VPN traffic not going outside Network

Answered Question
Nov 6th, 2007

I can connect to my VPN from home and access Exchange, network shares, etc. However, when I open up a webpage or do anything that needs an outside IP I can't get out. As soon as I disconnect the VPN client, web pages work great. Any suggestions?


Cisco PIX Firewall Version 6.3(3)

Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz


thanks in advance.....Mike





acomiskey Tue, 11/06/2007 - 12:46

Mike,


You will have to set up split tunneling on the pix.


access-list SPLIT-TUNNEL permit ip x.x.x.x y.y.y.y

vpngroup split-tunnel SPLIT-TUNNEL


x.x.x.x = your network inside pix which you want to tunnel to.

y.y.y.y = your vpn client subnet


Doing this will allow you to vpn to the network inside the pix, but all other traffic will not be part of the vpn.


carbonscoring Wed, 11/07/2007 - 07:57

Hi, I think I already have these statements in my config:


access-list 101 permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0


vpngroup touavpn split-tunnel 101


These were taken from the startup-config

10.10.12.0 inside address and 10.10.15.0 our VPN address.


Another thing that I noticed when I was connected from home was:

ip address - 10.10.15.2

subnet mask - 255.0.0.0

default gateway - 10.10.15.2


Seems to me that the default gateway shouldn't be the same as my IP address.


Our VPN worked fine. One of our engineers had moved this config file from another PIX. The old PIX was a 515E and this current one is a 515. We used the same config and everything has been OK with the exception of VPN.


thanks - mike

acomiskey Wed, 11/07/2007 - 08:07

mike,


The ip addresses you noticed when connected from home are normal.


Do you want to post a sanitized config?

Correct Answer
acomiskey Wed, 11/07/2007 - 09:16

I would try using a different acl for your split tunnel, it's always good practice to separate your acls.


vpngroup touavpn split-tunnel 102


access-list 102 permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0

access-list 102 permit ip 10.10.11.0 255.255.255.0 10.10.15.0 255.255.255.0

access-list 102 permit ip 10.10.101.0 255.255.255.0 10.10.15.0 255.255.255.0

access-list 102 permit ip 10.10.14.0 255.255.255.0 10.10.15.0 255.255.255.0


I would also get rid of this as you don't need it...


no access-list 101 permit ip 10.10.15.0 255.255.255.0 10.10.12.0 255.255.255.0
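To make the split-tunnel behaviour described in acomiskey's two replies concrete (the ACL source is the inside network, the destination is the client pool, and only matching destinations enter the tunnel), here is an added Python model of how a client would route packets under ACL 102, and a check that flags the reversed ACL 101 line the answer says to remove. This is example code written for this thread, not a Cisco tool; the config text is constructed from the lines posted above, and the public test address 198.51.100.10 is an assumption.

```python
import ipaddress

# Constructed input: the split-tunnel ACL posted in the thread, plus the reversed
# entry from ACL 101 that the accepted answer says to remove (PIX 6.3 netmask syntax).
PIX_CONFIG = """
access-list 101 permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list 101 permit ip 10.10.15.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list 102 permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list 102 permit ip 10.10.11.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list 102 permit ip 10.10.101.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list 102 permit ip 10.10.14.0 255.255.255.0 10.10.15.0 255.255.255.0
"""

def parse_split_tunnel_acl(config, acl_id):
    """Return (inside_network, client_network) pairs from 'permit ip' lines of one ACL."""
    entries = []
    for line in config.splitlines():
        p = line.split()
        if len(p) != 8 or p[:4] != ["access-list", acl_id, "permit", "ip"]:
            continue
        inside = ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False)
        client = ipaddress.ip_network(f"{p[6]}/{p[7]}", strict=False)
        entries.append((inside, client))
    return entries

def route_for(dst, client_ip, entries):
    """Where a packet from the VPN client goes: 'tunnel' for a secured inside network,
    'direct' (out the home LAN) otherwise. entries=None models no split tunnel at all,
    where the client sends everything into the tunnel (the original symptom)."""
    if entries is None:
        return "tunnel"
    dst, client_ip = ipaddress.ip_address(dst), ipaddress.ip_address(client_ip)
    for inside, client_net in entries:
        if client_ip in client_net and dst in inside:
            return "tunnel"
    return "direct"

def reversed_entries(entries, client_pool):
    """Entries whose 'inside' side is really the client pool, i.e. lines with source
    and destination swapped (like the ACL 101 line removed in the thread)."""
    pool = ipaddress.ip_network(client_pool)
    return [e for e in entries if e[0].overlaps(pool)]
```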

carbonscoring Wed, 11/07/2007 - 20:21

Added ACLs as recommended and changed split tunnel to 102 as recommended. Works great.


appreciate the help!


Mike
