10-27-2008 03:56 PM - edited 03-11-2019 07:03 AM
Redoing our network to remove the .1 subnet and replace it with a .12 subnet. I can successfully authenticate from home, but I am unable to connect to any of the .12 boxes on the network.
Here are snippets of my config:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
names
access-list 101 permit ip 192.168.12.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.11.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 192.168.11.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 103 remark IP Access for 10 range
access-list 103 permit ip host 192.168.10.1 192.168.2.0 255.255.255.0
pager lines 24
logging host inside 192.168.1.3
mtu outside 1500
mtu inside 1500
ip address inside 192.168.1.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.2.1-192.168.2.200
ip local pool remoteuser 192.168.2.201-192.168.2.254
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route inside 192.168.5.0 255.255.255.0 192.168.1.210 1
route inside 192.168.6.0 255.255.255.0 192.168.1.210 1
route inside 192.168.9.0 255.255.255.0 192.168.1.254 1
route inside 192.168.10.0 255.255.255.0 192.168.1.254 1
route inside 192.168.11.0 255.255.255.0 192.168.1.254 1
route inside 192.168.12.0 255.255.255.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
vpngroup new address-pool ippool
vpngroup new dns-server 192.168.1.4
vpngroup new split-tunnel 101
vpngroup new idle-time 1800
vpngroup new password ********
vpngroup rjordan address-pool remoteuser
vpngroup rjordan dns-server 192.168.1.4
vpngroup rjordan split-tunnel 102
vpngroup rjordan idle-time 1800
vpngroup rjordan password ********
vpngroup tenrange address-pool remoteuser
vpngroup tenrange dns-server 192.168.1.4
vpngroup tenrange split-tunnel 103
vpngroup tenrange idle-time 1800
vpngroup tenrange password ********
10-27-2008 04:25 PM
Hi,
Are you connecting to vpngroup "new" or a different one? If you are connecting to the "new" group and are not able to access the 192.168.12.0 subnet, make sure that you bypass NAT for VPN client traffic. Add the access-list entry below and test again.
access-list nonat permit ip 192.168.12.0 255.255.255.0 192.168.2.0 255.255.255.0
Regards,
Arul
*Pls rate if it helps*
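The point of the answer above is that `nat (inside) 0 access-list nonat` is what keeps reply traffic from inside hosts to the VPN pool (192.168.2.0/24) out of the dynamic PAT rule `nat (inside) 1 0.0.0.0 0.0.0.0`; a subnet that is pushed to the client in a split-tunnel ACL but has no matching nonat entry gets its replies translated to the outside interface address and the client never sees them. The script below is an added example, not part of the original thread or of any Cisco tool: it parses the nonat and split-tunnel ACLs as posted (copied into constructed strings), evaluates a flow against the nat 0 list with first-match semantics (an assumption about PIX 6.3 behaviour that holds for ordinary permit entries), and reports every split-tunnel network that lacks a covering nonat permit, before and after the suggested line is added.

```python
import ipaddress

# Constructed input: the nonat ACL exactly as it appears in the original post.
NONAT_BEFORE = """
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.11.0 255.255.255.0 192.168.2.0 255.255.255.0
"""

# The line the answer recommends adding.
NONAT_FIX = "access-list nonat permit ip 192.168.12.0 255.255.255.0 192.168.2.0 255.255.255.0\n"

# Constructed input: the split-tunnel ACLs referenced by the three vpngroups in the post.
SPLIT_TUNNEL = """
access-list 101 permit ip 192.168.12.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 192.168.11.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 103 remark IP Access for 10 range
access-list 103 permit ip host 192.168.10.1 192.168.2.0 255.255.255.0
"""


def _addr(tokens):
    """Consume one PIX address spec ('any', 'host A', or 'A MASK') and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} for 'access-list NAME permit|deny ip SRC DST'.

    Remark lines and non-ip protocols are skipped; only ip entries matter for nat 0 and split-tunnel.
    """
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] == "remark" or tok[3] != "ip":
            continue
        src, rest = _addr(tok[4:])
        dst, _ = _addr(rest)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls


def nat_exempt(nonat, src_ip, dst_ip):
    """First-match evaluation of the nat (inside) 0 ACL (assumed semantics). True means NAT is bypassed;
    False means the flow falls through to nat (inside) 1 and is PAT'd to the outside interface."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, sn, dn in nonat:
        if s in sn and d in dn:
            return action == "permit"
    return False


def missing_exemptions(split_acls, nonat):
    """Every network a split-tunnel ACL hands to the client needs a nonat permit that contains both the
    inside network and the pool; return the (acl, src, dst) entries that have none."""
    permits = [(sn, dn) for a, sn, dn in nonat if a == "permit"]
    gaps = []
    for name, entries in split_acls.items():
        for action, sn, dn in entries:
            if action != "permit":
                continue
            if not any(sn.subnet_of(psn) and dn.subnet_of(pdn) for psn, pdn in permits):
                gaps.append((name, str(sn), str(dn)))
    return gaps


if __name__ == "__main__":
    before = parse_acl(NONAT_BEFORE)["nonat"]
    after = parse_acl(NONAT_BEFORE + NONAT_FIX)["nonat"]
    split = parse_acl(SPLIT_TUNNEL)
    print("reply 192.168.12.5 -> 192.168.2.10 exempt before fix:", nat_exempt(before, "192.168.12.5", "192.168.2.10"))
    print("reply 192.168.12.5 -> 192.168.2.10 exempt after fix: ", nat_exempt(after, "192.168.12.5", "192.168.2.10"))
    print("split-tunnel networks without nonat cover, before:", missing_exemptions(split, before))
    print("split-tunnel networks without nonat cover, after: ", missing_exemptions(split, after))
```

Running it shows the gap the answer identifies: ACL 101 pushes 192.168.12.0/24 to the "new" group's clients, but no nonat entry covers it, so replies from .12 hosts are translated and the VPN client cannot reach them; with the suggested line in place the check comes back empty. The same audit is worth re-running whenever a split-tunnel ACL or the pool range changes, since the split-tunnel and nonat lists have to be kept in step by hand on this platform.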