no xlate for vpn client

Jun 16th, 2003

I have vpn clients set up here. The vpn clients have no problem getting to the internal network. Internal network is working fine. However, I noticed that my vpn clients are unable to browse the internet. The error message is that there is no xlate.


I have the entire internal network nat, which includes the vpn pool.

What do I need to add for the vpn clients to be able to browse the net when they vpn in?

Thank you.


shannong Mon, 06/16/2003 - 12:00

If the VPN sessions are terminated on a Pix's interface that also serves as the interface for its default route, you cannot do this. The Pix does not allow the packet to enter and leave on the same interface.


You can enable split-tunneling for the client so that they do not send traffic to the Pix except for what it protects behind it. Or you can use another interface on the Pix to terminate the VPNs that is not the default-route interface. This allows packets from VPN clients to enter one interface and exit on another as necessary.

eppiet Mon, 06/16/2003 - 14:05

I have already enabled split-tunnel.

access-list splitTunnelAcl permit ip any any


Do I need to specify more on the split tunnel?

shannong Mon, 06/16/2003 - 19:21

You "enabled" the feature, but you're telling your clients to send everything to you with the "any any", which functionally is the same as no split-tunnel feature. Make the ACL more specific. If your inside network is 192.168.1.0/24, for example, your split-tunnel ACL would look like this:


access-list splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any


Any permit statement allows traffic on the tunnel, while a deny means don't send the traffic to the VPN gateway. Anything that is denied is not tunneled and is sent out the client's "normal" default gateway and thus not to your Pix.
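To make the permit/deny rule above concrete, here is an added Python model (not from this thread or from Cisco) of how a PIX-style split-tunnel ACL decides whether a client packet is tunneled: the client's destination is matched against the ACL's source side, first match wins, and no match is the implicit deny. The ACL text and the addresses are constructed samples; it also includes a small audit check that flags an "any any" ACL as effectively full-tunnel, which is the problem the answer describes.

```python
import ipaddress

# Handles the address forms that matter for a split-tunnel ACL:
# "any", "host <addr>", or "<addr> <subnet-mask>" (PIX 6.x uses real
# subnet masks such as 255.255.255.0, not wildcard masks).
def _parse_addr(tokens):
    """Consume one address spec from tokens; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(lines, name):
    """Return [(action, src_net, dst_net)] for every 'access-list <name> ... ip' line.
    Lines naming a different ACL are ignored, which is what a typo in the name does."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != name:
            continue
        action, proto = t[2], t[3]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled here: {line}")
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries

def tunneled(entries, dst_ip):
    """Split-tunnel decision for a packet the client sends to dst_ip.
    The ACL source side is the protected (inside) network; a permit tunnels the
    packet to the PIX, a deny or no match (implicit deny) uses the local gateway."""
    ip = ipaddress.ip_address(dst_ip)
    for action, src, _dst in entries:
        if ip in src:
            return action == "permit"
    return False

def effectively_full_tunnel(entries):
    """Audit check: a permit whose protected side is 'any' tunnels everything,
    including internet traffic, so split tunneling is enabled in name only."""
    return any(action == "permit" and src.prefixlen == 0 for action, src, _ in entries)

# Constructed sample ACLs: the poster's original line and the corrected one.
FULL_ACL = ["access-list splitTunnelAcl permit ip any any"]
SPLIT_ACL = ["access-list splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any"]
```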
