I have VPN clients set up here. The VPN clients have no problem getting to the internal network. The internal network is working fine. However, I noticed that my VPN clients are unable to browse the internet. The error message is that there is no xlate.
I have the entire internal network NATed, which includes the VPN pool.
What do I need to add for the VPN clients to be able to browse the net when they VPN in?
If the VPN sessions are terminated on a Pix's interface that also serves as the interface for its default route, you cannot do this. The Pix does not allow the packet to enter and leave on the same interface.
You can enable split-tunneling for the clients so that they do not send traffic to the Pix except for what it protects behind it. Or you can use another interface on the Pix to terminate the VPNs that is not the default-route interface. This allows packets from VPN clients to enter one interface and exit on another as necessary.
You "enabled" the feature, but you're telling your clients to send everything to you with the "any any", which functionally is the same as no split-tunnel feature. Make the ACL more specific. If your inside network is 192.168.1.0/24, for example, your split-tunnel ACL would look like this:
access-list splutTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
Any permit statement is traffic allowed on the tunnel, while a deny means don't send the traffic to the VPN gateway. Anything that is denied is not tunneled and is sent out the client's "normal" default gateway and thus not to your Pix.
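The permit/deny behaviour described in the reply above, as an added example that is not part of the original thread: a small Python model that parses split-tunnel ACL lines and reports whether a client would tunnel a destination or send it out its local gateway, and that flags the "any any" entry that defeats split tunneling. The function names, the ACL name in the second sample, and the sample destinations are constructed for illustration; the model assumes first-match evaluation with an implicit deny and matches the destination against the ACL's first (protected-network) address.

```python
import ipaddress

def _take_addr(tokens):
    """Consume one ACL address spec: 'any', 'host A', or 'A MASK'."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")

def parse_split_acl(text):
    """Return [(action, protected_network)] for each access-list line."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        # Expected shape: access-list NAME permit|deny ip <protected> <client side>
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        if tokens[2] not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        rest = tokens[4:]
        protected = _take_addr(rest)   # network behind the VPN gateway
        _take_addr(rest)               # client side, normally 'any'
        entries.append((tokens[2], protected))
    return entries

def client_path(entries, destination):
    """'tunnel' if the first matching entry is a permit, otherwise 'local'."""
    dst = ipaddress.ip_address(destination)
    for action, protected in entries:
        if dst in protected:
            return "tunnel" if action == "permit" else "local"
    return "local"  # implicit deny: traffic uses the client's own gateway

def has_permit_any(entries):
    """True when a permit entry covers every destination (no real split)."""
    return any(a == "permit" and n.prefixlen == 0 for a, n in entries)

# ACL line from the reply above, and a constructed 'any any' ACL for contrast.
SPECIFIC = "access-list splutTunnelAcl permit ip 192.168.1.0 255.255.255.0 any"
ANY_ANY = "access-list exampleAnyAcl permit ip any any"

if __name__ == "__main__":
    for name, acl in (("specific", SPECIFIC), ("any any", ANY_ANY)):
        entries = parse_split_acl(acl)
        print(name, "permit-any:", has_permit_any(entries))
        for dst in ("192.168.1.20", "198.51.100.7"):  # constructed destinations
            print("  ", dst, "->", client_path(entries, dst))
```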
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: