PIX and ASA VPN question

techtips03
Level 1

Hi

I have a remote user logging into a PIX506E through the Microsoft Windows PPTP client. Once on the VPN, he is not able to access the Internet. I believe it is a characteristic of software VPN, but is there any way he can browse the Internet by changing routing tables, etc., or which way is best to go with?

As an alternative, if I use an ASA unit, I know this doesn't support PPTP and wanted to know if there is another way to go other than using the Cisco VPN client.

Typically, I would like to use the PIX506E without an additional VPN client and be able to browse the Internet if possible.

Please advise

18 Replies

Thanks all for your replies. I hope everyone had a great Christmas!

From all the above replies, I understand that I do not need "nat (inside) 0 access-list ---" command for remote client VPN config and I just need "nat (inside) 0 access-list nonat" (only for my site-site VPN). So how are we telling the ASA to avoid NAT on IPSEC packets for remote clients?

I am following this link below, which is an example for only remote client VPN access, and I see these commands in place: "nat (inside) 0 access-list 101" & "access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0", which tells me that NAT is avoided for IPSEC packets for remote clients.

http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml

Did I understand right? I will be configuring this in the first week of the New Year and will rate all the posts.

Thanks for all your time. You guys are of great help as always.

Can someone please advise on this?

Thanks

Ok, two things. One, yes, you are correct that you need an ACL for your remote clients, but that is a standard access list like the one above. Secondly, you do need to add the remote VPN IP space to your existing nonat access list. DO NOT remove your others, just add the IP space you are using for your VPN clients. Example below:

access-list nonat permit ip (internal address space) (VPN client DHCP address space)

That is right. I got this configured and I came to know that I need to add

access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0

VPN works and I also have access to the Internet, and PPTP works as well.
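As an added example (not code from the thread or from Cisco), the check the posts above converge on can be scripted: parse the ACL bound by `nat (inside) 0 access-list`, and for each `ip local pool` report whether inside-to-pool traffic is NAT-exempt and, if not, which nonat entry is missing. The configuration fragment and its addressing are constructed for the example; the inside network is passed in as an assumption.

```python
import ipaddress
# Constructed PIX 6.x fragment (assumed addressing, not from the thread): the site-to-site
# exemption is present but the remote-access pool has not been added to nonat yet.
SAMPLE_CONFIG = """\
ip address inside 10.10.10.1 255.255.255.0
ip local pool vpnpool 192.168.2.1-192.168.2.254
access-list nonat permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
"""

def _take_net(tokens):
    """Consume one PIX address spec ('any' or 'ADDR MASK') from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def nonat_exemptions(cfg):
    """Return (acl_name, [(src, dst), ...]) for the ACL bound by 'nat (inside) 0'."""
    lines = [ln.split() for ln in cfg.splitlines()]
    acl = next((t[4] for t in lines if t[:4] == ["nat", "(inside)", "0", "access-list"]), None)
    pairs = []
    for t in lines:
        if acl and t[:4] == ["access-list", acl, "permit", "ip"]:
            rest = t[4:]
            pairs.append((_take_net(rest), _take_net(rest)))
    return acl, pairs

def audit_vpn_pools(cfg, inside_net):
    """One report per 'ip local pool': is inside->pool traffic NAT-exempt, and if not, which
    entry is missing. 'too_broad' flags an 'any' entry, which would also exempt Internet-bound
    traffic from the interface PAT (the advice above is to add only the client pool)."""
    inside = ipaddress.ip_network(inside_net, strict=False)
    acl, pairs = nonat_exemptions(cfg)
    too_broad = any(0 in (s.prefixlen, d.prefixlen) for s, d in pairs)
    report = []
    for tok in (ln.split() for ln in cfg.splitlines()):
        if tok[:3] != ["ip", "local", "pool"]:
            continue
        lo, hi = (ipaddress.ip_address(a) for a in tok[4].split("-"))
        net = ipaddress.ip_network(f"{lo}/32")  # grow to the smallest network holding the range
        while hi not in net:
            net = net.supernet()
        exempt = any(inside.subnet_of(s) and lo in d and hi in d for s, d in pairs)
        suggested = None if exempt else (f"access-list {acl or 'nonat'} permit ip "
            f"{inside.network_address} {inside.netmask} {net.network_address} {net.netmask}")
        report.append({"pool": tok[4], "exempt": exempt, "suggested": suggested,
                       "too_broad": too_broad})
    return report
```

Running `audit_vpn_pools(SAMPLE_CONFIG, "10.10.10.0/24")` on the constructed fragment reports the pool as not exempt and suggests exactly the nonat line the thread ended up adding.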
