VPN Connects but cannot access anything

peada04
Level 1

Hi,

Been struggling with this for over a week now, using some of the forum posts and docs to resolve - getting close...so any help is much appreciated.

I'm using a PIX 501 to provide VPN access to my internal network. I've gotten the configuration to the point where I can connect to the VPN from the Internet, but once I do so I cannot RDP, map a drive, etc. to any servers. I can ping the outside interface of the PIX when connected via VPN, but that's it.

The configuration is:

Internet --> dlink dir-625 (forwarding to pix, inside ip is 10.1.1.1) --> pix (outside is 10.1.1.150, inside is 192.168.1.1)

When I have a device plugged into the PIX directly it gets a 192.168.1.x address and can access everything on 10.1.1.x fine. I don't see anything that indicates errors in the PDM log or in the IPsec logging that I enabled - I used to get "no route from x to y" but I don't see them anymore with the current config, which is attached. Thanks for any tips!

2 Replies

jdlampard
Level 1

Looks like you're missing an ACL for traffic that should not be NATed and an associated NAT statement such as:

nat (inside) 0 access-list nonat

Also, you'll need an ACL to define interesting traffic--the traffic that needs to be encrypted.

Then these need to be applied accordingly in your crypto and vpngroup statements.

Hope this helps,

JD

Thanks for your reply!

I *think* I have those statements in there:

This is my acl:

access-list 101 permit ip any 192.168.2.0 255.255.255.0

This is the nat statement:

nat (inside) 0 access-list 101

I've checked the command reference and don't see where ACL 101 should be directly referenced in a crypto statement. And the vpngroup statements only reference the ACL for the split tunnel line (I've changed that to reference ACL 101 - it was 102 in what I posted). Sorry to be so dense, but it seems like these statements are in there... Thanks.