from the NAT process. It is also a best practice to assign a different subnet for your VPN Clients rather than the same as your inside network.

You need to add the following commands to your configuration:

access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0

nat (inside) 0 access-list nonat

Please rate if the post helps!

Regards,

Michael
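The two replies above ask for the UserVPN split-tunnel access-list and point out the missing NAT exemption. The fragment below is an added example of a PIX 6.x remote-access configuration that puts both pieces together; it is not the configuration from the original post or from either reply. It assumes the inside interface sits on 10.0.0.0/24 (as the posted pool and nonat lines imply), moves the client pool to 10.0.3.0/24 (an assumed, otherwise unused subnet; pick any free range), and assumes an aaa-server group named RADIUS already exists for the XAUTH step. The posted config uses two crypto map names, ErieMap and Eriemap, and binds only Eriemap to the outside interface while the client-configuration and authentication lines sit on ErieMap; the example keeps a single name so those options apply to the map that is actually bound. The group password is a placeholder.

```cisco
: Added example PIX 6.x remote-access configuration (not from the original
: post). Assumed values: 10.0.3.0/24 client pool, an existing aaa-server
: group named RADIUS, and the placeholder group pre-shared key below.

: 1. Client address pool on its own subnet, outside the inside LAN range.
ip local pool vpnpool 10.0.3.1-10.0.3.50 mask 255.255.255.0

: 2. NAT exemption. LAN-to-client replies must bypass "nat (inside) 1";
:    otherwise they are translated to the outside address and never enter
:    the tunnel, which is exactly the "connected but can't reach anything"
:    symptom. nat 0 with an access-list is evaluated before nat 1.
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

: 3. Split tunnel. The same LAN-to-pool pair is pushed to the client as the
:    list of destinations to encrypt; everything else leaves the client
:    directly. Keep it as narrow as the users actually need.
access-list UserVPN permit ip 10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0

: 4. Decrypted IPsec traffic bypasses the outside interface ACL. With this
:    set, the split-tunnel ACL and inside-host policy are what limit what a
:    connected client can reach.
sysopt connection permit-ipsec

: 5. Phase 1 / Phase 2 parameters, mirroring the posted 3DES/MD5 choice.
:    The posted PIX also has an esp-aes-256 esp-sha-hmac transform set, so
:    AES/SHA can be substituted here if the clients support it.
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ErieSet esp-3des esp-md5-hmac

: 6. One dynamic map and ONE crypto map name. The client-configuration and
:    XAUTH lines must be on the map that is bound to the outside interface.
crypto dynamic-map dynmap 10 set transform-set ErieSet
crypto map ErieMap 10 ipsec-isakmp dynamic dynmap
crypto map ErieMap client configuration address respond
crypto map ErieMap client authentication RADIUS
crypto map ErieMap interface outside

: 7. Group policy pushed to the Cisco VPN Client (mode config).
vpngroup WestTownVPN address-pool vpnpool
vpngroup WestTownVPN dns-server 10.0.1.100 10.0.0.4
vpngroup WestTownVPN wins-server 10.0.0.4
vpngroup WestTownVPN default-domain mydomain.com
vpngroup WestTownVPN split-tunnel UserVPN
vpngroup WestTownVPN idle-time 1800
vpngroup WestTownVPN password <group-pre-shared-key>
```

Two checks after applying it. First, with a client connected, run show crypto ipsec sa and ping an inside host: if the SA's decaps counter rises but encaps stays at zero, the PIX is receiving the client's packets but the replies are not coming back into the tunnel, which points at the NAT exemption or at inside routing rather than at IKE. Second, because the pool is now a separate subnet, inside hosts whose default gateway is another router (the posted route inside line suggests one at 10.0.0.27) need a route for 10.0.3.0/24 pointing at the PIX inside address, or their replies will go to that router instead of the PIX. The missing default gateway on the client adapter is expected with split tunneling: the VPN Client installs routes only for the networks in the UserVPN list.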