PIX Remote Access VPN with Cisco VPN Client

davidbornack
Level 1

I've set up a remote access VPN and everything seems to connect just fine, and I receive an IP address from the address pool; however, I cannot access ANY resources on the network. The only thing I can ping is myself.

Also, I'm not getting a default gateway on the VPN adapter once I connect to the VPN. A gateway shouldn't be needed, as I'm trying to access resources in the same subnet as the IP pool, but I should still be able to specify a gateway.

I've been reading on here that it assigns the lowest IP in the subnet of the IP pool, but can I specify a gateway instead?

Here is my relevant config:

ip local pool vpnpool 10.0.0.31-10.0.0.35 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route inside x.x.x.x 255.255.255.224 10.0.0.27 1
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set ErieSet esp-3des esp-md5-hmac
crypto ipsec transform-set Tunnel-Set-Info esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ITVPNset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set ErieSet
crypto dynamic-map ITVPNmap 10 set transform-set ITVPNset
crypto map ErieMap 10 ipsec-isakmp dynamic dynmap
crypto map ErieMap client configuration address respond
crypto map ErieMap client authentication RADIUS
crypto map Eriemap 10 ipsec-isakmp dynamic ITVPNmap
crypto map Eriemap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup WestTownVPN address-pool vpnpool
vpngroup WestTownVPN dns-server 10.0.1.100 10.0.0.4
vpngroup WestTownVPN wins-server 10.0.0.4
vpngroup WestTownVPN default-domain mydomain.com
vpngroup WestTownVPN split-tunnel UserVPN
vpngroup WestTownVPN idle-time 1800
vpngroup WestTownVPN password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80

2 Replies

rselmecz
Level 1

Hi,

What is in the UserVPN access-list?

This determines what should go through the tunnel from the client.

Also, what is the exact routing and NAT 0 config?

Is there any?

mfreijser
Level 1

You didn't exclude the traffic to the VPN Client from the NAT process. It is also a best practice to assign a different subnet for your VPN Clients rather than the same as your inside network.

You need to add the following commands to your configuration:

access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat

Please rate if the post helps!

Regards,

Michael
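The fix described in the reply above, written out as an added example (it is not from the original thread or from Cisco): a corrected PIX 6.x remote-access fragment in the same vpngroup syntax as the posted configuration. It combines the NAT exemption with the reply's other recommendation, a client pool on its own subnet. The pool 10.0.100.0/24 and the ACL names nonat and UserVPN are assumptions; substitute your own.

```cisco
! Added example, not the poster's configuration. Assumed values: the VPN
! client pool 10.0.100.0/24, the ACL names nonat and UserVPN, and the
! inside LAN 10.0.0.0/24 taken from the posted config.
!
! 1. Put VPN clients on their own subnet instead of carving addresses out of
!    the inside LAN. The PIX then installs routes for the pool itself, and
!    proxy-ARP issues on the inside segment disappear.
ip local pool vpnpool 10.0.100.1-10.0.100.50 mask 255.255.255.0
!
! 2. Exempt inside <-> client traffic from NAT. Without this, nat (inside) 1
!    translates replies to the client to the outside interface address, so
!    they never match the IPsec SA and never come back through the tunnel.
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.100.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! 3. Split-tunnel ACL: the source networks in this list are the only ones
!    pushed to the client as secured routes; all other client traffic stays
!    on the client's local Internet connection.
access-list UserVPN permit ip 10.0.0.0 255.255.255.0 10.0.100.0 255.255.255.0
vpngroup WestTownVPN address-pool vpnpool
vpngroup WestTownVPN split-tunnel UserVPN
!
! 4. Keep letting decrypted IPsec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
!
! 5. Existing translations are not re-evaluated against the new NAT 0 rule,
!    so clear them, then check that both SA phases are up and that the
!    "pkts encaps/decaps" counters increase when a client pings an inside host.
clear xlate
show isakmp sa
show crypto ipsec sa
```

A few checks that go with this. If the PIX is not the default gateway of the inside hosts, they need a route for 10.0.100.0/24 pointing at the PIX inside interface, or their replies go elsewhere. The posted configuration also refers to both ErieMap and Eriemap; PIX crypto map names are case-sensitive, so those are two different maps and only Eriemap is bound to the outside interface, which is worth confirming with show crypto map. Finally, ssh 0.0.0.0 0.0.0.0 outside permits SSH management from any Internet address; restricting it to known management sources is prudent.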
