495 Views, 0 Helpful, 6 Replies

VPN traffic not going outside Network

carbonscoring
Level 1

I can connect to my VPN from home and access Exchange, network shares, etc. However, when I open up a webpage or do anything that needs an outside IP I can't get out. As soon as I disconnect the VPN client, web pages work great. Any suggestions?

Cisco PIX Firewall Version 6.3(3)

Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz

thanks in advance.....Mike

1 Accepted Solution (reproduced in the thread below)

6 Replies

acomiskey
Level 10

Mike,

You will have to set up split tunneling on the pix.

access-list SPLIT-TUNNEL permit ip x.x.x.x y.y.y.y
vpngroup split-tunnel SPLIT-TUNNEL

x.x.x.x = your network inside pix which you want to tunnel to.

y.y.y.y = your vpn client subnet

Doing this will allow you to vpn to the network inside the pix, but all other traffic will not be part of the vpn.

Hi, I think I already have these statements in my config:

access-list 101 permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0
vpngroup touavpn split-tunnel 101

These were taken from the startup-config

10.10.12.0 is the inside address and 10.10.15.0 is our VPN address.

Another thing that I noticed when I was connected from home was:

ip address - 10.10.15.2
subnet mask - 255.0.0.0
default gateway - 10.10.15.2

It seems to me that the default gateway shouldn't be the same as my IP address.

Our VPN worked fine. One of our engineers had moved this config file from another PIX. The old PIX was a 515E and this current one is a 515. We used the same config and everything has been OK with the exception of VPN.

thanks - mike

mike,

The ip addresses you noticed when connected from home are normal.

Do you want to post a sanitized config?

Here's the config, thanks for your help.

mike

(Accepted Solution)

I would try using a different ACL for your split tunnel; it's always good practice to separate your ACLs.

vpngroup touavpn split-tunnel 102
access-list 102 permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list 102 permit ip 10.10.11.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list 102 permit ip 10.10.101.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list 102 permit ip 10.10.14.0 255.255.255.0 10.10.15.0 255.255.255.0

I would also get rid of this, as you don't need it:

no access-list 101 permit ip 10.10.15.0 255.255.255.0 10.10.12.0 255.255.255.0
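The split-tunnel logic that acomiskey describes earlier in the thread (ACL source = inside network to tunnel to, ACL destination = VPN client pool) and the ACL 102 from the accepted solution can be checked offline with a small model. The following Python is an added example written for this thread; it is not code from the original post and not Cisco's own implementation. It models the PIX split-tunnel rule as "a client-originated packet is tunnelled only if its destination is in an ACL source network and the client address is in that entry's destination pool"; real clients install the secured routes from the ACL's source side, so this model is stricter than the client but matches what the ACL says. The destination 198.51.100.10 is a constructed example of an outside address.

```python
import ipaddress

# ACL 102 exactly as given in the accepted solution: (inside net, mask, client pool, mask).
ACL_102 = [
    ("10.10.12.0", "255.255.255.0", "10.10.15.0", "255.255.255.0"),
    ("10.10.11.0", "255.255.255.0", "10.10.15.0", "255.255.255.0"),
    ("10.10.101.0", "255.255.255.0", "10.10.15.0", "255.255.255.0"),
    ("10.10.14.0", "255.255.255.0", "10.10.15.0", "255.255.255.0"),
]

# The original ACL 101 as reconstructed from the thread: the one useful entry Mike
# quoted plus the reversed entry the accepted solution says to remove.
ACL_101 = [
    ("10.10.12.0", "255.255.255.0", "10.10.15.0", "255.255.255.0"),
    ("10.10.15.0", "255.255.255.0", "10.10.12.0", "255.255.255.0"),
]


def parse_acl(entries):
    """Turn (net, mask, net, mask) tuples into (inside_network, client_pool) pairs.
    ipaddress accepts 'net/mask' with a dotted subnet mask, which is the PIX form."""
    return [
        (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}"))
        for src, smask, dst, dmask in entries
    ]


def route_decision(acl, client_ip, dest_ip):
    """Return 'tunnel' if a packet from the VPN client to dest_ip should enter the
    tunnel under the split-tunnel ACL, otherwise 'direct' (sent out the client's
    normal interface). The ACL is written from the inside network's point of view,
    so the client's destination is matched against the ACL's source side."""
    client = ipaddress.ip_address(client_ip)
    dest = ipaddress.ip_address(dest_ip)
    for inside_net, client_pool in parse_acl(acl):
        if dest in inside_net and client in client_pool:
            return "tunnel"
    return "direct"


def secured_networks(acl, client_ip):
    """List the inside networks a client at client_ip will receive as secured routes.
    Compare this against what the VPN client reports after connecting."""
    client = ipaddress.ip_address(client_ip)
    return [str(inside_net) for inside_net, pool in parse_acl(acl) if client in pool]


if __name__ == "__main__":
    me = "10.10.15.2"  # the client address Mike saw when connected from home
    for dest in ("10.10.12.5", "10.10.101.7", "198.51.100.10"):
        print(f"ACL 102: {me} -> {dest}: {route_decision(ACL_102, me, dest)}")
    print("ACL 102 secured routes:", secured_networks(ACL_102, me))
    # The reversed entry in ACL 101 never matches a client in the 10.10.15.0 pool,
    # which is why the accepted solution calls it unnecessary.
    print("ACL 101 secured routes:", secured_networks(ACL_101, me))
```

The design point this makes visible is the one acomiskey states: only destinations inside the listed networks go through the tunnel, and everything else, including web browsing, leaves the client directly and is not inspected by the PIX. When adding inside subnets (10.10.11.0, 10.10.101.0, 10.10.14.0 in ACL 102), each one widens the secured-route list and should be a subnet the client genuinely needs.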

Added the ACLs as recommended and changed the split tunnel to 102 as recommended. Works great.

appreciate the help!

Mike
