New Member

PIX and ASA VPN question

Hi

I have a remote user logging into a PIX506E through the Microsoft Windows PPTP client. Once on the VPN, he is not able to access the Internet. I believe it is a characteristic of software VPN, but is there any way he can browse the Internet (by changing routing tables, etc.), or which way is best to go?

As an alternative, if I use an ASA unit, I know this doesn't support PPTP, and I wanted to know if there is another way to go other than using the Cisco VPN client.

Ideally, I would like to use the PIX506E without an additional VPN client and be able to browse the Internet, if possible.

Please advise


18 REPLIES
Hall of Fame Super Gold

Re: PIX and ASA VPN question

What version of code is the PIX running? In PIX code up through 6.3.5, one of the characteristics of the PIX is that it will not forward traffic out the interface on which it was received. The result of this is that a user who connects via VPN and comes in through the outside/public interface cannot be forwarded back out the outside/public interface to access the Internet.

In release 7 and later, Cisco introduced an optional feature which allows the PIX to forward back out the same interface. So if the PIX is currently running code earlier than 7, the behavior that you are experiencing is expected behavior. If you upgrade to version 7 code, you may be able to get around this.

HTH

Rick

New Member

Re: PIX and ASA VPN question

Hi Rick

Thanks for the response. But I don't think the PIX506E supports version 7.0.

Any other ideas on this, or should I go for L2TP or the Cisco VPN client and configure split tunneling?

Thanks

New Member

Re: PIX and ASA VPN question

You're right. The 506E doesn't support v7. We use the Cisco Client with split tunneling.

Wes

New Member

Re: PIX and ASA VPN question

It's not a PIX configuration, it's a PPTP client configuration. If you uncheck the box that says to use the default gateway on the remote network (TCP/IP properties), you will have split tunneling via the client.

New Member

Re: PIX and ASA VPN question

Yes, I tried the PPTP configuration with the default gateway unchecked. I guess I was able to browse, but definitely not able to do anything on the VPN. So it seems that only one of them works.

And if I want to go for split tunneling, I should definitely use the Cisco VPN client, right?

Just to add, I already have a VPN tunnel between 2 locations and will have to give remote access to the users from home.

And is this link good enough to follow?

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml

New Member

Re: PIX and ASA VPN question

The problem with just unchecking the Default Gateway box is that the client may be confused about which traffic should go through the VPN and which traffic should not. In the example that you referenced, the command "vpngroup vpn3000 split-tunnel 101" uses access list 101 to define which traffic should travel over the VPN.

You don't have to use the Cisco client. There are other ones out there that will split tunnel. It's just that the Cisco client is what I/we know.

Wes

New Member

Re: PIX and ASA VPN question

Hi Wes

Thanks for your response. So I understand that I have to go for a VPN client and configure split tunneling on the PIX/ASA units. I would probably go for the Cisco VPN client instead of others.

As I mentioned, I have a site-to-site VPN as well, along with the remote client VPN. Can you please confirm if this config works?

New Member

Re: PIX and ASA VPN question

Here is the config below. I already have the site-to-site config below and it works fine.

access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list 102 permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map VPN 1 ipsec-isakmp
crypto map VPN 1 match address 102
crypto map VPN 1 set pfs
crypto map VPN 1 set peer x.x.x.x
crypto map VPN 1 set transform-set myset
crypto map VPN interface outside
isakmp enable outside
isakmp key ******* address x.x.x.x netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 3200

Can you please confirm that adding the config below for remote VPN works well along with the site-to-site VPN?

ip local pool vpn-clients 192.168.2.10-192.168.2.50
access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
vpngroup vpn3000 split-tunnel nonat
crypto dynamic-map dynmap 1 set transform-set myset
crypto map VPN 20 ipsec-isakmp dynamic dynmap
vpngroup vpn3000 address-pool vpn-clients
vpngroup vpn3000 dns-server 10.10.10.2
vpngroup vpn3000 wins-server 10.10.10.2
vpngroup vpn3000 default-domain cisco.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********

A couple of questions here:

As I am using ACL 'nonat' for both site-to-site and remote VPN, and using the same ACL for split tunneling, does the nonat ACL conflict with the site-to-site command below?

access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0

And can I just use group 1 and SHA (hash) for the remote VPN client? I see some docs showing that I should only use group 2.

New Member

Re: PIX and ASA VPN question

Yes, it conflicts. Rename the ACL "access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0" to something else.

You can use whichever DH group you want as long as both ends support it. Some of the Cisco clients and devices don't support DH group 1. I think that's what you're seeing in the docs.

I'll only check in once more today and then it's home for the holidays. Good luck and have a great Christmas.

Wes

Please rate the posts if they are helpful.

New Member

Re: PIX and ASA VPN question

Thank you. I thought it would create a problem, and I don't understand something here. As both site-to-site and remote VPN need the nat 0 command, I believe the PIX/ASA accepts only 1 nat 0 command, and if I add the second one, I remember the first one is deleted.

access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0 - site-to-site
access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0 - remote
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list nonat - site-to-site
nat (inside) 0 access-list 100 - remote, and I guess I can't add this? So where do I apply ACL 100 for the nat 0 command?
vpngroup vpn3000 split-tunnel 100

Do you have this setup in place? If so, can you please send me the sample config? I don't think I need an outage to put this in place, right?

And if I use an ASA, does "same security intra-interface" add any benefit?

Thanks

Green

Re: PIX and ASA VPN question

You only need to have 1 nat 0 acl. As you found out you can't add another.

New Member

Re: PIX and ASA VPN question

Then I don't think it works for the VPN group to access the Internet when connected to the VPN.

New Member

Re: PIX and ASA VPN question

I shouldn't try to answer questions when I'm in a hurry. Sorry.

I can't get to our equipment now, so this is off the top of my head. You are right. Only one nat 0 is allowed. Rename the second nonat ACL. So it should look like:

access-list vpn permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
vpngroup vpn3000 split-tunnel vpn

Wes

New Member

Re: PIX and ASA VPN question

This should fix you...

!
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption des
isakmp policy 2 hash sha
isakmp policy 2 group 2
!
access-list SPLIT permit 10.10.10.0 255.255.255.0
!
no vpngroup vpn3000 split-tunnel nonat
!
vpngroup vpn3000 split-tunnel SPLIT
!
isakmp nat-traversal
!

New Member

Re: PIX and ASA VPN question

Thanks all for your replies. I hope everyone had a great Christmas!

From all the above replies, I understand that I do not need a "nat (inside) 0 access-list ---" command for the remote client VPN config and I just need "nat (inside) 0 access-list nonat" (only for my site-to-site VPN). So how are we telling the ASA to avoid NAT on IPsec packets for remote clients?

I am following the link below, which is an example for remote client VPN access only, and I see these commands in place: "nat (inside) 0 access-list 101" and "access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0", which tells me that NAT is avoided for IPsec packets for remote clients.

http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml

Did I understand right? I will be configuring this in the first week of the New Year and will rate all the posts.

Thanks for all your time. You guys are of great help as always.

New Member

Re: PIX and ASA VPN question

Can someone please advise on this?

Thanks

New Member

Re: PIX and ASA VPN question

Ok, 2 things. One, yes, you are correct that you need an ACL for your remote clients, but that is a standard access list like the one above. Secondly, you do need to add the remote VPN IP space to your existing nonat access list. DO NOT remove your others; just add the IP space you are using for your VPN clients. Example below:

access-list nonat permit ip (Internal address space) (VPN client DHCP address space)
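The two pitfalls this thread works through are the single `nat (inside) 0` binding (a second one replaces the first, so the site-to-site and remote-client subnets have to share one ACL) and a `vpngroup` that points at a pool or ACL that does not exist. The script below is an added example, not part of the thread or any Cisco tool: it lints a PIX 6.x-style config for exactly those mistakes, using the addresses posted above as a constructed sample. The parser only understands the handful of command forms used in the thread, and the "last `nat 0` binding wins" behaviour is an assumption modelled on what the poster reported.

```python
"""Lint a PIX 6.x-style configuration for the remote-access VPN pitfalls
discussed in the thread: a second 'nat 0' line, a VPN client pool that the
NAT-exemption ACL does not cover, and vpngroup lines that reference an
undefined pool or ACL.  Added example, not a Cisco tool; the parser only
understands the command forms the thread uses."""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
VPNGROUP_RE = re.compile(r"^vpngroup (\S+) (address-pool|split-tunnel) (\S+)$")

# Constructed sample: the poster's layout with only the site-to-site
# exemption in 'nonat'.  The client pool 192.168.2.x is not covered yet.
CONFIG_BEFORE = """\
ip local pool vpn-clients 192.168.2.10-192.168.2.50
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list 102 permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list SPLIT permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
vpngroup vpn3000 address-pool vpn-clients
vpngroup vpn3000 split-tunnel SPLIT
"""

# The accepted fix: keep the one nat 0 ACL and add the client space to it.
CONFIG_AFTER = CONFIG_BEFORE + (
    "access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0\n")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Collect ACL entries, nat 0 bindings, local pools and vpngroup attributes."""
    cfg = {"acls": {}, "nat0": [], "pools": {}, "vpngroups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            cfg["acls"].setdefault(name, []).append((_net(src, smask), _net(dst, dmask)))
        elif m := NAT0_RE.match(line):
            cfg["nat0"].append((m.group(1), m.group(2)))
        elif m := POOL_RE.match(line):
            name, first, last = m.groups()
            cfg["pools"][name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif m := VPNGROUP_RE.match(line):
            group, attr, value = m.groups()
            cfg["vpngroups"].setdefault(group, {})[attr] = value
    return cfg


def pool_is_nat_exempt(cfg, pool_name, iface="inside"):
    """True if the whole pool appears as a destination in the nat 0 ACL bound
    to iface.  Only the last binding counts (assumption: the thread reports
    that a second 'nat (inside) 0' line replaces the first)."""
    first, last = cfg["pools"][pool_name]
    bindings = [acl for i, acl in cfg["nat0"] if i == iface]
    if not bindings:
        return False
    entries = cfg["acls"].get(bindings[-1], [])
    return any(first in dst and last in dst for _src, dst in entries)


def split_tunnel_networks(cfg, group):
    """Networks the client routes into the tunnel: the source side of the
    group's split-tunnel ACL.  Everything else uses the client's own link."""
    acl = cfg["vpngroups"].get(group, {}).get("split-tunnel")
    return sorted({str(src) for src, _dst in cfg["acls"].get(acl, [])})


def lint(cfg):
    """Return human-readable findings; an empty list means the config is consistent."""
    findings = []
    per_iface = {}
    for iface, acl in cfg["nat0"]:
        per_iface.setdefault(iface, []).append(acl)
    for iface, acls in per_iface.items():
        if len(acls) > 1:
            findings.append(f"nat ({iface}) 0 bound to {len(acls)} ACLs "
                            f"({', '.join(acls)}); only one is kept, merge them")
        for acl in acls:
            if acl not in cfg["acls"]:
                findings.append(f"nat ({iface}) 0 references undefined ACL {acl}")
    for group, attrs in cfg["vpngroups"].items():
        pool = attrs.get("address-pool")
        if pool not in cfg["pools"]:
            findings.append(f"vpngroup {group}: address-pool {pool} is not defined")
        elif not pool_is_nat_exempt(cfg, pool):
            findings.append(f"vpngroup {group}: pool {pool} is not covered by the nat 0 ACL")
        split = attrs.get("split-tunnel")
        if split is not None and split not in cfg["acls"]:
            findings.append(f"vpngroup {group}: split-tunnel ACL {split} is not defined")
    return findings


if __name__ == "__main__":
    for label, text in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        cfg = parse_config(text)
        print(label, lint(cfg) or "clean",
              "tunnelled:", split_tunnel_networks(cfg, "vpn3000"))
```

Run it as-is and the "before" config reports that pool `vpn-clients` is not covered by the nat 0 ACL, while the "after" config is clean and shows `10.10.10.0/24` as the only network the client sends through the tunnel; feeding it a config with a second `nat (inside) 0` line, or with `address-pool ippool` when the pool is named `vpn-clients`, produces the corresponding finding.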

New Member

Re: PIX and ASA VPN question

That is right. I got this configured and came to know that I need to add

access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0

The VPN works, I also have access to the Internet, and PPTP works as well.
