10-02-2010 10:42 AM - edited 03-11-2019 11:49 AM
Hi
I have set up a remote VPN on a PIX 506e with aaa-server radius. I am able to connect via AD users.
But when I connect to the remote network, my local LAN and internet work properly, but I cannot access the remote LAN.
Please help
PIX 506e 6.3
access-list outside_20_cryptomap permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list mcstunnel permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
ip local pool mobile1 192.168.5.1-192.168.5.255
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.1.10 cisco123 timeout 5
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-des esp-md5-hmac
crypto dynamic-map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 10 ipsec-isakmp dynamic outside_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
vpngroup mcsvpn address-pool mobile1
vpngroup mcsvpn dns-server 192.168.1.10
vpngroup mcsvpn wins-server 192.168.1.10
vpngroup mcsvpn default-domain myf.com
vpngroup mcsvpn idle-time 1800
vpngroup mcsvpn password 12345
thanks
Amardeep
10-02-2010 06:28 PM
When you say, you can't access remote LAN, you mean you can't access 192.168.1.0/24 network (behind the PIX), right?
Can you share your NAT exemption configuration?
You would need to have the following:
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list nonat
If you already have those, please kindly share the config to see what could be the issue.
Hope that helps.
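The reply above boils down to one check: the address pool handed to VPN clients must be covered by the ACL that `nat (inside) 0` references, otherwise inside-to-client traffic is translated and never returns through the tunnel. The script below is an added example, not something from this thread or from Cisco; it parses only the PIX 6.3 commands discussed here (`ip local pool`, `access-list ... permit ip` with explicit netmasks, `nat (inside) 0 access-list`, `vpngroup ... address-pool`) and reports whether every block of the pool is exempted from NAT for the inside LAN. The two sample configs are constructed from the lines quoted in the thread: the original post, which has no `nat 0` line, and the same config with the two lines the reply says are required.

```python
"""Check that a PIX 6.3-style config exempts the remote-access VPN pool from NAT.

Added example (not the thread's or Cisco's code). Assumptions: ACL entries are of
the form 'access-list NAME permit ip SRC MASK DST MASK'; pools are written as
'ip local pool NAME FIRST-LAST'; everything else in the config is ignored.
"""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
POOL_RE = re.compile(r"^ip local pool\s+(\S+)\s+(\S+)-(\S+)\s*$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)\s*$")
VPNGROUP_POOL_RE = re.compile(r"^vpngroup\s+(\S+)\s+address-pool\s+(\S+)\s*$")


def _net(addr, mask):
    """PIX writes 'address netmask'; ipaddress accepts 'address/netmask'."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Return (acls, pools, nat0, vpngroups) built from the lines we care about."""
    acls, pools, nat0, vpngroups = {}, {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((_net(s, sm), _net(d, dm)))
        elif m := POOL_RE.match(line):
            name, first, last = m.groups()
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif m := NAT0_RE.match(line):
            iface, acl = m.groups()
            nat0[iface] = acl                      # interface -> NAT-exempt ACL name
        elif m := VPNGROUP_POOL_RE.match(line):
            group, pool = m.groups()
            vpngroups[group] = pool                # vpngroup -> pool name
    return acls, pools, nat0, vpngroups


def check_nat_exemption(text, inside_lan, interface="inside"):
    """Return a list of findings; an empty list means the whole pool is exempted."""
    acls, pools, nat0, vpngroups = parse_config(text)
    inside_lan = ipaddress.ip_network(inside_lan)
    findings = []

    acl_name = nat0.get(interface)
    if acl_name is None:
        findings.append(f"no 'nat ({interface}) 0 access-list ...' command found")
        return findings
    entries = acls.get(acl_name)
    if not entries:
        findings.append(f"nat 0 references ACL '{acl_name}' but it has no permit ip entries")
        return findings

    for group, pool_name in vpngroups.items():
        if pool_name not in pools:
            findings.append(f"vpngroup {group} uses undefined pool '{pool_name}'")
            continue
        first, last = pools[pool_name]
        # A pool is a range, not a subnet: split it into aligned blocks and make sure
        # each block sits inside some (inside LAN -> pool) entry of the nat 0 ACL.
        for block in ipaddress.summarize_address_range(first, last):
            covered = any(block.subnet_of(dst) and inside_lan.subnet_of(src)
                          for src, dst in entries)
            if not covered:
                findings.append(f"pool {pool_name} block {block} (vpngroup {group}) is not "
                                f"exempted from NAT for {inside_lan} by ACL {acl_name}")
    return findings


# Constructed from the commands quoted in the original post (no nat 0 line present).
ORIGINAL_POST = """\
access-list mcstunnel permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
ip local pool mobile1 192.168.5.1-192.168.5.255
vpngroup mcsvpn address-pool mobile1
"""

# The same config plus the two lines the reply says are required.
WITH_NONAT = ORIGINAL_POST + """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

if __name__ == "__main__":
    for label, cfg in (("original post", ORIGINAL_POST), ("with nonat", WITH_NONAT)):
        print(f"{label}: {check_nat_exemption(cfg, '192.168.1.0/24') or 'OK'}")
```

Running it prints a finding for the original post (no `nat 0` command) and `OK` once the `nonat` ACL and `nat (inside) 0 access-list nonat` are present. The block-by-block check also catches the subtler case where a `nonat` entry exists but its destination mask is narrower than the pool, which leaves part of the pool translated and produces exactly the symptom the thread describes for some clients only.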
10-03-2010 07:05 AM
Hi Amardeep,
Please provide the following info
1) the use of ACL mcstunnel
2) the NAT config
3) Are you using split tunneling? Please provide a screenshot of the route details on the VPN client screen after you connect to the VPN.
You can view the route details under Status > Statistics > Route Details
Regards,
Namit
10-04-2010 02:25 AM
Thanks
Now this is working. I did not make a good access list. Now this is fine.
Thanks
Amardeep Rana