01-16-2006 01:51 PM - edited 02-21-2020 02:12 PM
Hi,
I have a VPN from a desktop to a PIX 506E 6.3(5).
I try to access, from this VPN, the network on the outside interface.
Split tunnel is configured OK, and the traffic from the desktop is correctly directed to the PIX, but the log says:
No route to 'outside_host' from 'vpn_host'.
Any idea ?
Thank you,
Mauro
01-16-2006 10:06 PM
Was it able to work without the split tunneling? What is the status of ISAKMP/IPSec on the PIX? Please post the relevant config.
01-17-2006 12:03 AM
VPN works fine.
Without split tunnel I can access my outside, but not via VPN; the traffic is not encrypted.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname Pix506E-07
domain-name gurzo.com
access-list inbound permit udp any any eq isakmp
access-list inbound permit tcp any host 10.0.7.7
access-list inbound permit tcp any host 10.0.7.7 eq www
access-list 101 permit ip 10.0.7.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 101 permit ip 10.0.9.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 101 permit ip host 10.0.7.7 host 10.0.86.1
access-list 101 permit ip host 10.0.7.7 host 10.0.9.9
access-list 101 permit ip host 10.0.86.1 10.0.2.0 255.255.255.0
access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 20 permit ip 10.0.7.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 20 permit ip 10.0.9.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 20 permit ip host 10.0.86.1 10.0.2.0 255.255.255.0
access-list 20 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 20 permit ip 212.239.33.0 255.255.255.0 10.0.2.0 255.255.255.0
ip address outside 212.239.33.101 255.255.255.0
ip address inside 10.0.1.1 255.255.255.0
ip local pool vpnpool 10.0.2.20-10.0.2.30 mask 255.255.255.0
global (outside) 7 interface
nat (inside) 7 10.0.2.0 255.255.255.0 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 212.239.33.1 1
route inside 10.0.2.0 255.255.255.0 10.0.1.1 1
sysopt connection permit-ipsec
crypto ipsec transform-set TRANSET esp-des esp-md5-hmac
crypto dynamic-map DYNOMAP 10 set transform-set TRANSET
crypto map VPNCLIENT 20 ipsec-isakmp dynamic DYNOMAP
crypto map VPNCLIENT client authentication LOCAL
crypto map VPNCLIENT interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup gruppone address-pool vpnpool
vpngroup gruppone default-domain vpn.loc
vpngroup gruppone split-tunnel 20
vpngroup gruppone idle-time 1800
vpngroup xxxx password xxx
vpngroup domai idle-time 1800
Thanks,
Mauro
01-17-2006 04:11 AM
global (outside) 7 interface
nat (inside) 7 10.0.2.0 255.255.255.0 0 0
and access-list 20 permit ip 212.239.33.0 255.255.255.0 10.0.2.0 255.255.255.0
Can you remove this? You won't need to NAT your IP pool at all; it will get encrypted in IPSec.
01-17-2006 01:15 PM
I tried to remove it, but it doesn't work.
I put this:
global (outside) 7 interface
nat (inside) 7 10.0.2.0 255.255.255.0 0 0
to permit my VPN client (10.0.2.x) to access outside by PAT on the outside interface,
and I put
access-list 20 permit ip 212.239.33.0 255.255.255.0 10.0.2.0 255.255.255.0
to force my client to encrypt, through the tunnel, traffic with destination 212.239.33.0/24.
Thanks,
Mauro
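Checking which of the posted access-lists cover a given client flow, as an added Python example that is not code from the thread or from Cisco. It assumes PIX 6.3 ACL syntax (network + netmask, host, any), reads entries in the PIX's direction (local network as source, VPN pool as destination, so a client-originated flow is matched in reverse), and uses a constructed excerpt of the posted lines.

```python
"""Match PIX 6.3-style access-list entries against a VPN client flow."""
import ipaddress
import re

# Constructed excerpt of the access-list lines from the posted PIX config.
PIX_ACLS = """
access-list inbound permit udp any any eq isakmp
access-list 101 permit ip 10.0.7.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 101 permit ip host 10.0.7.7 host 10.0.86.1
access-list 20 permit ip 10.0.7.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 20 permit ip 212.239.33.0 255.255.255.0 10.0.2.0 255.255.255.0
"""


def _parse_addr(tokens):
    """Consume one address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acls(text):
    """Return [(acl_name, proto, src_net, dst_net)] for every permit line."""
    entries = []
    for line in text.strip().splitlines():
        m = re.match(r"access-list (\S+) permit (\S+) (.*)", line.strip())
        if not m:
            continue
        name, proto, rest = m.groups()
        src, rest = _parse_addr(rest.split())
        dst, _ = _parse_addr(rest)  # trailing 'eq <port>' qualifiers are ignored
        entries.append((name, proto, src, dst))
    return entries


def lists_covering(entries, client_ip, remote_ip, proto="ip"):
    """Names of ACLs whose entry covers remote(src) -> client(dst), i.e. the
    PIX-side view of a client flow towards remote_ip."""
    client = ipaddress.ip_address(client_ip)
    remote = ipaddress.ip_address(remote_ip)
    names = set()
    for name, p, src_net, dst_net in entries:
        if p not in ("ip", proto):
            continue
        if remote in src_net and client in dst_net:
            names.add(name)
    return names
```

For a pool client reaching the outside subnet, only list 20 (split tunnel) matches, so the client will tunnel the flow, whereas a flow to 10.0.7.0/24 is covered by both 20 and 101.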