VPN client connects to the remote PIX, but has no access to the inside LAN

volgaprbb
Level 1

The VPN client (version 4.7.00.0533) connects to the PIX 501; authentication and login pass correctly, but there is no access to the remote network 192.168.10.192 255.255.255.224.

The question is: why is there no access to the remote network through the VPN client from the workstation? The route print and the PIX config are below.


m.sir
Level 7

It looks like a NAT traversal issue...

Try the following command in global configuration mode:

isakmp nat-traversal 20

M.

Hope that helps, rate if it does.

Sorry for my intrusion...

I've the same problem on a Cisco PIX 515E 7.0.6 device..

And I've that command in global config mode..

My Win XP with the Cisco 4.6 client authenticates itself but can't ping any host of the remote LAN..

Please help me!

I attach my PIX config.

Thanks a lot.

Daniele

Hi Daniele,

Try to be more specific with the nat0 access list and include your inside network in it, so instead of:

access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0

Try:

access-list inside_nat0_outbound extended permit ip 192.168.32.0 255.255.255.0 192.168.10.0 255.255.255.0

I hope that this will help,

Shadi`

Hi Shadi,

Many thanks for your answer.

Unfortunately... it isn't the right way!

I've modified my PIX config as you told me; you can look at it, I've attached it here.

That config is fully working only if my Win XP client has a REAL INTERNET IP ADDRESS on the PPP network card.

If the client is behind a private network that is NATted to the outside, nothing works...

(tunnel up, but no traffic encrypted..)

I successfully make an IPsec VPN connection to the PIX using a Linux machine as client, BUT with a STATIC INTERNET IP ADDRESS, via vpnc (the Linux version of the Cisco client).

But if my XP client is behind a private network

(here in Italy many ISPs like H3G give a private, NATted IP on their UMTS cards..)

no traffic passes via the IPsec tunnel..

Obviously I have "isakmp nat-traversal 10" enabled on the PIX device!

Can you help me?

Thanks a lot.

Cheers.

daniele

Hi Daniele,

I think the split tunnel access list is written wrong here :)

A rule of thumb: the split tunnel access list should always contain the traffic to be secured, so we need the clients' IP pool as the source of the access list and the required secure networks as the destination. So our split tunnel access list should look like this:

access-list rem-vlg_splitTunnelAcl permit ip 10.10.100.0 255.255.255.0 192.168.10.192 255.255.255.224

Hope this will do it :)

Regards,

Shadi`

Hi Shadi,

Thanks for your reply!

My inside net is:

interface Ethernet1

speed 100

duplex full

nameif inside

security-level 100

ip address 192.168.32.253 255.255.255.0 standby 192.168.32.252

and my VPN pool address is:

ip local pool VPNPool 192.168.10.1-192.168.10.200 mask 255.255.255.0

So, as you told me, I think that my split tunnel ACL has to contain the line:

access-list VPN_splitTunnelAcl extended permit ip 192.168.10.0 255.255.255.0 192.168.32.0 255.255.255.0

I made the change on the PIX, but unfortunately the VPN is up but traffic doesn't work.

And another problem: in the client statistics window, I see 192.168.10.0 as the secured route..

(not the LAN IP addressing space, but the VPN pool.. is it correct?)

Shadi, why with my old PIX config (with the old wrong split tunnel ACL), if I have a public internet IP address on the dialup interface of the XP client, does everything work correctly and packets are passed?

Only if my XP client is sourced from a NO-NAT config.

Any explanation will be much appreciated.

Cheers

daniele
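An added check, not from the thread and not Cisco code, that parses the ACL lines quoted above with Python's ipaddress module. It lists the source networks of the split-tunnel ACL (the PIX pushes those to the client as secured routes, which is why 192.168.10.0 showed up in the statistics window) and confirms that the nat0 ACL exempts inside-to-pool traffic from translation. The ACL names and addresses are the ones posted in the thread; the second variant, with the split-tunnel entry written inside network first, is constructed for comparison.

```python
import ipaddress

def _aces(config):
    """Yield (acl_name, src_net, dst_net) for each 'permit ip' ACE in a PIX/ASA config fragment."""
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        name, i = t[1], 2
        if t[i] == "extended":
            i += 1
        if t[i:i + 2] != ["permit", "ip"]:
            continue
        i, nets = i + 2, []
        while i < len(t) and len(nets) < 2:      # two address specs: source, then destination
            if t[i] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
            elif t[i] == "host":
                nets.append(ipaddress.ip_network(t[i + 1])); i += 2
            else:                                 # "address mask" form, as written in the thread
                nets.append(ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False)); i += 2
        if len(nets) == 2:
            yield name, nets[0], nets[1]

def secured_routes(config, split_acl):
    """Networks the client installs as secured routes: the SOURCE side of each split-tunnel ACE."""
    return [str(src) for name, src, _ in _aces(config) if name == split_acl]

def nat0_exempts(config, nat0_acl, inside, pool):
    """True if some nat0 ACE covers inside -> pool, so replies to VPN clients are not NATted."""
    inside, pool = ipaddress.ip_network(inside), ipaddress.ip_network(pool)
    return any(inside.subnet_of(src) and pool.subnet_of(dst)
               for name, src, dst in _aces(config) if name == nat0_acl)

# Constructed sample: the two ACL lines exactly as posted in the thread.
CONFIG_AS_POSTED = """
access-list inside_nat0_outbound extended permit ip 192.168.32.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN_splitTunnelAcl extended permit ip 192.168.10.0 255.255.255.0 192.168.32.0 255.255.255.0
"""
# Constructed variant: same nat0 line, split-tunnel ACE with the inside network as source.
CONFIG_INSIDE_FIRST = """
access-list inside_nat0_outbound extended permit ip 192.168.32.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN_splitTunnelAcl extended permit ip 192.168.32.0 255.255.255.0 192.168.10.0 255.255.255.0
"""

if __name__ == "__main__":
    print("secured routes, as posted:   ", secured_routes(CONFIG_AS_POSTED, "VPN_splitTunnelAcl"))
    print("secured routes, inside first:", secured_routes(CONFIG_INSIDE_FIRST, "VPN_splitTunnelAcl"))
    print("nat0 exempts inside->pool:   ", nat0_exempts(CONFIG_AS_POSTED, "inside_nat0_outbound",
                                                        "192.168.32.0/24", "192.168.10.0/24"))
```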

Solved.

My XP client has many problems.

On another computer everything works correctly with the original config.

Thanks to everybody.

Cheers

daniele
