11-06-2007 12:36 PM - edited 02-21-2020 03:21 PM
I can connect to my VPN from home and access Exchange, network shares, etc. However, when I open up a web page or do anything that needs an outside IP, I can't get out. As soon as I disconnect the VPN client, web pages work great. Any suggestions?
Cisco PIX Firewall Version 6.3(3)
Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz
thanks in advance.....Mike
11-07-2007 09:16 AM
I would try using a different ACL for your split tunnel; it's always good practice to separate your ACLs.
vpngroup touavpn split-tunnel 102
access-list 102 permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list 102 permit ip 10.10.11.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list 102 permit ip 10.10.101.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list 102 permit ip 10.10.14.0 255.255.255.0 10.10.15.0 255.255.255.0
I would also get rid of this as you don't need it...
no access-list 101 permit ip 10.10.15.0 255.255.255.0 10.10.12.0 255.255.255.0
11-06-2007 12:46 PM
Mike,
You will have to set up split tunneling on the pix.
access-list SPLIT-TUNNEL permit ip x.x.x.x
vpngroup
x.x.x.x = your network inside pix which you want to tunnel to.
y.y.y.y = your vpn client subnet
Doing this will allow you to vpn to the network inside the pix, but all other traffic will not be part of the vpn.
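To make the split-tunnel mechanics above concrete, here is an added example (not code from the thread or from Cisco): a small Python model of what the VPN client does with the ACL the PIX pushes via `vpngroup ... split-tunnel`. Each `permit ip SRC MASK DST MASK` entry is read as "destinations in SRC are reachable through the tunnel for clients in DST"; anything else goes to the client's own local gateway, which is exactly the web traffic that was stuck with no split tunnel. The config lines and the client address 10.10.15.2 are constructed from the values posted in the thread.

```python
import ipaddress

# Constructed sample mirroring the thread: the old ACL 101 (including the
# reversed entry the solution says to remove) and the new split-tunnel ACL 102.
PIX_CONFIG = [
    "access-list 101 permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0",
    "access-list 101 permit ip 10.10.15.0 255.255.255.0 10.10.12.0 255.255.255.0",
    "access-list 102 permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0",
    "access-list 102 permit ip 10.10.11.0 255.255.255.0 10.10.15.0 255.255.255.0",
    "access-list 102 permit ip 10.10.101.0 255.255.255.0 10.10.15.0 255.255.255.0",
    "access-list 102 permit ip 10.10.14.0 255.255.255.0 10.10.15.0 255.255.255.0",
]
VPN_POOL = ipaddress.ip_network("10.10.15.0/24")  # client pool named in the thread


def parse_acl_line(line):
    """Parse a PIX 6.3 'access-list ID permit ip SRC SMASK DST DMASK' line
    into (acl_id, source network, destination network)."""
    p = line.split()
    if len(p) != 8 or p[0] != "access-list" or p[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line!r}")
    src = ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False)
    dst = ipaddress.ip_network(f"{p[6]}/{p[7]}", strict=False)
    return p[1], src, dst


def split_tunnel_entries(config, acl_id):
    """(protected network, client pool) pairs of the ACL named by split-tunnel ACL_ID."""
    return [parse_acl_line(line)[1:] for line in config
            if line.startswith(f"access-list {acl_id} ")]


def reversed_entries(config, acl_id, pool=VPN_POOL):
    """Entries whose source is the client pool: they name no network behind the
    PIX, so the client gains no route from them (the line the solution removes)."""
    return [(s, d) for s, d in split_tunnel_entries(config, acl_id) if s == pool]


def route_for(dst_ip, client_ip, entries):
    """Where the client sends a packet: into the tunnel if the destination lies in
    a protected network pushed by the split-tunnel ACL, otherwise its local gateway."""
    dst, client = ipaddress.ip_address(dst_ip), ipaddress.ip_address(client_ip)
    for protected, pool in entries:
        if dst in protected and client in pool:
            return "tunnel"
    return "local"


if __name__ == "__main__":
    ents = split_tunnel_entries(PIX_CONFIG, "102")
    for target in ("10.10.12.10", "10.10.101.7", "198.51.100.20"):
        print(target, "->", route_for(target, "10.10.15.2", ents))
    print("reversed entries in 101:", reversed_entries(PIX_CONFIG, "101"))
```

Note that the same model shows the trade-off of split tunneling: while the VPN is up the home machine is reachable from its local network and the Internet at the same time as it holds a route into the office networks.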
11-07-2007 07:57 AM
Hi, I think I already have these statements in my config:
access-list 101 permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0
vpngroup touavpn split-tunnel 101
These were taken from the startup-config
10.10.12.0 inside address and 10.10.15.0 our VPN address.
Another thing that I noticed when I was connected from home was:
ip address - 10.10.15.2
subnet mask - 255.0.0.0
default gateway - 10.10.15.2
seems to me that the default gateway shouldn't be the same as my IP address.
Our VPN worked fine. One of our engineers had moved this config file from another PIX. The old PIX was a 515E and this current one is a 515. We used the same config and everything has been OK with the exception of VPN.
thanks - mike
11-07-2007 08:07 AM
mike,
The ip addresses you noticed when connected from home are normal.
Do you want to post a sanitized config?
11-07-2007 09:09 AM
11-07-2007 08:21 PM
Added ACLs as recommended and changed the split tunnel to 102 as recommended. Works great.
appreciate the help!
Mike