No internet when VPN is up

chris.lantz
Level 1

I solved one problem from the discussion "Static NAT on PIX 501 help", but now I have no internet connectivity when that tunnel comes up.  I have attached my current PIX 501 config.  Any suggestions would be appreciated.

Accepted Solution

Try replacing:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

with

access-list PAT permit ip 192.168.1.0 255.255.255.0 any

nat (inside) 1 access-list PAT

My thinking here is that once you start with policy NAT, all your NAT must work that way... I'm not truly sure it'll work, but I think it's worth a shot.

It won't break the static NAT because that is processed ahead of the NAT statement.


12 Replies

mopaul
Cisco Employee


Hi,


I have reviewed the configuration and it appears good to me. As per your post, it seems to me that after the addition of the static command the VPN started working fine, but you lost internet connectivity on the PIX. I would suggest the following:


1. Terminate the VPN by running "clear crypto ipsec sa"

2. Then, to clear the existing translations, run the command "clear xlate"

3. Initiate the internet traffic, followed by VPN tunnel initiation by pinging the remote destination 192.168.27.x


Let me know how it goes.


Note :


A. Step 1 is optional, but still I would request you to terminate the tunnel.

B. Step 2 is recommended on PIX 6.3. Please refer to:


www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1084248



HTH...



Regards

M

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries

Ahh, let me clarify my problem, I don't think I expressed it correctly.

When I say "no internet" I am referring to general internet traffic, such as www.cisco.com from a browser.  The internet traffic works fine until the VPN tunnel comes up, then the internet no longer works.  But the VPN works fine, I can pass traffic in the tunnel no problem.

So, for example, if I start a ping to www.cisco.com, then I do another ping to 192.168.27.1 (which will initiate the VPN tunnel), the ping to www.cisco.com suddenly stops working, but I can fully use the VPN.

The commands you mentioned allow me to bring down the VPN tunnel just fine, and I can then again use the internet.

Thanks for your help with this.

My gut feeling is that it's NAT causing you problems.

Are you getting errors in the log?


Hey Chris,


You explained your problem correctly and I did understand it in the first place. I suspect there is some translation or xlate issue on the PIX. That's why I have recommended the steps accordingly, stating that bringing the VPN tunnel down is just an optional step. What I want you to do is play with the NAT rule as suggested.

Try clearing the xlate.

Apply the policy NAT statement first and then apply the nat/global 1 rule on the PIX.



Regards

M


When I clear xlate, the internet starts working, even with the VPN still up.  But as soon as I pass traffic over the VPN, the internet stops working.  I can get it back by simply doing a clear xlate.  I don't need to do a clear ipsec sa or clear isakmp sa.

I tried removing all the statements, clearing, adding them back in, clearing, but I still get the same results.

Try adding a deny any any to the end of the ACL "chris-to-ocean-nat".

Try nat 0 by adding the same ACL with a different name for your VPN traffic, then try split tunneling.

"Try nat 0 by adding the same ACL with a different name for your VPN traffic, then try split tunneling"

I don't think that'll do any good, from what I can see of the config he needs to do some translation as the original source subnet probably isn't valid on the peer device.

Thanks for all your suggestions.  For what it's worth, I have attached the configuration of the other PIX.

Can you give us the output of show xlate?

Take a copy immediately after clearing xlate, but before you send traffic over the tunnel, and then another after Internet access stops working.

I have attached the output from the sh xlate command before and after internet access stops working.

