VPN traffic not going outside network

Answered Question
Nov 6th, 2007

I can connect to my VPN from home and access Exchange, network shares, etc. However, when I open up a web page or do anything that needs an outside IP, I can't get out. As soon as I disconnect the VPN client, web pages work great. Any suggestions?

Cisco PIX Firewall Version 6.3(3)

Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz

thanks in advance.....Mike


acomiskey Tue, 11/06/2007 - 12:46

Mike,

You will have to set up split tunneling on the pix.

access-list SPLIT-TUNNEL permit ip x.x.x.x y.y.y.y

vpngroup <group-name> split-tunnel SPLIT-TUNNEL

x.x.x.x = your network inside pix which you want to tunnel to.

y.y.y.y = your vpn client subnet

Doing this will allow you to vpn to the network inside the pix, but all other traffic will not be part of the vpn.

carbonscoring Wed, 11/07/2007 - 07:57

Hi, I think I already have these statements in my config:

access-list 101 permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0

vpngroup touavpn split-tunnel 101

These were taken from the startup-config

10.10.12.0 inside address and 10.10.15.0 our VPN address.

Another thing that I noticed when I was connected from home was:

ip address - 10.10.15.2

subnet mask - 255.0.0.0

default gateway - 10.10.15.2

seems to me that the default gateway shouldn't be the same as my IP address.

Our VPN worked fine. One of our engineers had moved this config file from another PIX. The old PIX was a 515E and this current one is a 515. We used the same config and everything has been OK with the exception of the VPN.

thanks - mike

acomiskey Wed, 11/07/2007 - 08:07

mike,

The ip addresses you noticed when connected from home are normal.

Do you want to post a sanitized config?

Correct Answer
acomiskey Wed, 11/07/2007 - 09:16

I would try using a different acl for your split tunnel, it's always good practice to separate your acls.

vpngroup touavpn split-tunnel 102

access-list 102 permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0

access-list 102 permit ip 10.10.11.0 255.255.255.0 10.10.15.0 255.255.255.0

access-list 102 permit ip 10.10.101.0 255.255.255.0 10.10.15.0 255.255.255.0

access-list 102 permit ip 10.10.14.0 255.255.255.0 10.10.15.0 255.255.255.0

I would also get rid of this as you don't need it...

no access-list 101 permit ip 10.10.15.0 255.255.255.0 10.10.12.0 255.255.255.0
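The accepted answer boils down to three checks on the split-tunnel ACL: it must exist, every entry must be written inside-network -> VPN pool (the reversed 10.10.15.0 -> 10.10.12.0 line is the one being removed), and it should not be shared with anything else such as `nat (inside) 0` or a crypto map. The script below is an added example, not code from this thread or from Cisco: a small parser for the `access-list` and `vpngroup` lines of a PIX 6.3 config that applies those checks. The two config snippets in it are constructed for the example, modelled on the addresses in the thread; the `nat (inside) 0 access-list 101` line is an assumption about why ACL 101 was shared, and the inside networks and pool are taken from the accepted answer.

```python
"""Check a PIX 6.x split-tunnel ACL for the mistakes discussed in this thread.

Added example (not from the original post or from Cisco): parses the
``access-list`` / ``vpngroup`` lines of a PIX 6.3 config and checks the ACL
named in ``vpngroup <group> split-tunnel <acl>`` for three things:

  * the ACL actually exists;
  * every entry is inside-network -> VPN pool (a reversed pool -> inside
    entry is the one the accepted answer removes);
  * the ACL is not also referenced elsewhere (nat 0, crypto map), since the
    accepted answer recommends a dedicated ACL for split tunnelling.
"""
import ipaddress
import re
from typing import List

ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)
SPLIT_RE = re.compile(r"^vpngroup\s+(\S+)\s+split-tunnel\s+(\S+)\s*$")


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    # PIX 6.x ACLs use ordinary subnet masks, not IOS-style wildcard masks.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_split_tunnel(config: str, group: str, inside: List[str], vpn_pool: str) -> List[str]:
    """Return a list of findings; an empty list means the split-tunnel ACL looks right."""
    inside_nets = [ipaddress.ip_network(n) for n in inside]
    pool = ipaddress.ip_network(vpn_pool)
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    # Which ACL does this vpngroup use for split tunnelling?
    acl_name = None
    for line in lines:
        m = SPLIT_RE.match(line)
        if m and m.group(1) == group:
            acl_name = m.group(2)
    if acl_name is None:
        return [f"vpngroup {group} has no split-tunnel ACL configured (full tunnel)"]

    findings: List[str] = []
    entries = 0
    for line in lines:
        m = ACE_RE.match(line)
        if not m or m.group(1) != acl_name:
            continue
        entries += 1
        src = _net(m.group(2), m.group(3))
        dst = _net(m.group(4), m.group(5))
        if src == pool:
            findings.append(f"reversed entry (pool as source): {line}")
        elif dst != pool:
            findings.append(f"destination is not the VPN pool: {line}")
        elif src not in inside_nets:
            findings.append(f"source is not a known inside network: {line}")
    if entries == 0:
        findings.append(f"split-tunnel ACL {acl_name} is referenced but never defined")

    # Any other command that names the same ACL (nat 0, crypto map match address, ...)
    for line in lines:
        if line.startswith(("access-list", "no ")) or SPLIT_RE.match(line):
            continue
        if re.search(rf"\baccess-list\s+{re.escape(acl_name)}\b", line):
            findings.append(f"split-tunnel ACL {acl_name} is shared with: {line}")
    return findings


# Constructed sample configs (not Mike's real config): the shape of the
# problem before the fix, and the layout the accepted answer recommends.
BEFORE = """
access-list 101 permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list 101 permit ip 10.10.15.0 255.255.255.0 10.10.12.0 255.255.255.0
nat (inside) 0 access-list 101
vpngroup touavpn split-tunnel 101
"""
AFTER = """
access-list 101 permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0
nat (inside) 0 access-list 101
access-list 102 permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list 102 permit ip 10.10.11.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list 102 permit ip 10.10.101.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list 102 permit ip 10.10.14.0 255.255.255.0 10.10.15.0 255.255.255.0
vpngroup touavpn split-tunnel 102
"""
INSIDE = ["10.10.12.0/24", "10.10.11.0/24", "10.10.101.0/24", "10.10.14.0/24"]
POOL = "10.10.15.0/24"

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label} ==")
        for finding in check_split_tunnel(cfg, "touavpn", INSIDE, POOL) or ["ok"]:
            print("  ", finding)
```

Run it against a sanitized `show run` and the `vpngroup` name in question. The security trade-off is worth keeping in mind: with split tunnelling the client's internet traffic leaves its home connection directly, so it is no longer inspected by the PIX or any proxy behind it, while the same host still has a tunnel into the inside network. The alternative of keeping a full tunnel and sending client internet traffic back out the outside interface is not something PIX 6.3 can do, since it does not allow traffic to enter and leave the same interface; that capability arrived with the 7.x train.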

carbonscoring Wed, 11/07/2007 - 20:21

Added ACLs as recommended and changed the split tunnel to 102 as recommended. Works great.

appreciate the help!

Mike
