Access to outside from VPN

pelitti
Level 1

Hi,

I have a VPN from Desktop to PIX 506E 6.3(5).

I try to access the network on the outside interface from this VPN.

Split tunnel is configured OK; the traffic from the desktop is correctly directed to the PIX, but the log shows:

No route to 'outside_host' from 'vpn_host'.

Any idea?

Thank you,

Mauro

4 Replies

attrgautam
Level 5

Was it able to work without the split tunneling? What is the status of ISAKMP/IPsec on the PIX? Please post the relevant config.

VPN works fine;

without split tunnel I can access my outside, but not via VPN: the traffic is not encrypted.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname Pix506E-07
domain-name gurzo.com
access-list inbound permit udp any any eq isakmp
access-list inbound permit tcp any host 10.0.7.7
access-list inbound permit tcp any host 10.0.7.7 eq www
access-list 101 permit ip 10.0.7.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 101 permit ip 10.0.9.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 101 permit ip host 10.0.7.7 host 10.0.86.1
access-list 101 permit ip host 10.0.7.7 host 10.0.9.9
access-list 101 permit ip host 10.0.86.1 10.0.2.0 255.255.255.0
access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 20 permit ip 10.0.7.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 20 permit ip 10.0.9.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 20 permit ip host 10.0.86.1 10.0.2.0 255.255.255.0
access-list 20 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 20 permit ip 212.239.33.0 255.255.255.0 10.0.2.0 255.255.255.0
ip address outside 212.239.33.101 255.255.255.0
ip address inside 10.0.1.1 255.255.255.0
ip local pool vpnpool 10.0.2.20-10.0.2.30 mask 255.255.255.0
global (outside) 7 interface
nat (inside) 7 10.0.2.0 255.255.255.0 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 212.239.33.1 1
route inside 10.0.2.0 255.255.255.0 10.0.1.1 1
sysopt connection permit-ipsec
crypto ipsec transform-set TRANSET esp-des esp-md5-hmac
crypto dynamic-map DYNOMAP 10 set transform-set TRANSET
crypto map VPNCLIENT 20 ipsec-isakmp dynamic DYNOMAP
crypto map VPNCLIENT client authentication LOCAL
crypto map VPNCLIENT interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup gruppone address-pool vpnpool
vpngroup gruppone default-domain vpn.loc
vpngroup gruppone split-tunnel 20
vpngroup gruppone idle-time 1800
vpngroup xxxx password xxx
vpngroup domai idle-time 1800

Thanks,

Mauro

global (outside) 7 interface

nat (inside) 7 10.0.2.0 255.255.255.0 0 0

and access-list 20 permit ip 212.239.33.0 255.255.255.0 10.0.2.0 255.255.255.0

Can you remove this? You won't need to NAT your IP pool at all; it will get encrypted in IPsec.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172787.html

I tried to remove it, but it doesn't work.

I put this:

global (outside) 7 interface

nat (inside) 7 10.0.2.0 255.255.255.0 0 0

to permit my VPN client (10.0.2.x) to access the outside by PAT on the outside interface,

and I put

access-list 20 permit ip 212.239.33.0 255.255.255.0 10.0.2.0 255.255.255.0

to force my client to encrypt through the tunnel the traffic with destination 212.239.33.0/24.

Thanks,

Mauro
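A small audit check for the situation in this thread, added here as an example that is not part of the original posts or of any Cisco tooling. It parses a constructed excerpt of the posted config and reports two things: split-tunnel networks that sit on the outside interface's own subnet, so decrypted client traffic would have to leave back through the interface it arrived on (the U-turn the "No route" log points at; PIX 6.x does not forward such traffic), and nat statements covering the VPN pool, which the reply above asks to remove.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3(5) config posted in the thread (hypothetical
# input for this checker; only the lines the checks need are included).
PIX_CONFIG = """\
access-list 20 permit ip 10.0.7.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 20 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 20 permit ip 212.239.33.0 255.255.255.0 10.0.2.0 255.255.255.0
ip address outside 212.239.33.101 255.255.255.0
ip address inside 10.0.1.1 255.255.255.0
ip local pool vpnpool 10.0.2.20-10.0.2.30 mask 255.255.255.0
nat (inside) 7 10.0.2.0 255.255.255.0 0 0
vpngroup gruppone address-pool vpnpool
vpngroup gruppone split-tunnel 20
"""

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def interface_networks(cfg):
    """{interface name: connected subnet} from 'ip address <if> <addr> <mask>'."""
    return {m[1]: _net(m[2], m[3])
            for m in re.finditer(r"^ip address (\S+) (\S+) (\S+)$", cfg, re.M)}

def split_tunnel_networks(cfg, group):
    """Networks the client is told to tunnel: the *source* side of the
    vpngroup split-tunnel ACL (the destination side is the client pool)."""
    acl = re.search(rf"^vpngroup {group} split-tunnel (\S+)$", cfg, re.M)
    if acl is None:
        return []
    pat = rf"^access-list {acl[1]} permit ip (\S+) (\S+) \S+ \S+$"
    return [_net(m[1], m[2]) for m in re.finditer(pat, cfg, re.M)]

def hairpin_networks(cfg, group, vpn_if="outside"):
    """Split-tunnel networks on the VPN-terminating interface's own subnet:
    decrypted packets would have to exit the interface they came in on."""
    outside = interface_networks(cfg)[vpn_if]
    return [str(n) for n in split_tunnel_networks(cfg, group) if n.overlaps(outside)]

def pool_nat_statements(cfg, group):
    """'nat' lines whose source range covers the group's address pool."""
    pool = re.search(rf"^vpngroup {group} address-pool (\S+)$", cfg, re.M)[1]
    lo, hi = re.search(rf"^ip local pool {pool} ([\d.]+)-([\d.]+) ", cfg, re.M).groups()
    lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    return [m[0] for m in re.finditer(r"^nat \(\S+\) \d+ (\S+) (\S+).*$", cfg, re.M)
            if lo in _net(m[1], m[2]) and hi in _net(m[1], m[2])]
```

Run against the full config, `hairpin_networks` flags only the 212.239.33.0/24 entry of access-list 20; the inside networks tunnel normally because they leave through a different interface.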