Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN Problems

I can vpn in just fine. The IP address that I pull is 192.168.1.200 so thats right. What is happening though is after I connect I lose all internet and I can't see anybody on my local lan or on the lan that I have vpn into. Our DNS server is also our DHCP server and our local lan is the same IP range that the VPN lan I am connecting to is. I don't know if that is the problem or not. After I connect I still can't see either network. Can you please help?

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside

security100

enable password xxx

encrypted

passwd xxxx

encrypted

hostname pixfirewall

domain-name

ciscopix.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list inside_outbound_nat0_acl permit ip any 192.168.1.200 255.255.255.248

access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.200 255.255.255.248

access-list outside_access_in permit icmp a

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute retry 4

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool CWS 192.168.1.200-192.168.1.205

pdm location 192.168.1.0

255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group outside_access_in in interface outside

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup CWS address-pool CWS

vpngroup CWS dns-server 192.168.1.2 64.193.208.5

vpngroup CWS default-domain CWS

vpngroup CWS idle-time 1800

vpngroup CWS password ********

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

terminal width 80

Cryptochecksum:xxxx

4 REPLIES
Silver

Re: VPN Problems

You will need to do split-tunneling. It will permit only the VPN traffic over the tunnel.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172787.html

Re: VPN Problems

Thats right you could use the split tunnel option which would allow you to browse the Internet on the same time as you are connected to your VPN.

Security Risk !

But This could result that you can get hijacked and someone could enter into your corporate network via your VPN Client.

config example Split tunnel:

access-list SplitTunnelACL permit ip vpnpool-net 255.255.255.0 any

vpngroup VPNGroup split-tunnel SplitTunnelACL

Another way might be by installing a Proxy server on your corporate network which would allow you to access the Internet. You just need to add the proxy in your browser.

OpenSource Proxy = Squid (Linux)

Symantec offers also a free proxy server if you use their corporate products.

sincerely

Patrick

New Member

Re: VPN Problems

still can't connect to server on local lan and cannot connect to internet while in vpn connection.

Here is what my config looks like now. I changed the subnet for other reasons but the config should look somewhat the same execpt for the entrys that you recommended.

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname pixfirewall

domain-name ciscopix.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol smtp 1025

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside_access_in permit tcp any interface outside eq 3389

access-list outside_access_in permit icmp any any

access-list inside_outbound_nat0_acl permit ip any 10.168.1.192 255.255.255.224

access-list outside_cryptomap_dyn_20 permit ip any 10.168.1.192 255.255.255.224

access-list familyabuse_splitTunnelAcl permit ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute retry 4

ip address inside 10.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool familyabuse 10.168.1.201-10.168.1.210

pdm location 10.168.1.200 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface 3389 10.168.1.200 3389 netmask 255.255.255

.255 0 0

access-group outside_access_in in interface outside

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 10.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup familyabuse address-pool familyabuse

vpngroup familyabuse dns-server 10.168.1.200 64.193.208.5

vpngroup familyabuse wins-server 10.168.1.200

vpngroup familyabuse default-domain familyabusecenter.org

vpngroup familyabuse split-tunnel familyabuse_splitTunnelAcl

vpngroup familyabuse idle-time 1800

vpngroup familyabuse password ********

telnet 10.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.168.1.2-10.168.1.199 inside

dhcpd dns 10.168.1.200 64.193.208.5

dhcpd wins 10.168.1.200

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain familyabusecenter.org

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:f572adca6d4e4cb22017653ce428ba67

: end

Silver

Re: VPN Problems

access-list familyabuse_splitTunnelAcl permit ip any any

This should specifically match traffic to your servers. Permit ip any any is as good as not having split tunneling ;-)

166
Views
0
Helpful
4
Replies
CreatePlease to create content