Cisco Support Community
New Member

no xlate for vpn client

I have vpn clients set up here. The vpn clients have no problem of getting to the internal network. Internal network is working fine. However, I noticed that my vpn clients are unable to browse the internet. The error message is that there is no xlate.

I have the entire internal network nat, which includes the vpn pool.

What do I need to add for the vpn clients be able to browse the net when they vpn in?

Thank you.


Re: no xlate for vpn client

If the VPN sessions are terminated on a Pix's interface that also serves as the interface for its default route, you cannot do this. The Pix does not allow the packet to enter and leave on the same interface.

You can enable split-tunneling for the client so that they do not send traffic to the Pix except for what it protects behind it. Or you can use another interface on the Pix to terminate the VPNs that is not the default-route interface. This allows packets from VPN clients to enter one interface and exit on another as necessary.

New Member

Re: no xlate for vpn client

I have already enabled split-tunnel.

access-list splitTunnelAcl permit ip any any

Do I need to specify more on the split tunnel?


Re: no xlate for vpn client

You "enabled" the feature, but you're telling your clients to send everything to you with the "any any", which functionally is the same as no split-tunnel feature. Make the ACL more specific. If your inside network is, for example, your split-tunnel ACL would look like this:

access-list splitTunnelAcl permit ip any

Any permit statement allows traffic on the tunnel, while a deny means don't send the traffic to the VPN gateway. Anything that is denied is not tunneled and is sent out the client's "normal" default gateway and thus not to your Pix.
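The following is an added example, not part of the thread and not Cisco code: a small Python simulation of how a VPN client applies a PIX-style split-tunnel ACL, so the difference between the "any any" entry and a specific inside-network entry can be seen on sample destinations. It assumes the behaviour the reply above describes (a permit entry's source network is tunneled, a deny or no match goes to the client's own default gateway) and uses constructed ACL names, an invented 10.1.0.0/16 inside network and 198.51.100.10 as a stand-in Internet host.

```python
import ipaddress

# Added example (not from the thread): simulate how a VPN client applies a
# PIX split-tunnel ACL. The PIX hands the client the networks named in the
# ACL's source field; the client sends traffic to a "permit" network into
# the tunnel and everything else ("deny" or no match) out its normal default
# gateway. ACL names and addresses below are constructed.

def parse_split_tunnel_acl(lines):
    """Turn 'access-list NAME permit ip <net> <mask> any' lines into an
    ordered list of (action, IPv4Network) tuples."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        if parts[4] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # PIX writes dotted subnet masks, not prefix lengths: 10.1.0.0 255.255.0.0
            net = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)
        entries.append((action, net))
    return entries

def is_tunneled(entries, dst):
    """First matching entry decides: 'permit' sends the packet into the
    tunnel, 'deny' or no match sends it to the client's own default gateway."""
    addr = ipaddress.ip_address(dst)
    for action, net in entries:
        if addr in net:
            return action == "permit"
    return False

def classify(acl_lines, destinations):
    """Map each destination to True (tunneled) or False (local gateway)."""
    entries = parse_split_tunnel_acl(acl_lines)
    return {dst: is_tunneled(entries, dst) for dst in destinations}

def hairpinned(acl_lines, protected_nets, destinations):
    """Destinations the client tunnels to the PIX although they are not
    behind it. With the VPN terminated on the default-route interface these
    packets would have to leave the interface they arrived on, which is the
    situation the thread describes as 'no xlate'."""
    protected = [ipaddress.ip_network(n) for n in protected_nets]
    result = []
    for dst, tunneled in classify(acl_lines, destinations).items():
        if tunneled and not any(ipaddress.ip_address(dst) in p for p in protected):
            result.append(dst)
    return result

# Constructed sample: the 'any any' ACL from the thread versus a specific one.
ANY_ANY_ACL = ["access-list splitTunnelAcl permit ip any any"]
SPECIFIC_ACL = ["access-list splitTunnelAcl permit ip 10.1.0.0 255.255.0.0 any"]
PROTECTED = ["10.1.0.0/16"]          # constructed inside network behind the PIX
DESTINATIONS = ["10.1.5.7",          # constructed inside host
                "198.51.100.10"]     # constructed stand-in for an Internet host

if __name__ == "__main__":
    for name, acl in (("any any", ANY_ANY_ACL), ("specific", SPECIFIC_ACL)):
        print(name, classify(acl, DESTINATIONS),
              "hairpinned:", hairpinned(acl, PROTECTED, DESTINATIONS))
```

With the "any any" entry every destination is tunneled, so the Internet host is listed as hairpinned; with the specific entry only the inside host goes through the tunnel and Internet traffic leaves through the client's own gateway.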

New Member

Re: no xlate for vpn client

Thanks. I will try it.
