Can't access outside or internet once connected

Unanswered Question
Jun 5th, 2008

I have a PIX 525 with 8.03 IOS and ASDM 6 installed.

Remote VPN configured fine, Cisco VPN client installed fine.

But after the connection, I can't access any hosts outside of the 10.0.0.x (inside) subnet.

I can't even ping my outside NIC.


Attached is my config.

msubtain Thu, 06/05/2008 - 19:37

I cannot access your config for some reason; can you post it here?

Check a few things: have you enabled split tunneling? If yes, have you defined a network list?

dkim777oig Fri, 06/06/2008 - 05:19

Sorry, somehow the expiration date was the same date as the post date.


PIX Version 8.0(3)
hostname was-pix
domain-name home
enable password xxx
interface Ethernet0
 nameif outside
 security-level 0
 ip address
interface Ethernet1
 nameif inside
 security-level 100
 ip address
interface Ethernet2
 no nameif
 no security-level
 no ip address
passwd xxx
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name home
access-list outside_access_in extended permit ip any any
access-list outside_access_in_1 extended permit ip host any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpn-pool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101
access-group outside_access_in_1 in interface outside control-plane
access-group inside_access_in in interface inside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http inside
http outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics
ntp server source outside
group-policy vpn-group internal
group-policy vpn-group attributes
 dns-server value
 vpn-tunnel-protocol IPSec
 default-domain value home
username user1 password xxx encrypted privilege 0
username user1 attributes
 vpn-group-policy vpn-group
tunnel-group vpn-group type remote-access
tunnel-group vpn-group general-attributes
 address-pool vpn-pool
 default-group-policy vpn-group
tunnel-group vpn-group ipsec-attributes
 pre-shared-key *
prompt hostname context
: end

dkim777oig Fri, 06/06/2008 - 06:48

Well, I want ALL traffic (including internet) to go through the VPN, therefore I haven't enabled split tunnel.

Is there any other way?
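
Added example, not part of the original thread or anyone's posted code: a small Python check for the two things asked about above (is split tunneling enabled, and is a network list defined) that reads a PIX/ASA config and reports the effective split-tunnel setting per group-policy. The sample config, the ACL and group names other than `vpn-group`, and the function name are constructed for illustration; it assumes a group-policy with no `split-tunnel-policy` line uses the default `tunnelall`.

```python
import re

# Constructed sample in the style of the posted config (names are made up,
# except vpn-group, which mirrors the thread).
SAMPLE = """\
access-list split-acl standard permit 10.0.0.0 255.255.255.0
group-policy vpn-group internal
group-policy vpn-group attributes
 vpn-tunnel-protocol IPSec
group-policy split-group internal
group-policy split-group attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-acl
group-policy broken-group attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value missing-acl
"""

# Simplification: these prefixes end a group-policy attributes block, so the
# check also works on pastes that have lost their indentation.
TOP_LEVEL = ("group-policy ", "username ", "tunnel-group ")

def split_tunnel_report(config):
    """Return {group-policy: {"policy", "acl", "finding"}} for each attributes block."""
    acls = set(re.findall(r"^\s*access-list (\S+) ", config, re.M))
    report, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            # Assumed default when nothing is configured: tunnel everything.
            current = report.setdefault(m.group(1), {"policy": "tunnelall", "acl": None})
        elif line.startswith(TOP_LEVEL):
            current = None
        elif current is not None and line.startswith("split-tunnel-policy "):
            current["policy"] = line.split()[1]
        elif current is not None and line.startswith("split-tunnel-network-list value "):
            current["acl"] = line.split()[2]
    for gp in report.values():
        if gp["policy"] == "tunnelall":
            gp["finding"] = "all client traffic is sent through the tunnel"
        elif gp["acl"] is None:
            gp["finding"] = "split tunneling enabled but no network list set"
        elif gp["acl"] not in acls:
            gp["finding"] = "network list references an undefined access-list"
        else:
            gp["finding"] = "split tunneling via access-list " + gp["acl"]
    return report
```

Run against the config posted in this thread, the `vpn-group` policy would be reported as `tunnelall`, which matches the poster's statement that split tunneling is not enabled.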


