Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Can't access Internet through VPN Connection

Hi,

We have 515 PIX running 6.3

We configured the device for PPTP VPN. When users connect they are able to access our intranet, however they are unable to access the internet. Any pointers or suggestions would be appreciated!

Attached is our PIX configuration

Thanks!

2 REPLIES
New Member

Re: Can't access Internet through VPN Connection

The problem probably is that you are running 6.3 for your FOS on a PIX. (I admit I didn't look at your config, given I just finished 3 hours wrestling with this myself).

That version of FOS on a Pix will not allow traffic to exit on an interface with equal or higher security. I.e. you are terminating your VPN onthe outside interface (thats where your pool is), and thats where your internet traffic wants to go. Problem is that security wise, thats a bridge, so the pix disallows the traffic.

From what I can tell the recommended solution is to upgrade to 7 if you have enough RAM (128 MB for a 515E fully loaded). In version 7 there is a command "same-security-traffic permit intra-interface" that you can do to move traffic back the way it came, especially VPN traffic.

Its what I did: upgraded, and redid my VPN and firewall rules "new style".

The actual upgrade took me less than an hour from the CCO download to the reload after the conversion, and the extra config work added about an hour so far (Mainly syntax differences I have to unlearn).

FOS 7 has a LOT of changes - its a lot more IOS-like, which means I can stop tripping over config modes, etc.

HTH, good luck!

New Member

Re: Can't access Internet through VPN Connection

Think I had a similar problem with our Pix's and what it's related to is the stateful security that is provided by the Pix.

I'm assuming the inside users are able to access the internet fine and the name resolution is working for both inside and pptp clients.

Then it could that the Pix is not able to route traffic in and out the same interface (Doing stateful sec). This effectively is not allowing the clients to come in through the outside interface and the out again to access the internet.

There are several ways to rectify this but would suggest you look at split tunneling so that the clients are able to access the internet via their local connection and not via the VPN connection.

However what we found for our particular environment was that we replaced the Pix’s with Routers

Hope this is helpful

253
Views
0
Helpful
2
Replies
CreatePlease to create content