
New Member

Can not access inside hosts over tunnel.

My setup:

Windows network <-> PIX 501 <-> cable modem <-> internet <-> vpn client.

I have set up split tunneling so my vpn user can browse the net whilst connected. That portion is working fine. However, the only host on the inside of the pix that the vpn can access is the machine that happens to be all-in-one radius server/wins server/dns server. I can access that system's file shares, but not any other box. The inside interface uses 192.168.0.0. The vpn client ip pool is 10.1.1.0.

I am not able to ping anyone except the above mentioned box.

Thanks for the help.

Chris Lincoln

Gold

Re: Can not access inside hosts over tunnel.

just wondering if the default gateway for all windows network hosts is the pix501 inside interface.

also, have a read of the sample code below:

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp identity address
isakmp nat-traversal 20
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
ip local pool ippool 10.1.1.11-10.1.1.21
vpngroup vpnclient address-pool ippool
vpngroup vpnclient idle-time 1800
vpngroup vpnclient dns-server 139.130.4.4
vpngroup vpnclient password cisco456
vpngroup vpnclient split-tunnel 120
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map remote_vpn 20 ipsec-isakmp dynamic dynmap
username cisco password cisco123
aaa-server LOCAL protocol local
crypto map remote_vpn client authentication LOCAL
crypto map remote_vpn client configuration address initiate
crypto map remote_vpn client configuration address respond

if further assistance is needed, please post the config.
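An added example, not part of the original reply: a small Python check that the ACLs referenced by `nat (inside) 0` and `split-tunnel` cover the real inside network and the VPN pool. The sample above uses 192.168.1.0 while the original post gives the inside network as 192.168.0.0; the /24 mask for the inside network and all function names here are assumptions.

```python
import ipaddress
import re

# Constructed sample: the ACL, NAT, pool and vpngroup lines from the reply above.
SAMPLE_CONFIG = """\
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
ip local pool ippool 10.1.1.11-10.1.1.21
vpngroup vpnclient address-pool ippool
vpngroup vpnclient split-tunnel 120
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
SPLIT_RE = re.compile(r"^vpngroup \S+ split-tunnel (\S+)$")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+)$")

def parse(config):
    """Return (acls, nat0_acl, split_acl, pool) from 'net mask net mask' style lines."""
    acls, nat0, split, pool = {}, None, None, None
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{src}/{smask}"),
                ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := NAT0_RE.match(line):
            nat0 = m.group(1)
        elif m := SPLIT_RE.match(line):
            split = m.group(1)
        elif m := POOL_RE.match(line):
            pool = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
    return acls, nat0, split, pool

def check(config, inside_net):
    """List ACL roles whose entries do not permit inside_net -> whole VPN pool."""
    inside = ipaddress.ip_network(inside_net)
    acls, nat0, split, pool = parse(config)
    problems = []
    for role, name in (("nat 0", nat0), ("split-tunnel", split)):
        entries = acls.get(name, [])
        covered = pool is not None and any(
            inside.subnet_of(s) and pool[0] in d and pool[1] in d for s, d in entries)
        if not covered:
            problems.append(f"{role}: ACL {name} does not permit {inside} -> VPN pool")
    return problems
```

Run against the sample with `check(SAMPLE_CONFIG, "192.168.0.0/24")`, both roles are reported, because the ACLs name 192.168.1.0 rather than the inside network from the original post.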

New Member

Re: Can not access inside hosts over tunnel.

jackko,

Thanks for the time.

>>just wondering if the default gateway for all windows network hosts is the pix501 inside interface.

Actually, no. Some of the inside hosts use a second pix501. I am not sure how/why it works the way it does, but it does. For what it's worth, before I tried enabling split-tunnelling, I had everyone, including the vpnclient ip pool, on the 192.168.0.0 network. That worked, except split-tunnelling didn't.

Attached is my config. I hope I am not exposing my privates.

New Member

Re: Can not access inside hosts over tunnel.

Problem solved. I did not have the physical connection that I thought I had.
