New Member

Can't access the internet after establishing VPN

We have been using MS VPN client to access PIX 515 VPN for one year. It works. The only problem is when the VPN client establishes the VPN, it can't access the Internet until disconnecting the VPN. I believe that we can configure PIX to point the Internet but don’t know how. Can you help us?

Here is our configuration.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname cbgfirewall
domain-name chicagobotanic.org
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 10.0.0.8 cbgnt
name 10.0.0.1 cbgnet
name 10.0.0.11 bob
name 10.0.0.22 apps1
access-list 101 permit ip 10.0.0.0 255.255.0.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
logging history errors
interface ethernet0 100full
interface ethernet1 auto
icmp deny any echo outside
mtu outside 1500
mtu inside 1500
ip address outside xxxx.xxx.35.194 255.255.255.224
ip address inside xxx.xx.0.2 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool xxx.xxx.1.1-192.168.1.254
pdm location cbgnet 255.255.255.255 inside
pdm location cbgnt 255.255.255.255 inside
pdm location bob 255.255.255.255 inside
pdm location apps1 255.255.255.255 inside
pdm logging critical 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x-210.x.35.221 netmask 255.255.255.224
global (outside) 1 x.x.35.222 netmask 255.255.255.224
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 210.32.35.195 cbgnt netmask 255.255.255.255 0 0
static (inside,outside) 210.32.35.196 cbgnet netmask 255.255.255.255 0 0
static (inside,outside) 210.32.35.198 apps1 netmask 255.255.255.255 0 0
static (inside,outside) 210.32.35.197 bob netmask 255.255.255.255 0 0
conduit permit tcp host 210.32.35.195 eq smtp any
conduit permit tcp host 210.32.35.195 eq pop3 any
conduit permit tcp host 210.32.35.196 eq https any
conduit permit tcp host 210.32.35.196 eq smtp any
conduit permit tcp host 210.32.35.196 eq pop3 any
conduit permit tcp host 210.32.35.196 eq www any
conduit permit tcp host 210.32.35.196 eq ftp any
conduit deny tcp host 210.32.35.194 eq 3283 any
conduit permit tcp host 210.32.35.198 eq www any
conduit deny tcp host 210.32.35.198 eq ftp any
conduit deny tcp host 210.32.35.198 eq smtp any
conduit deny tcp host 210.32.35.198 eq pop3 any
conduit permit tcp host 210.32.35.195 eq https any
conduit permit icmp any any echo-reply
conduit permit gre host 210.32.35.197 any
conduit permit tcp host 210.32.35.197 eq 1723 any
conduit permit tcp host 210.32.35.197 eq 5800 any
conduit permit tcp host 210.32.35.197 eq pcanywhere-data any
conduit permit tcp host 210.32.35.197 eq 5632 any
conduit permit tcp host 210.32.35.197 eq www any
outbound 10 permit cbgnet 255.255.0.0 80 tcp
apply (inside) 10 outgoing_src
route outside 0.0.0.0 0.0.0.0 210.32.35.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http bob 255.255.255.255 inside
http 10.0.0.0 255.255.0.0 inside
snmp-server host inside bob
snmp-server location cbgfirewall
snmp-server contact blin
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128
vpdn group 1 client configuration address local bigpool
vpdn group 1 client configuration dns cbgnet
vpdn group 1 client configuration wins cbgnet
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username 194U password *********
vpdn username blin password *********
vpdn username setup password *********
vpdn enable outside
terminal width 80

10 REPLIES
New Member

Re: Can't access the internet after establishing VPN

Hi

Configure split tunneling.

Do this the easiest by using the PDM version 2 application to amend your config.

As you are using conduits, you have a bit of work to change them over to access lists.

If you need anything else just let me know.

Steve

New Member

Re: Can't access the internet after establishing VPN

Steve,

Thank you for the help. Is there another way to do this if we are using MS VPN only?

bob

New Member

Re: Can't access the internet after establishing VPN

Steve

I too have the same issue. Is there not a way to enable PPTP tunnel users to browse the web at the main site? Can't we just allow the pooled addresses the opportunity to NAT for an HTTP 80 session?

Silver

Re: Can't access the internet after establishing VPN

Split tunnelling is the solution, or installing a web proxy on the corporate net that the VPN clients will use.

New Member

Re: Can't access the internet after establishing VPN

hello Steve,

How do you configure the split tunnel with PDM? I cannot find where in the VPN wizard to do this.

And does it have to be a split tunnel? Is there no other way?

Silver

Re: Can't access the internet after establishing VPN

vpngroup _namehere_ split-tunnel _acl_name_here

New Member

Re: Can't access the internet after establishing VPN

Hi blind,

If you're using the MS VPN client you've got another option. You just have to unmark the option "use the default gateway on the remote site" in the TCP/IP properties of the MS VPN client.

Once this option is unmarked, establish a connection to the PIX and you'll see that you also have access to the internet using your own connection.

The only thing left to do then is setting up a static route to the remote site's private LAN on the client computer.

Hope that's what you were looking for.

New Member

Re: Can't access the internet after establishing VPN

I have unchecked the box that you pointed out and now the VPN client can ping or access resources through the VPN. If I check the box again, I have access to resources and ping.

What do I need to provide to get that to work correctly? Have web functionality and access resources through the VPN.

Thanks,

molinek

New Member

Re: Can't access the internet after establishing VPN

I too have run across this problem. Cisco does not support this functionality. You can, however, do a workaround with the route command.

Have the user open a command prompt while connected to the VPN. Put in the command "route delete 192.168.1.0 mask 255.255.255.0 192.168.10.64", where 192.168.1.0 is the internal network IP range and subnet mask, and 192.168.10.64 is the IP of the user's computer that the VPN group gave to it when connecting (vpdn group IPs). Cisco only supports IP ranges where the VPN group IPs are different from the internal IPs.

Hope this helps

Jon
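The three client states discussed in this thread (default gateway on the remote network checked, unchecked, and unchecked plus a static route to the inside LAN) can be reproduced with a small routing model. This is an added example, not code from the thread or from Cisco; the pool address, ISP gateway and public host are constructed, and the rule that a PIX 6.2 does not send PPTP client traffic back out to the Internet is taken from what the posters report.

```python
import ipaddress

# Addresses from the posted config: inside LAN 10.0.0.0/16, PPTP pool 192.168.1.0/24.
CORP_LAN = ipaddress.ip_network("10.0.0.0/16")
CORP_HOST = ipaddress.ip_address("10.0.0.8")          # cbgnt in the posted config
VPN_IF_IP = ipaddress.ip_address("192.168.1.10")      # assumed pool address for this client
ISP_GW = ipaddress.ip_address("203.0.113.1")          # constructed ISP gateway
INTERNET_HOST = ipaddress.ip_address("198.51.100.7")  # constructed public web server


def client_routes(use_remote_default_gw, add_static_route):
    """Model the Windows client's routing table as (network, via, metric)."""
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "isp", 20)]
    if use_remote_default_gw:
        # Checkbox on: the PPTP client adds a default route with a better
        # metric pointing into the tunnel, so all traffic goes to the PIX.
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "vpn", 1))
    if add_static_route:
        # Equivalent of "route add 10.0.0.0 mask 255.255.0.0 <vpn-assigned-ip>"
        # typed on the client while the tunnel is up.
        routes.append((CORP_LAN, "vpn", 1))
    return routes


def next_hop(dest, routes):
    """Longest-prefix match; ties are broken by the lowest metric."""
    best = max(
        (r for r in routes if dest in r[0]),
        key=lambda r: (r[0].prefixlen, -r[2]),
    )
    return best[1]


def reachable(dest, routes):
    """Constraint reported in the thread: traffic sent into the tunnel only
    gets an answer if it is for the corporate LAN (the PIX 6.2 does not turn
    it around to the Internet); the ISP path cannot reach the private LAN."""
    if next_hop(dest, routes) == "vpn":
        return dest in CORP_LAN
    return dest not in CORP_LAN


def scenario(use_remote_default_gw, add_static_route):
    """Return which of the two destinations the client can reach."""
    routes = client_routes(use_remote_default_gw, add_static_route)
    return {
        "internet": reachable(INTERNET_HOST, routes),
        "corp": reachable(CORP_HOST, routes),
    }
```

Running `scenario(True, False)`, `scenario(False, False)` and `scenario(False, True)` gives the three outcomes the posters describe: only the last combination reaches both the Internet and the inside LAN.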
