Cisco Support Community

Bronze

vpn client but no internal or internet access

Hello,

I have configured the client VPN on a PIX 515E and the users can connect successfully, but they don't get any internal access to any servers and also cannot browse the internet.

My config is as follows:

ip address outside 213.2.3.4 255.255.255.240

ip address inside 172.20.4.60 255.255.0.0

access-list nonat permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0

access-list 120 permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0

ip local pool vpnclient 192.168.1.1-192.168.1.2

route inside 192.168.1.0 255.255.255.0 172.20.4.1 1

sysopt connection permit-ipsec

crypto ipsec transform-set vpn esp-aes-256 esp-sha-hmac

crypto dynamic-map dynmap 30 set transform-set vpn

crypto map transam 1 ipsec-isakmp

crypto map transam interface outside

isakmp nat-traversal 20

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption aes-256

isakmp policy 30 hash sha

isakmp policy 30 group 2

isakmp policy 30 lifetime 86400

vpngroup sec address-pool isnetvpn

vpngroup sec dns-server 172.20.1.10

vpngroup sec wins-server 172.20.1.10

vpngroup sec default-domain xyz.com

vpngroup sec split-tunnel 120

vpngroup sec idle-time 1800

vpngroup sec password ********

Any help would be great.

9 REPLIES
New Member

Re: vpn client but no internal or internet access

I think you need this:

nat (inside) 0 access-list nonat

access-list split permit ip 192.168.1.0 255.255.255.254 any

vpngroup sec split-tunnel split

David

Bronze

Re: vpn client but no internal or internet access

Hello,

Actually I already have nat (inside) 0 access-list nonat

I only forgot to paste it in the post. Secondly, I tried with

access-list split permit ip 192.168.1.0 255.255.255.254 any

vpngroup sec split-tunnel split

but no luck, still the same.

Green

Re: vpn client but no internal or internet access

What's this route for? That would include your vpn pool.

route inside 192.168.1.0 255.255.255.0 172.20.4.1 1

And shouldn't the split ACL be

access-list split permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0

Bronze

Re: vpn client but no internal or internet access

The route is for the PIX to know that it's local to it. Actually it didn't work, so I removed it.

And yes, the split is as you have written, but still no luck..

access-list split-vpn permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0

I cannot understand it: the connection works fine, and even on the PIX I see the tunnel is created and both phases are completed in syslog, yet I still can't access anything inside once connected. It must be something I am missing.

Any help would be really appreciated.

Green

Re: vpn client but no internal or internet access

Your VPN client pool name does not match what you have in your vpngroup:

ip local pool vpnclient 192.168.1.1-192.168.1.2

vpngroup sec address-pool isnetvpn

should be....

ip local pool isnetvpn 192.168.1.1-192.168.1.2

vpngroup sec address-pool isnetvpn

Bronze

Re: vpn client but no internal or internet access

Hello,

Sorry, that was a typo while writing on the forum... that is what it should be. Both are the same.

Green

Re: vpn client but no internal or internet access

Could you just post config then?

Bronze

Re: vpn client but no internal or internet access

Hello,

Config is attached.

Green

Re: vpn client but no internal or internet access

These are not correct... the source is wrong; it should be your inside network which you would like to cross the tunnel.

access-list nonat permit ip 1.2.3.4 255.255.0.0 192.168.1.0 255.255.255.0

access-list split-vpn permit ip 1.2.3.4 255.255.0.0 192.168.1.0 255.255.255.0
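Taken together, the replies in this thread amount to three consistency checks on a PIX client-VPN config: the vpngroup address-pool must name an existing ip local pool, no static route should cover the pool (the route would send pool traffic to the inside gateway instead of into the tunnel), and each nat 0 / split-tunnel ACL entry must run from the inside network to the pool, not the other way round. The script below is an added example, not code from this thread or from Cisco: it parses a constructed PIX 6.x-style config fragment (sample lines modelled on the thread, not the poster's attached config) and reports those three mismatches, then shows the corrected fragment passing clean. The parser understands only the handful of commands used here; its reading of their syntax is an assumption, not a full PIX grammar.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed sample reproducing the three problems raised in the thread:
# pool name mismatch, a route covering the pool, reversed split-tunnel ACL.
BROKEN_CONFIG = """
ip address inside 172.20.4.60 255.255.0.0
access-list nonat permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list split-vpn permit ip 192.168.1.0 255.255.255.0 172.20.0.0 255.255.0.0
ip local pool vpnclient 192.168.1.1-192.168.1.2
route inside 192.168.1.0 255.255.255.0 172.20.4.1 1
nat (inside) 0 access-list nonat
vpngroup sec address-pool isnetvpn
vpngroup sec split-tunnel split-vpn
"""

# Constructed corrected fragment: pool renamed, route removed, ACL source = inside net.
FIXED_CONFIG = """
ip address inside 172.20.4.60 255.255.0.0
access-list nonat permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list split-vpn permit ip 172.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
ip local pool isnetvpn 192.168.1.1-192.168.1.2
nat (inside) 0 access-list nonat
vpngroup sec address-pool isnetvpn
vpngroup sec split-tunnel split-vpn
"""

ANY = IPv4Network("0.0.0.0/0")


def _net(addr, mask):
    """Build a network from PIX 'address netmask' notation; 'any' means 0/0."""
    return ANY if addr == "any" else IPv4Network(f"{addr}/{mask}", strict=False)


def _take(toks):
    """Consume one ACL endpoint ('any' or 'addr mask') and return (net, rest)."""
    if toks[0] == "any":
        return ANY, toks[1:]
    return _net(toks[0], toks[1]), toks[2:]


def parse_config(text):
    """Minimal parser for the PIX commands relevant to client-VPN reachability (assumed syntax)."""
    cfg = {"inside": None, "acls": {}, "pools": {}, "routes": [], "nat0": None, "vpngroups": {}}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["ip", "address", "inside"] and len(t) >= 5:
            cfg["inside"] = _net(t[3], t[4])
        elif t[0] == "access-list" and len(t) >= 6 and t[2] == "permit" and t[3] == "ip":
            src, rest = _take(t[4:])
            dst, _ = _take(rest)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "local", "pool"] and len(t) >= 5:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (IPv4Address(lo), IPv4Address(hi))
        elif t[0] == "route" and len(t) >= 5:
            cfg["routes"].append((t[1], _net(t[2], t[3]), t[4]))
        elif t[:2] == ["nat", "(inside)"] and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"] = t[4]
        elif t[0] == "vpngroup" and len(t) >= 4:
            cfg["vpngroups"].setdefault(t[1], {})[t[2]] = t[3]
    return cfg


def _holds_pool(net, pools):
    """True if the network contains every address of at least one defined pool."""
    return any(lo in net and hi in net for lo, hi in pools.values())


def lint(text):
    """Return a list of human-readable findings; an empty list means the three checks pass."""
    cfg = parse_config(text)
    pools, inside = cfg["pools"], cfg["inside"]
    findings = []
    # 1. vpngroup address-pool must reference an existing 'ip local pool'.
    for grp, attrs in cfg["vpngroups"].items():
        pool = attrs.get("address-pool")
        if pool and pool not in pools:
            findings.append(f"vpngroup {grp}: address-pool '{pool}' is not defined "
                            f"(defined pools: {', '.join(pools) or 'none'})")
    # 2. A static route covering the pool diverts client traffic away from the tunnel.
    for name, (lo, hi) in pools.items():
        for iface, net, gw in cfg["routes"]:
            if lo in net or hi in net:
                findings.append(f"route {iface} {net} via {gw} covers pool '{name}'; "
                                f"remove it so pool traffic stays in the tunnel")
    # 3. nat 0 and split-tunnel ACL entries run inside-network -> pool, never reversed.
    roles = [("nat 0", cfg["nat0"])] if cfg["nat0"] else []
    roles += [(f"vpngroup {g} split-tunnel", a["split-tunnel"])
              for g, a in cfg["vpngroups"].items() if "split-tunnel" in a]
    for role, acl in roles:
        entries = cfg["acls"].get(acl)
        if entries is None:
            findings.append(f"{role} references access-list '{acl}', which has no entries")
            continue
        for src, dst in entries:
            tag = f"{role} access-list '{acl}' entry {src} -> {dst}"
            if _holds_pool(src, pools) and not _holds_pool(dst, pools):
                findings.append(f"{tag}: source/destination look reversed; "
                                f"source should be the inside network, destination the VPN pool")
            elif not _holds_pool(dst, pools):
                findings.append(f"{tag}: destination does not cover the VPN pool")
            elif inside is not None and src != ANY and not src.subnet_of(inside):
                findings.append(f"{tag}: source is not within the inside network {inside}")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for line in lint(cfg_text) or ["no findings"]:
            print("  " + line)
```

Running the script prints three findings for the broken fragment and none for the fixed one. The direction check deliberately treats a destination of "any" as covering the pool, so the "permit ip <inside> any" style of nat 0 entry is not flagged, while an entry whose source is the pool is.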
