I have a working VPN tunnel. I can access only the local LAN connected to the pix inside_if. WINS is working fine and I can browse using NetBIOS. The issue I have is that I cannot access other networks or subnets besides the one that is connected to the pix. How can I fix this and access the other networks?
Thanks in advance
Please explain your topology (how are those other subnets routed to the pix). Also, post your crypto ACLs. It could be that you just need to edit your crypto ACLs to include the other subnets.
I have a 3640 w/2 eth_if, 5 WAN connections, default gateway pointing to the pix inside_IF and running RIP v1. The pix sees all of the different subnets via RIP. As far as crypto goes, can you elaborate some more?
There are access control lists (ACLs) that are used in crypto map statements to determine which traffic must be encrypted.
Post your pix config, but remove the password lines. Let us know what subnets you would like the VPN clients to be able to access.
Here is the config. I need access to the following subnets: 192.168.10.0 - 192.168.60.0
access-list vpn_clients permit ip 192.168.0.0 255.255.255.0 192.168.7.0 255.255.255.0
nat (inside) 0 access-list vpn_clients
ip local pool vpn_clients_mis 192.168.7.1-192.168.7.30
sysopt connection permit-ipsec
crypto ipsec transform-set bscuset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 20 set transform-set bscuset
crypto map bscumap 30 ipsec-isakmp dynamic dynmap
crypto map bscumap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 8640
vpngroup vpn_mis address-pool vpn_clients_mis
vpngroup vpn_mis dns-server 192.168.0.43
vpngroup vpn_mis wins-server 192.168.0.80
vpngroup vpn_mis default-domain *******
vpngroup vpn_mis idle-time 1800
vpngroup vpn_mis password **********
Your access-list vpn_clients only includes 192.168.0.0/24. So traffic returning from 192.168.10.0/24 and 192.168.60.0/24 to VPN clients would be NATted, and that might break things. You should try adding:
access-list vpn_clients permit ip 192.168.10.0 255.255.255.0 192.168.7.0 255.255.255.0
to your config, and then have a VPN test user try accessing resources on the 192.168.10.0 network. If that works, then you will need to add additional lines to the vpn_clients ACL to disable NAT selectively.
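The reply above boils down to one check: for every inside subnet the VPN clients need, is there a line in the nat 0 ACL whose source covers that subnet and whose destination covers the VPN pool? The script below is an added example written for this thread, not code from any of the posts or from Cisco. It parses PIX 6.x "access-list NAME permit ip" lines, tests each required subnet against the ACL the way the nat (inside) 0 exemption is evaluated (inside-to-outside, addresses only, protocol and port ignored), and prints the exact lines that are still missing. The ACL text embedded in it is the vpn_clients entry quoted in the thread plus the line suggested in the reply; the list of required /24s and the 192.168.7.0/24 pool subnet are assumptions, since the thread only gives the range 192.168.10.0 - 192.168.60.0 and a pool of 192.168.7.1-192.168.7.30.

```python
"""Check which inside subnets a PIX 'nat (inside) 0 access-list' already
exempts from NAT toward the VPN client pool, and emit the missing lines.

Added example for this thread; not code from the original posts.
"""
import ipaddress
import re

# PIX 6.x syntax as used in the thread:
#   access-list NAME permit ip SRC SRC_MASK DST DST_MASK
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)

# Constructed from the thread: the original vpn_clients line plus the one
# line the reply suggested adding.
CONFIG = """access-list vpn_clients permit ip 192.168.0.0 255.255.255.0 192.168.7.0 255.255.255.0
nat (inside) 0 access-list vpn_clients
access-list vpn_clients permit ip 192.168.10.0 255.255.255.0 192.168.7.0 255.255.255.0
"""

# Assumption: the thread says "192.168.10.0 - 192.168.60.0" without listing
# the individual networks, so these /24s are a placeholder list.
REQUIRED_SUBNETS = [f"192.168.{n}.0/24" for n in (10, 20, 30, 40, 50, 60)]

# Assumption: the pool 192.168.7.1-192.168.7.30 lives in 192.168.7.0/24,
# which is the destination the existing ACL line uses.
VPN_POOL = "192.168.7.0/24"


def parse_acl(config_text, name):
    """Return (src_net, dst_net) tuples for every 'permit ip' entry of ACL `name`."""
    entries = []
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group("name") != name:
            continue
        # ipaddress accepts dotted netmasks; strict=False tolerates host bits.
        src = ipaddress.ip_network(f"{m.group('src')}/{m.group('smask')}", strict=False)
        dst = ipaddress.ip_network(f"{m.group('dst')}/{m.group('dmask')}", strict=False)
        entries.append((src, dst))
    return entries


def is_nat_exempt(entries, inside_subnet, vpn_pool):
    """True if traffic from inside_subnet to vpn_pool matches a permit entry.

    The nat 0 ACL is evaluated on the inside->outside direction, so the
    source is the inside LAN and the destination is the VPN client pool.
    Only addresses matter here; protocol/port in a nat 0 ACL are not used.
    """
    return any(inside_subnet.subnet_of(src) and vpn_pool.subnet_of(dst)
               for src, dst in entries)


def missing_exemptions(config_text, acl_name, required_subnets, vpn_pool):
    """Return (subnet, pix_line) for each required subnet not yet exempted."""
    entries = parse_acl(config_text, acl_name)
    pool = ipaddress.ip_network(vpn_pool)
    missing = []
    for cidr in required_subnets:
        net = ipaddress.ip_network(cidr)
        if not is_nat_exempt(entries, net, pool):
            line = (f"access-list {acl_name} permit ip "
                    f"{net.network_address} {net.netmask} "
                    f"{pool.network_address} {pool.netmask}")
            missing.append((cidr, line))
    return missing


if __name__ == "__main__":
    for cidr, line in missing_exemptions(CONFIG, "vpn_clients", REQUIRED_SUBNETS, VPN_POOL):
        print(f"{cidr} is not NAT-exempt; add: {line}")
```

With the two ACL lines from the thread, 192.168.0.0/24 and 192.168.10.0/24 pass and the script prints one access-list line for each of the remaining assumed subnets. If you use a new ACL name (the later post mentions no_nat), pass that name instead of vpn_clients and point the nat (inside) 0 statement at it; the matching logic is the same.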
When I entered the nat 0 access-list no_nat, I get this message: "access-list protocol or port will not be used". sh ru displays the command.
Yes, they share interfaces in the same subnet (192.168.0.0/24), and the router's default gateway is the pix's inside_if.
I can see all the other subnets with sh route on the pix via RIP.
From the VPN clients, I can only access 192.168.0.0/24.