Cisco Support Community
VPN Client to Pix, Web Browsing

I have set up a Pix to accept VPN connections from Cisco VPN clients. This is working. However, when I want to browse the Internet, I am unable to do this. Is there a trick to getting traffic turned back around the same interface that I am terminating my VPN clients to? Below are relevant parts of the config.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 101 remark Authentication exclusion list
access-list 101 deny icmp any any
access-list 101 deny ip host any
access-list 101 deny ip host any
access-list 101 deny ip host any
access-list 101 deny udp host any eq domain
access-list 101 deny tcp host any eq domain
access-list 101 remark Authentication ports
access-list 101 permit ip any any
access-list nonat permit ip
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.27
ip address inside
ip local pool vpnpool mask
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
static (inside,outside) x.x.x.28 netmask 0 0
static (inside,outside) x.x.x.29 netmask 0 0
conduit permit icmp any any
conduit permit tcp host x.x.x.28 eq lotusnotes any
conduit permit tcp host x.x.x.29 eq lotusnotes any
route outside x.x.x.25 1
route inside 1
route inside 1
timeout xlate 1:00:00
timeout conn 0:10:00 half-closed 0:05:00 udp 0:02:00 rpc 0:05:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:00:00 absolute uauth 1:00:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host internet timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server AuthOutbound protocol tacacs+
aaa-server AuthOutbound max-failed-attempts 3
aaa-server AuthOutbound deadtime 10
aaa-server AuthOutbound (inside) host abc123 timeout 60
aaa-server SUCHRADIUS protocol radius
aaa-server SUCHRADIUS max-failed-attempts 3
aaa-server SUCHRADIUS deadtime 10
aaa-server SUCHRADIUS (inside) host abc123 timeout 60
aaa authentication match 101 inside AuthOutbound
floodguard enable
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap client authentication SUCHRADIUS
crypto map vpnmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
vpngroup CLIENTVPN address-pool vpnpool
vpngroup CLIENTVPN dns-server
vpngroup CLIENTVPN default-domain
vpngroup CLIENTVPN idle-time 1800
vpngroup CLIENTVPN password ********
telnet inside
telnet inside

Re: VPN Client to Pix, Web Browsing

This function is only available on pix/asa version 7.

You can use split tunneling in version 6.
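An added configuration example, not taken from either post, showing the two options the reply names: split tunneling on PIX 6.3 and U-turning (hairpinning) client Internet traffic on PIX/ASA 7.x. The inside LAN (10.1.0.0/24) and the vpnpool range (10.9.9.0/24) are constructed placeholders, since the original post's addresses were not preserved; the group name CLIENTVPN and the nonat list come from the posted config.

```cisco
! ===== PIX 6.3: split tunneling (what the reply recommends for 6.x) =====
! Constructed addresses: 10.1.0.0/24 = inside LAN, 10.9.9.0/24 = vpnpool.
! Only destinations listed in the split-tunnel ACL are sent through the tunnel;
! the client reaches the Internet directly from its own connection. Trade-off:
! that browsing traffic is no longer inspected or logged by the PIX, and the
! client is reachable from the Internet while the tunnel is up.
access-list split_tunnel permit ip 10.1.0.0 255.255.255.0 10.9.9.0 255.255.255.0
access-list nonat permit ip 10.1.0.0 255.255.255.0 10.9.9.0 255.255.255.0
nat (inside) 0 access-list nonat
vpngroup CLIENTVPN address-pool vpnpool
vpngroup CLIENTVPN split-tunnel split_tunnel
! Decrypted client traffic bypasses the interface ACL/conduits on 6.3 only
! with this sysopt (assumed needed here; it is not in the posted config).
sysopt connection permit-ipsec

! ===== PIX/ASA 7.x: hairpin the client's Internet traffic (not on 6.3) =====
! All client traffic stays in the tunnel and is re-sent out the outside
! interface, so the firewall's policy still applies to web browsing.
same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.1.0.0 255.255.255.0 10.9.9.0 255.255.255.0
nat (inside) 0 access-list nonat
global (outside) 1 interface
! PAT the VPN pool to the outside address when it leaves via outside again.
nat (outside) 1 10.9.9.0 255.255.255.0
```

On 7.x, "show nat" and "show xlate" confirm that pool addresses are being translated on the outside interface when a client browses; on 6.3 the Cisco VPN Client's statistics window shows which routes are "secured" once the split-tunnel list is pushed.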
