PIX 501 do you know this...?

rgrcommo
Level 1

PIX 501---

I have hosts (6 of them) right off the inside interface. I have one host that has an IP of 192.168.30.10, and I want this host to be able to reach the outside, i.e. the internet.

I also have clients on the outside who access 192.168.30.10 via Cisco VPN client 3000. This works fine. The outside can access the hosts inside fine via the Cisco VPN client 3000.

NOW, I cannot access the internet from the host inside (192.168.30.10). How do I do this? I have tried everything: the nat (inside) 1 0.0.0.0 0.0.0.0 and the global command, but the inside host still cannot get outside.

When I do a debug packet outside it looks as if the packets are encrypted.

anybody know how to make this work??

-jeff

2 Replies

mmellet
Level 3

It looks like your IPSEC access-list is telling the PIX to encrypt all traffic from that host and send it through the tunnel when in fact you only want to encrypt traffic to the specific destination host/network. Have TAC work over your access list and you should be fine.

He is referring to your access list used on your crypto map statement.

access-list IPsecAL permit ip any 172.16.4.0 255.255.255.0

crypto map yourmap 136 match address IPsecAL

Note the ANY on the access-list statement sends all traffic from inside your network through the tunnel. Limit it to only the traffic going back to your outside tunnel.
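One way to check a saved PIX configuration for the condition the replies describe, as an added example that is not part of the original thread: the script lists every crypto map whose match-address ACL has a `permit ip` entry using `any`. The sample config is constructed; only the `IPsecAL` line and the `yourmap 136` line come from the reply above, and the other ACL names, sequence numbers and the 192.168.30.0 255.255.255.0 network are assumptions.

```python
import re

# Constructed sample: the first ACL line and the "136" map line are quoted from
# the reply; TightAL, WideAL, entries 138/140 and the /24 mask are hypothetical.
SAMPLE_CONFIG = """\
access-list IPsecAL permit ip any 172.16.4.0 255.255.255.0
access-list TightAL permit ip host 192.168.30.10 172.16.4.0 255.255.255.0
access-list WideAL permit ip 192.168.30.0 255.255.255.0 any
crypto map yourmap 136 match address IPsecAL
crypto map yourmap 138 match address TightAL
crypto map yourmap 140 match address WideAL
"""

# Only "permit ip" entries are parsed; port operators are out of scope here.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(.*)$")
MAP_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)$")


def take_address(tokens):
    """Consume one address spec: 'any', 'host A', or 'A MASK'."""
    if tokens and tokens[0] == "any":
        return "any", tokens[1:]
    if len(tokens) < 2:
        raise ValueError("incomplete address spec: %r" % (tokens,))
    if tokens[0] == "host":
        return "host " + tokens[1], tokens[2:]
    return tokens[0] + " " + tokens[1], tokens[2:]


def audit(config):
    """Return (map, seq, acl, side) for each crypto ACL entry that uses 'any'."""
    acls, findings = {}, []
    lines = [ln.strip() for ln in config.splitlines()]
    for line in lines:
        m = ACL_RE.match(line)
        if m:
            src, rest = take_address(m.group(2).split())
            dst, _ = take_address(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
    for line in lines:
        m = MAP_RE.match(line)
        for src, dst in (acls.get(m.group(3), []) if m else []):
            for side, addr in (("source", src), ("destination", dst)):
                if addr in ("any", "0.0.0.0 0.0.0.0"):
                    findings.append((m.group(1), int(m.group(2)), m.group(3), side))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("crypto map %s %d: ACL %s uses 'any' as %s" % finding)
```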
