Can't get to Internet when VPN client 3.5 is active????

Jun 27th, 2002

I installed VPN client 3.5 on my WIN 98 SE laptop. I can access my corporate network, but I can't get to the internet at all when the VPN is active. Any ideas? Thanks for the help in advance. (The PIX is running 6.1(2).)


Jpoulos

paqiu Thu, 06/27/2002 - 15:07

I think you must be running in "tunnel all" mode.

In the PIX, there is a command to enable "split tunnel"; from the split-tunnel access-list, you can control which traffic will be encrypted and which traffic will go to the internet.


Here is the sample config:

http://www.cisco.com/warp/customer/110/pix3000.html


Check the command:

" vpngroup vpn3000 split-tunnel 101"

"access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 "


Best Regards,


jpoulos Fri, 06/28/2002 - 08:27

That was it. It worked perfectly. My next problem is that I need to send all traffic going to a single IP address out my DMZ and through a 3rd-party VPN device. We have a company hosting one of our databases. So I need to VPN in to the secure network, then out through the DMZ to this one server. What command do I need to use to do this? Let me know if I need to clarify anything. Thanks for your help, it is greatly appreciated.


Jpoulos

paqiu Sat, 06/29/2002 - 17:51

Two things you need to do for this:

1. nat (dmz) 0 access-list

Assume that your server is in the 192.168.100.0 255.255.255.0 network.

Make sure you add that network into your no-NAT access-list.

This one is to bypass NAT for the VPN traffic to the DMZ interface.


2. Make sure there is a return route from the server end.

If your VPN client IP address pool is 192.168.1.1 to 254 and the DMZ interface IP address is 192.168.100.1,

make sure that on the server you have something like this:

ip route 192.168.1.0 255.255.255.0 192.168.100.1
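The two answers above describe three separate checks the PIX and the DMZ server make: the split-tunnel access-list decides which client traffic is encrypted (answer 1), the nat (dmz) 0 access-list decides which client-to-DMZ flows bypass NAT, and the server needs a return route for the client pool (answer 2). The following Python model is an added example, not code from the thread or from Cisco; it re-implements that matching logic on the addresses quoted in the thread so you can see why "tunnel all" cuts off Internet access and what each later step has to satisfy. The access-list number 90, the client addresses 10.1.2.7 and 192.168.1.33, the Internet address 198.51.100.10 and the hosted server address 192.168.100.50 are constructed placeholders.

```python
"""Python model of the PIX decisions in this thread (constructed example, not PIX code).

It reproduces the matching behind
  vpngroup <group> split-tunnel <acl>  : which client traffic is encrypted
  nat (dmz) 0 access-list <acl>        : which DMZ flows bypass NAT
and a check that the DMZ server has a return route for the VPN client pool.
Network addresses are the ones given in the thread; host addresses and
access-list 90 are made-up placeholders.
"""
from ipaddress import ip_address, ip_network


def parse_ace(line):
    """Parse 'access-list N permit ip SRC MASK DST MASK' into (src_net, dst_net).
    Only this one form is handled; PIX 6.x ACLs use normal subnet masks."""
    p = line.split()
    if len(p) != 8 or p[:1] + p[2:4] != ["access-list", "permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    return (ip_network(f"{p[4]}/{p[5]}", strict=False),
            ip_network(f"{p[6]}/{p[7]}", strict=False))


def matches(acl, local, remote):
    """These ACLs are written from the PIX side: source = protected network,
    destination = VPN client pool. A flow matches when the protected-side
    address is in an entry's source and the client address in its destination."""
    l, r = ip_address(local), ip_address(remote)
    return any(l in src and r in dst for src, dst in acl)


def client_path(split_acl, client_ip, dest_ip):
    """Where a packet from the VPN client goes.
    split_acl=None is 'tunnel all': everything, Internet included, is encrypted
    to the PIX, which is why the poster lost Internet access."""
    if split_acl is None or matches(split_acl, dest_ip, client_ip):
        return "tunnel"
    return "clear"


def dmz_nat_exempt(nat0_acl, server_ip, client_ip):
    """True if 'nat (dmz) 0 access-list' exempts the server<->client flow from NAT,
    so the server sees the real VPN client address."""
    return matches(nat0_acl, server_ip, client_ip)


def has_return_route(routes, client_ip, dmz_if_ip):
    """routes: 'ip route NET MASK NEXTHOP' lines from the server's routing table.
    True if the client's address is covered by a route whose next hop is the
    PIX DMZ interface; without it, replies never come back through the tunnel."""
    c = ip_address(client_ip)
    for line in routes:
        _, _, net, mask, nexthop = line.split()
        if c in ip_network(f"{net}/{mask}", strict=False) and ip_address(nexthop) == ip_address(dmz_if_ip):
            return True
    return False


# Constructed sample config using the thread's networks (hosts are placeholders).
SPLIT_ACL = [parse_ace("access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0")]
NAT0_ACL = [parse_ace("access-list 90 permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0")]
SERVER_ROUTES = ["ip route 192.168.1.0 255.255.255.0 192.168.100.1"]


def demo():
    client = "10.1.2.7"  # placeholder address from the 10.1.2.0/24 client pool
    return {
        "tunnel_all_web": client_path(None, client, "198.51.100.10"),
        "split_corp": client_path(SPLIT_ACL, client, "10.1.1.20"),
        "split_web": client_path(SPLIT_ACL, client, "198.51.100.10"),
        "nat_exempt": dmz_nat_exempt(NAT0_ACL, "192.168.100.50", "192.168.1.33"),
        "return_route": has_return_route(SERVER_ROUTES, "192.168.1.33", "192.168.100.1"),
        "no_return_route": has_return_route(SERVER_ROUTES, "10.1.2.7", "192.168.100.1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note the direction of the match: both the split-tunnel and the nat 0 access-lists are written from the PIX's point of view (protected network as source, client pool as destination), so a client packet is tunnelled when its destination falls in the source field, not the other way round. The last check in demo() shows the failure mode from answer 2: a client from a pool the server has no route for (10.1.2.0/24 here) gets no return path via the DMZ interface.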



