cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
916
Views
14
Helpful
18
Replies

PIX and ASA VPN question

techtips03
Level 1
Level 1

Hi

I have a remote user logging into a PIX506E through Microsoft Windows PPTP client. And once on VPN, he is not able to access his Internet. I believe it is a characteristic of software VPN but is there anyway he can browse the Internet changing routing tables etc or which way is best to go with?

As an alternative, if I use ASA unit, I know this doesnt support PPTP and wanted to know if there is another way to go with other than using Cisco VPN client.

Typically, I would like to use PIX506E without additional VPN client and able to browse the Internet if possible.

Please advise

1 Accepted Solution

Accepted Solutions

Ok 2 things one, yes you are correct that you need an ACL for your Remote clients but that is a standard access list like the one above. Secondly you do need to add the remote VPN IP space to your existing nonat access list. DO NOT remove your others just add the IP space you are using for your VPN clients. example below

access-list nonat permit ip (Internal addresss space) (VPN client DHCP address space)

View solution in original post

18 Replies 18

Richard Burts
Hall of Fame
Hall of Fame

What version of code is the PIX running. In PIX code up through 6.3.5 one of the characteristics of the PIX is that it will not forward traffic out the interface on which it was received. The result of this is that a user who connects via VPN and comes in through the outside/public interface can not be forwarded back out the outside/public interface to access the Internet.

In release 7 and later Cisco introduced an optional feature which allows the PIX to forward back out the same interface. So if the PIX is currently running earlier than 7 code the behavior that you are experiencing is expected behavior. If you upgrade to version 7 code you may be able to get around this.

HTH

Rick

HTH

Rick

Hi Rick

Thanks for the response. But I dont think PIX506E doesnt support 7.0 version.

Any other ideas on this or should I go for L2TP or through Cisco VPN client and configure split tunneling?

Thanks

You're right. The 506E doesn't support v7. We use the Cisco Client with split tunneling.

Wes

palomoj
Level 1
Level 1

Its not a PIX configuration, its a PPTP client configuration. If you uncheck the box where it says to use the default gateway on the remote network (TCPIP properties) you will have split tunneling via the client.

Yes, I tried PPTP configuration with unchecking the default gateway. I guess I was able to browse but definitely not able to do anything on VPN. So it seems that either one of them only work.

And if I want to go for split tunneling, I should definitely use Cisco VPN client right?

Just to add I already have a VPN tunnel between 2 locations and will have to give remote access to the users from home.

And is this link good enough to follow.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml

The problem with just unchecking the Default Gateway box is that the client maybe confused about which traffic should go through the VPN and which traffic should not. In the example that you referenced, the command "vpngroup vpn3000 split-tunnel 101" uses access list 101 to define which traffic should travel over the VPN.

You don't have to use the Cisco client. There are other ones out there that will split tunnel. It just that the Cisco client is what I/we know.

Wes

Hi Wes

Thanks for your response. So I understand that I have to go for any VPN client and configure Split tunnel on PIX/ASA units. I would probably go for Cisco VPN client instead of others.

As I mentioned that I have a site-site VPN as well along with remote client VPN. Can you please confirm if this config works.

Here is the config below. I already have site-site config as below and works fine.

access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0

access-list 102 permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map VPN 1 ipsec-isakmp

crypto map VPN 1 match address 102

crypto map VPN 1 set pfs

crypto map VPN 1 set peer x.x.x.x

crypto map VPN 1 set transform-set myset

crypto map VPN interface outside

isakmp enable outside

isakmp key ******* address x.x.x.x netmask 255.255.255.255 no-xauth

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash sha

isakmp policy 1 group 1

isakmp policy 1 lifetime 3200

Can you please confirm adding below config for remote VPN works well along with site-site VPN.

ip local pool vpn-clients 192.168.2.10-192.168.2.50

access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0

vpngroup vpn3000 split-tunnel nonat

crypto dynamic-map dynmap 1 set transform-set myset

crypto map VPN 20 ipsec-isakmp dynamic dynmap

vpngroup vpn3000 address-pool ippool

vpngroup vpn3000 dns-server 10.10.10.2

vpngroup vpn3000 wins-server 10.10.10.2

vpngroup vpn3000 default-domain cisco.com

vpngroup vpn3000 idle-time 1800

vpngroup vpn3000 password ********

Couple of questions here

As I am using acl 'nonat' for both site-site and remote VPN and using the same acl for split tunnel, does nonat acl conflict with site-site command

access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0

And can I just use group1 and sha (hash) for remote VPN client? I see some docs show that I should only use group2.

Yes, it conflicts. Name the acl "access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0 " to something else.

You can use which ever DH group you want as long as both ends support it. Some of the Cisco clients and devices don't support DH group1. I think that's what you're seeing in the docs.

I'll only check in once more today and then it's home for the holidays. Good luck and have a great Christmas.

Wes

Please rate the posts if they are helpful.

Thank you. I thought it would create a problem and I dont understand something here. As both site-site and remote VPN need nat 0 command, I belive PIX/ASA accepts only 1 nat0 command and if I add the second one, I remember the first one is deleted.

access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0 - site-site

access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0 - remote

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (inside) 0 access-list nonat - site-site

nat (inside) 0 access-list 100 - remote and I guess I cant add this? So where do I apply acl 100 for nat 0 command

vpngroup vpn3000 split-tunnel 100

Do you have this setup in place? If so can you please send me the sample config. I dont think I need an outage to have this in place right?

And if I use ASA, "same security intra-interface" add any benefit?

Thanks

You only need to have 1 nat 0 acl. As you found out you can't add another.

Then I dont think it works for VPN group to access Internet when connected to VPN

I shouldn't try to answer questions when I'm in a hurry. Sorry.

I can't get to our equipment know, so this is off the top of my head. You are right. Only one nat0 is allowed. Rename the second nonat acl. So it should look like:

access-list vpn permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0

vpngroup vpn3000 split-tunnel vpn

Wes

This should fix you...

!

isakmp policy 2 authentication pre-share

isakmp policy 2 encryption des

isakmp policy 2 hash sha

isakmp policy 2 group 2

!

access-list SPLIT permit 10.10.10.0 255.255.255.0

!

no vpngroup vpn3000 split-tunnel nonat

!

vpngroup vpn3000 split-tunnel SPLIT

!

isakmp nat-traversal

!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: