01-15-2008 08:20 PM - edited 03-11-2019 04:48 AM
Hi all,
I have a PIX firewall at my office, but the problem is that I can access the other resources at my office, except for the Internet connection, when I connect by remote VPN from home. Is there any problem with my PIX config? (Config as attached.) I really need your kind advice. Thank you.
01-15-2008 08:26 PM
01-16-2008 02:55 AM
Hi,
I see two things.
First your NAT exempt access-list could be just:
access-list inside_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
You don't need the deny statements if they are being denied after this entry. But still it would not be a reason for not working.
The problem is that you are using this same access-list for your split tunneling and the access-list should be something like...
access-list remote_access_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
(because 192.168.2.0 is your inside LAN)
Check out this configuration example which might help you understand:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#s2
HTH,
Paulo
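An added example, not part of Paulo's reply or the attached config: a small Python lint over a constructed PIX 6.x-style fragment that flags the two conditions the reply describes, a vpngroup whose split-tunnel ACL is also the NAT-exempt ACL, and a split-tunnel ACL whose source is not the inside LAN. The group name EXAMPLE_GROUP, the pool name vpnpool and the inside interface address are assumptions.

```python
import ipaddress

# Constructed PIX 6.x-style fragment, not the poster's attached config.
# EXAMPLE_GROUP and vpnpool are placeholder names.
BROKEN = """\
ip address inside 192.168.2.1 255.255.255.0
ip local pool vpnpool 192.168.3.1-192.168.3.254
access-list inside_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
vpngroup EXAMPLE_GROUP address-pool vpnpool
vpngroup EXAMPLE_GROUP split-tunnel inside_outbound_nat0_acl
"""
# Same fragment with a dedicated split-tunnel ACL, as suggested in the reply.
FIXED = BROKEN.replace(
    "split-tunnel inside_outbound_nat0_acl",
    "split-tunnel remote_access_splitTunnelAcl",
) + "access-list remote_access_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any\n"


def lint_split_tunnel(config):
    """Return findings about each vpngroup's split-tunnel ACL."""
    inside_net, nat0_acl = None, None
    split_acls = {}   # vpngroup name -> split-tunnel ACL name
    acl_sources = {}  # ACL name -> sources of its "permit ip" entries
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "address", "inside"] and len(t) >= 5:
            inside_net = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:4] == ["nat", "(inside)", "0", "access-list"] and len(t) >= 5:
            nat0_acl = t[4]
        elif len(t) == 4 and t[0] == "vpngroup" and t[2] == "split-tunnel":
            split_acls[t[1]] = t[3]
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"] and len(t) >= 6:
            # Only "any" and "<network> <mask>" sources are handled here.
            src = "any" if t[4] == "any" else ipaddress.ip_network(f"{t[4]}/{t[5]}")
            acl_sources.setdefault(t[1], []).append(src)
    findings = []
    for group, acl in split_acls.items():
        if acl == nat0_acl:
            findings.append(f"{group}: split-tunnel reuses NAT-exempt ACL {acl}")
        for src in acl_sources.get(acl, []):
            if src == "any" or (inside_net is not None and not src.subnet_of(inside_net)):
                findings.append(f"{group}: {acl} source {src} is not the inside LAN")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_split_tunnel(cfg) or "no findings")
```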
01-17-2008 01:50 AM
Hi Paulo,
I already tested it but it does not work. By the way, I issued the command "sh crypto isakmp sa" and there's no IPsec session established. Is that possible? I'm really not sure. And when I check "ipconfig" on my laptop, I get a similar IP address and default gateway, for example 192.168.3.1 for both. Is that a possible problem? I really need your advice. Thank you.
01-17-2008 02:57 AM
Hi,
Can you put the configuration here again so I can see what you changed?
If you do "ipconfig" on your laptop after logging into the VPN you should see two different subnets (if the split-tunneling is correctly configured): the one your router gives you for the Internet, and the one you configure for the VPN.
Rgds,
Paulo
01-17-2008 06:58 PM
Hi Paulo,
Please refer to the attached configuration. For your information, for the VPN client IP, when I issue "ipconfig", my laptop IP address is 192.168.3.1 and the default gateway is also 192.168.3.1. Is this OK? Thanks so much for your continuous support. I really appreciate it. Thank you.
01-18-2008 06:48 AM
Hi,
I was just comparing it to my configs and I am not seeing anything wrong to be honest.
Can you try just putting the NAT exempt as the following line, instead of having all the deny statements there?
access-list inside_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
With which group are you trying? Tekmal1?
Regards,
Paulo Henriques
01-18-2008 10:51 AM
Hi Paulo Henriques,
Yes, Tekma1. By the way, is there any effect if I remove "pdm location"? What is this command's actual role? It looks crowded. One more thing, is it possible to increase the Internet connection speed in the firewall configuration? Is there any approach to follow to configure the firewall to avoid slowness of the Internet connection? I will try to test again as advised and I'll definitely update you. Thanks so much!!
It's me,
aans
01-22-2008 03:20 AM
Hi Paulo,
Yes!! It works... but why is the Internet connection quite slow? I hope you can advise. Thanks so much!!
01-22-2008 03:31 AM
Hey,
I'm glad it's working now.
I see no reason for the VPN to affect the speed of the Internet connection. Check your "ipconfig" to see what IP addresses you have. Also, check the "route print" to see if the route table on your PC has the right routes.
You should also do some traceroutes to the Internet and to your internal LAN and see if you can see any problem there.
Hope it helps. Also, if you find any of my help useful can you please rate it?
Regards,
Paulo
01-22-2008 03:36 AM
Hi Paulo,
By the way, is it OK if I remove all the "pdm location" commands? Any effects? Thanks.
It's me again,
aans
01-22-2008 03:58 AM
Hi Aans,
The "pdm location" command is added by the PDM, so if you remove them, the next time you access PDM they will just be added again.
Just let it be ;).
Regards,
Paulo
01-25-2008 02:34 AM
Hi Paulo,
Actually, I am able to access some websites, for example www.msn.com and google.com, but I have a problem opening the pages for yahoo.com and cnn.com. The error is "page can't open". What should I do?