cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
763
Views
5
Helpful
8
Replies

Can't access the internet after establishing VPN

blin
Level 1
Level 1

We have been using MS VPN client to access PIX 515 VPN for one year. It works. The only problem is when the VPN client establishes the VPN, it can't access the Internet until disconnecting the VPN. I believe that we can configure PIX to point the Internet but don’t know how. Can you help us?

Here are our configuration.

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname cbgfirewall

domain-name chicagobotanic.org

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

name 10.0.0.8 cbgnt

name 10.0.0.1 cbgnet

name 10.0.0.11 bob

name 10.0.0.22 apps1

access-list 101 permit ip 10.0.0.0 255.255.0.0 192.168.1.0 255.255.255.0

pager lines 24

logging on

logging history errors

interface ethernet0 100full

interface ethernet1 auto

icmp deny any echo outside

mtu outside 1500

mtu inside 1500

ip address outside xxxx.xxx.35.194 255.255.255.224

ip address inside xxx.xx.0.2 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

ip local pool bigpool xxx.xxx.1.1-192.168.1.254

pdm location cbgnet 255.255.255.255 inside

pdm location cbgnt 255.255.255.255 inside

pdm location bob 255.255.255.255 inside

pdm location apps1 255.255.255.255 inside

pdm logging critical 100

pdm history enable

arp timeout 14400

global (outside) 1 x.x.x.x-210.x.35.221 netmask 255.255.255.224

global (outside) 1 x.x.35.222 netmask 255.255.255.224

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 210.32.35.195 cbgnt netmask 255.255.255.255 0 0

static (inside,outside) 210.32.35.196 cbgnet netmask 255.255.255.255 0 0

static (inside,outside) 210.32.35.198 apps1 netmask 255.255.255.255 0 0

static (inside,outside) 210.32.35.197 bob netmask 255.255.255.255 0 0

conduit permit tcp host 210.32.35.195 eq smtp any

conduit permit tcp host 210.32.35.195 eq pop3 any

conduit permit tcp host 210.32.35.196 eq https any

conduit permit tcp host 210.32.35.196 eq smtp any

conduit permit tcp host 210.32.35.196 eq pop3 any

conduit permit tcp host 210.32.35.196 eq www any

conduit permit tcp host 210.32.35.196 eq ftp any

conduit deny tcp host 210.32.35.194 eq 3283 any

conduit permit tcp host 210.32.35.198 eq www any

conduit deny tcp host 210.32.35.198 eq ftp any

conduit deny tcp host 210.32.35.198 eq smtp any

conduit deny tcp host 210.32.35.198 eq pop3 any

conduit permit tcp host 210.32.35.195 eq https any

conduit permit icmp any any echo-reply

conduit permit gre host 210.32.35.197 any

conduit permit tcp host 210.32.35.197 eq 1723 any

conduit permit tcp host 210.32.35.197 eq 5800 any

conduit permit tcp host 210.32.35.197 eq pcanywhere-data any

conduit permit tcp host 210.32.35.197 eq 5632 any

conduit permit tcp host 210.32.35.197 eq www any

outbound 10 permit cbgnet 255.255.0.0 80 tcp

apply (inside) 10 outgoing_src

route outside 0.0.0.0 0.0.0.0 210.32.35.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http bob 255.255.255.255 inside

http 10.0.0.0 255.255.0.0 inside

snmp-server host inside bob

snmp-server location cbgfirewall

snmp-server contact blin

snmp-server community public

snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

no sysopt route dnat

telnet 10.0.0.0 255.255.0.0 inside

telnet timeout 5

ssh timeout 5

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication pap

vpdn group 1 ppp authentication chap

vpdn group 1 ppp authentication mschap

vpdn group 1 ppp encryption mppe 128

vpdn group 1 client configuration address local bigpool

vpdn group 1 client configuration dns cbgnet

vpdn group 1 client configuration wins cbgnet

vpdn group 1 pptp echo 60

vpdn group 1 client authentication local

vpdn username 194U password *********

vpdn username blin password *********

vpdn username setup password *********

vpdn enable outside

terminal width 80

8 Replies 8

steve
Level 1
Level 1

Hi

Configure split tunneling.

Do this the easiest by using the PDM version 2 application to amend your config.

As you are using conduits, you have a bit of work to change them over to access lists.

If you need anything else just let me know.

Steve

Steve,

Thank you for the help. Is there another way to do this if we are using MS VPN only?

bob

Steve

I too have the same issue..Is there not away to enable PPTP tunnel users to browse the WEB at the Main Site...Can't we just allow the pool'd addresses the opportunity to NAT for an HTTP 80 session...

split tunnelling is the solution. or installing a web proxy on the corporate net that the vpn clients will use

pression2
Level 1
Level 1

Hi blind,

If you're using MS VPN client you've got another option. You just have to unmark the option "use the default gateway on the remote site" on (TCP/IP properties of the MS VPN Client).

Once this option is unmarked, establish a connection to the PIX and you'll see that you also have access to the internet using your own connection.

The only thing left to do then is setting up a static route to the remote site's private LAN on the client computer.

Hope that's what you were looking for.

I have unchecked the box that you pointed out and now the vpn client can ping or access resources through the vpn. If I check the box again, I have access to resources and ping.

What do I need to provide to get that to work correctly? Have web functionallity and ccess resources through the vpn.

Thanks,

molinek

jmaynard8
Level 1
Level 1

I too have run across this problem. Cisco does not support this functionality. You can however do a work around with the route command.

Have the user open a command prompt while connected to VPN. Put in the command "route delete 192.168.1.0 mask 255.255.255.0 192.168.10.64" Where 192.168.1.0 is the internal network IP range and subnet mask. Where the 192.168.10.64 is the IP of the users computer that the VPN group gave to it when connecting (vpdn group IP's). Cisco only supports IP ranges where the VPN group IP are different than the internal IP's.

Hope this helps

Jon

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: