06-05-2008 12:02 PM - edited 03-09-2019 08:51 PM
I have pix 525 with 8.03 ios and adsm 6 installed.
remote vpn configured fine, cisco vpn client installed fine.
but after the connection, I can't access any hosts outside of the 10.0.0.x (inside) subnet.
I can't even ping my outside NIC 129.2.28.100.
Any ideas?
attached is my config.
06-05-2008 07:37 PM
I can not access your config for some reason, can you post it here?
Check a few things: have you enabled split tunneling? If yes, have you defined a network list?
06-06-2008 05:19 AM
sorry, somehow expiration date was the same date as post date.
-----------------------------------------
PIX Version 8.0(3)
!
hostname was-pix
domain-name home
enable password xxx
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 129.2.28.100 255.255.255.128
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd xxx
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name home
access-list outside_access_in extended permit ip any any
access-list outside_access_in_1 extended permit ip host 129.2.28.56 any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpn-pool 10.0.0.100-10.0.0.199 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
access-group outside_access_in_1 in interface outside control-plane
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 158.70.112.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.2 255.255.255.255 inside
http 129.2.28.56 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 129.2.28.56 255.255.255.255 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics
ntp server 129.2.146.90 source outside
group-policy vpn-group internal
group-policy vpn-group attributes
dns-server value 129.2.146.90
vpn-tunnel-protocol IPSec
default-domain value home
username user1 password xxx encrypted privilege 0
username user1 attributes
vpn-group-policy vpn-group
tunnel-group vpn-group type remote-access
tunnel-group vpn-group general-attributes
address-pool vpn-pool
default-group-policy vpn-group
tunnel-group vpn-group ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:xxxx
: end
06-06-2008 06:09 AM
You have to configure split tunnel in order to access the internet, outside, etc. Following is the link to configure the same using the CLI:
Rate the post if it helps.
Thanks
Saju
06-06-2008 06:48 AM
Well, I want ALL traffic (including internet) to go through the VPN, therefore I haven't enabled split tunnel.
Is there any other way?
Thanks
06-06-2008 08:42 AM
By design the PIX/ASA does not redirect traffic on the same interface. Try enabling it by using the command "same-security-traffic permit intra-interface".
See the following document:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml#topic2
Let me know if it works or not
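To make the reply above checkable rather than a matter of memory, here is an added audit script (not from the thread or from Cisco) that reads a PIX/ASA 8.x running-config as text and reports whether a tunnel-all remote-access setup has what hairpinning needs: the `same-security-traffic permit intra-interface` command, and a `nat (outside)` statement (with a matching `global (outside)`) covering the VPN address pool, which the linked Cisco tech note also requires under `nat-control` so client traffic can leave the outside interface again. The sample config is abridged from the one posted earlier in this thread; `HAIRPIN_FIX`, the function names, and the NAT ID reuse are assumptions made for the example.

```python
import re
import ipaddress

# Constructed sample: abridged from the PIX 8.0(3) config posted in this thread.
SAMPLE_CONFIG = """\
interface Ethernet0
nameif outside
security-level 0
ip address 129.2.28.100 255.255.255.128
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
ip local pool vpn-pool 10.0.0.100-10.0.0.199 mask 255.255.255.0
nat-control
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
group-policy vpn-group internal
group-policy vpn-group attributes
dns-server value 129.2.146.90
vpn-tunnel-protocol IPSec
tunnel-group vpn-group general-attributes
address-pool vpn-pool
default-group-policy vpn-group
"""

# Hypothetical fix lines (assumption for this example): permit hairpinning and
# translate the VPN pool on the outside interface, reusing the existing NAT ID 101.
HAIRPIN_FIX = """\
same-security-traffic permit intra-interface
nat (outside) 101 10.0.0.0 255.255.255.0
"""


def local_pools(cfg):
    """Return {pool_name: (first_ip, last_ip)} parsed from 'ip local pool' lines."""
    pools = {}
    pat = r"^ip local pool (\S+) ([\d.]+)-([\d.]+) mask ([\d.]+)\s*$"
    for m in re.finditer(pat, cfg, re.M):
        name, first, last, _mask = m.groups()
        pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
    return pools


def intra_interface_permitted(cfg):
    """True if traffic may enter and leave the same interface (hairpinning)."""
    pat = r"^same-security-traffic permit intra-interface\s*$"
    return re.search(pat, cfg, re.M) is not None


def split_tunnel_policy(cfg):
    """Configured split-tunnel-policy; the ASA default when absent is tunnelall."""
    m = re.search(r"^\s*split-tunnel-policy (\S+)", cfg, re.M)
    return m.group(1) if m else "tunnelall"


def pool_has_outside_nat(cfg, first, last):
    """True if a 'nat (outside) ID net mask' covers the whole pool and a
    'global (outside) ID' exists for that ID, so the translation is complete."""
    global_ids = set(re.findall(r"^global \(outside\) (\d+) ", cfg, re.M))
    for m in re.finditer(r"^nat \(outside\) (\d+) ([\d.]+) ([\d.]+)", cfg, re.M):
        nat_id, net, mask = m.groups()
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if first in network and last in network and nat_id in global_ids:
            return True
    return False


def audit_hairpin(cfg):
    """Summarise whether tunnel-all VPN clients can reach the Internet through the box."""
    findings = {
        "intra_interface": intra_interface_permitted(cfg),
        "split_tunnel": split_tunnel_policy(cfg),
        "pools": {},  # pool name -> covered by nat (outside) + global (outside)
    }
    for name, (first, last) in local_pools(cfg).items():
        findings["pools"][name] = pool_has_outside_nat(cfg, first, last)
    needs_hairpin = findings["split_tunnel"] == "tunnelall"
    findings["ok"] = (not needs_hairpin) or (
        findings["intra_interface"] and bool(findings["pools"])
        and all(findings["pools"].values())
    )
    return findings


if __name__ == "__main__":
    print("as posted:", audit_hairpin(SAMPLE_CONFIG))
    print("with fix: ", audit_hairpin(SAMPLE_CONFIG + HAIRPIN_FIX))
```

Run against the posted config the audit reports `intra_interface: False` and no outside NAT for `vpn-pool`, which is consistent with the symptom in the thread (inside hosts reachable, nothing beyond); appending the fix lines flips both findings. The script only inspects text, so it cannot tell whether the pool overlaps the inside subnet or whether upstream routing is sound; it is a first check, not a replacement for `packet-tracer` on the device.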
06-06-2008 11:00 AM
Also check this link out . It may help you.