08-16-2006 02:31 AM
The VPN client (version 4.7.00.0533) connects to the PIX501, authentication and join pass properly, but there is no access to the remote network 192.168.10.192 255.255.255.224.
The question is: why is there no access to the remote network through the VPN client from the workstation? The route print and PIX config are below.
08-16-2006 04:25 AM
It looks like a NAT traversal issue...
Try the following command in global configuration mode:
isakmp nat-traversal 20
M.
Hope that helps; rate if it does.
12-09-2006 02:15 PM
12-12-2006 04:50 AM
Hi Daniele,
Try to be more specific with the nat0 access list and include your inside network in it, so instead of:
access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
try:
access-list inside_nat0_outbound extended permit ip 192.168.32.0 255.255.255.0 192.168.10.0 255.255.255.0
I hope that this will help,
Shadi`
12-13-2006 02:27 PM
Hi Shadi,
Many thanks for your answer.
Unfortunately... it isn't the right way!
I've modified my PIX config as you told me; you can look at it, I've attached it here.
That config is fully working only if my Win XP client has a REAL INTERNET IP ADDRESS on the PPP network card.
If the client is behind a private network that is NATed to the outside, nothing works...
(tunnel up, but no traffic encrypted..)
I successfully made an IPsec VPN connection to the PIX using a Linux machine as client, BUT with a STATIC INTERNET IP ADDRESS, via vpnc (the Linux version of the Cisco client),
but if my XP client is behind a private network
(here in Italy many ISPs like H3G give private, NATed IPs on their UMTS cards..)
no traffic passes via the IPsec tunnel..
Obviously I have "isakmp nat-traversal 10" enabled on the PIX device!
Can you help me?
Thanks a lot.
Cheers.
Daniele
12-13-2006 10:58 PM
Hi Daniele,
I think the split tunnel access list is written wrong here :)
As a rule of thumb, the split tunnel access list should always contain the traffic to be secured, so we need the clients' IP pool as the source of the access list and the required secure networks as the destination, so our split tunnel access list should look like this:
access-list rem-vlg_splitTunnelAcl permit ip 10.10.100.0 255.255.255.0 192.168.10.192 255.255.255.224
Hope this will do it :)
Regards,
Shadi`
12-14-2006 07:09 AM
Hi Shadi,
Thanks for your reply!
My inside net is:
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.32.253 255.255.255.0 standby 192.168.32.252
and my VPN pool address is:
ip local pool VPNPool 192.168.10.1-192.168.10.200 mask 255.255.255.0
So, as you told me, I think that my split tunnel ACL has to contain the line:
access-list VPN_splitTunnelAcl extended permit ip 192.168.10.0 255.255.255.0 192.168.32.0 255.255.255.0
I made the change on the PIX, but unfortunately the VPN is up and traffic still doesn't work.
And another problem: in the client statistics window, I see 192.168.10.0 as the secured route..
(not the LAN IP addressing space, but the VPN pool.. is it correct?)
Shadi, why, with my old PIX config (with the old wrong split tunnel ACL), if I have a public internet IP address on the dialup interface of the XP client, does everything work correctly and packets pass?
Only if my XP client is sourced from a NO-NAT config.
Any explanation will be much appreciated.
Cheers
Daniele
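The two access lists argued over in this thread (the nat0 exemption list from Shadi's first reply and the split-tunnel list in Daniele's reply above) are easy to get subtly wrong, and the PIX gives no direct feedback when a flow falls outside them. As an added example (not code from the thread, from Cisco or from either poster), the Python below parses the exact ACL lines quoted above with the standard `ipaddress` module and answers three questions: does a given inside-to-client flow match the nat0 list (i.e. is it exempt from NAT and so returned through the tunnel unchanged), is the whole pool exempt for the whole inside network, and which networks a split-tunnel ACE would present to the client as secured routes. That last check reports the ACE's source networks, which is what the Cisco VPN client lists in its route details and matches what Daniele reports seeing (192.168.10.0). The host addresses 192.168.32.10, 192.168.10.5 and 10.0.0.1 are constructed sample values, and the function and variable names are this example's own.

```python
import ipaddress

# ACL lines quoted from the thread (PIX syntax:
#   access-list <name> [extended] permit ip <src> <smask> <dst> <dmask>)
NAT0_ORIGINAL = ("access-list inside_nat0_outbound extended permit ip "
                 "any 192.168.10.0 255.255.255.0")
NAT0_NARROWED = ("access-list inside_nat0_outbound extended permit ip "
                 "192.168.32.0 255.255.255.0 192.168.10.0 255.255.255.0")
SPLIT_TUNNEL = ("access-list VPN_splitTunnelAcl extended permit ip "
                "192.168.10.0 255.255.255.0 192.168.32.0 255.255.255.0")

# Inside network and VPN pool exactly as Daniele's config states them.
INSIDE_NET = ipaddress.ip_network("192.168.32.0/24")
VPN_POOL = ipaddress.ip_network("192.168.10.0/24")


def _network(addr, mask=None):
    """Turn a PIX address/mask pair (or 'any') into an ip_network."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_ace(line):
    """Parse one 'permit ip' ACE into (acl_name, src_net, dst_net).

    Handles the three address forms PIX accepts: 'any' (no mask token),
    'host A.B.C.D' (no mask token, implies /32) and 'A.B.C.D M.M.M.M'.
    """
    tokens = line.split()
    if tokens[:1] != ["access-list"] or "permit" not in tokens:
        raise ValueError(f"not a permit ACE: {line}")
    name = tokens[1]
    idx = tokens.index("permit")
    if tokens[idx + 1] != "ip":
        raise ValueError("only 'permit ip' ACEs are handled here")
    rest = tokens[idx + 2:]
    nets, i = [], 0
    while i < len(rest) and len(nets) < 2:
        tok = rest[i]
        if tok == "any":
            nets.append(_network("any"))
            i += 1
        elif tok == "host":
            nets.append(ipaddress.ip_network(rest[i + 1] + "/32"))
            i += 2
        else:
            nets.append(_network(tok, rest[i + 1]))
            i += 2
    if len(nets) != 2:
        raise ValueError(f"could not read source and destination in: {line}")
    return name, nets[0], nets[1]


def ace_matches(ace, src_ip, dst_ip):
    """True if the flow src_ip -> dst_ip is matched by this ACE."""
    _, src_net, dst_net = parse_ace(ace)
    return (ipaddress.ip_address(src_ip) in src_net
            and ipaddress.ip_address(dst_ip) in dst_net)


def nat_exempt(nat0_aces, src_ip, dst_ip):
    """True if an inside host's reply to a VPN client bypasses NAT, i.e. the
    flow matches at least one ACE of the nat0 list. A flow that does NOT match
    is translated and never re-enters the tunnel."""
    return any(ace_matches(a, src_ip, dst_ip) for a in nat0_aces)


def pool_fully_exempt(nat0_ace, inside_net, pool_net):
    """True if the ACE exempts every inside host talking to every pool address
    (both networks are contained in the ACE's source and destination)."""
    _, src_net, dst_net = parse_ace(nat0_ace)
    return inside_net.subnet_of(src_net) and pool_net.subnet_of(dst_net)


def secured_routes(split_ace):
    """Networks the client would show as secured routes for this split-tunnel
    ACE: the ACE's source network(s)."""
    _, src_net, _ = parse_ace(split_ace)
    return [str(src_net)]


if __name__ == "__main__":
    for label, ace in (("original", NAT0_ORIGINAL), ("narrowed", NAT0_NARROWED)):
        print(f"nat0 {label}: inside->pool fully exempt:",
              pool_fully_exempt(ace, INSIDE_NET, VPN_POOL))
        print(f"nat0 {label}: 10.0.0.1 -> 192.168.10.5 exempt:",
              nat_exempt([ace], "10.0.0.1", "192.168.10.5"))
    print("split-tunnel secured routes:", secured_routes(SPLIT_TUNNEL))
```

Running it shows that both nat0 versions exempt the whole inside network toward the pool, so narrowing the source from `any` to 192.168.32.0/24 only stops non-inside sources (such as the constructed 10.0.0.1) from being exempted; it cannot by itself explain traffic failing once NAT-T is in play. It also shows that the split-tunnel line as written hands the client 192.168.10.0/24, the pool, as its secured route, which is the symptom Daniele describes.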
12-15-2006 03:44 AM
Solved.
My XP client has many problems.
On another computer everything works correctly with the original config.
Thanks to everybody.
Cheers
Daniele