Cisco Support Community
Community Member

No internet when VPN is up

I solved one problem from the discussion "Static NAT on PIX 501 help", but now I have no internet connectivity when that tunnel comes up.  I have attached my current PIX 501 config.  Any suggestions would be appreciated.

1 ACCEPTED SOLUTION

Community Member

Re: No internet when VPN is up

Try replacing:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

with

access-list PAT permit ip 192.168.1.0 255.255.255.0 any

nat (inside) 1 access-list PAT

My thinking here is that once you start with policy NAT, all your NAT must work that way... I'm not truly sure it'll work, but I think it's worth a shot.

It won't break the static NAT because that is processed ahead of the NAT statement.

12 REPLIES
Bronze

Re: No internet when VPN is up

Hi,

I have reviewed the configuration and it appears good to me. As per your post, it seems to me that after the addition of the static command the VPN started working fine, but you lost internet connectivity on the PIX. I would suggest the following:

1. Terminate the VPN by running "clear crypto ipsec sa"
2. Then, to clear the existing translations, please run the command "clear xlate"
3. Initiate the internet traffic, followed by VPN tunnel initiation by pinging the remote destination 192.168.27.x

Let me know how it goes.

Note:

A. Step 1 is optional, but still I would request you to terminate the tunnel.
B. Step 2 is recommended on PIX 6.3. Please refer to:

www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1084248

HTH...

Regards,
M

Mohit Paul, CCIE Security 35496. P.S. Please do rate this post if you find it helpful, to make it easier for others seeking answers to similar queries.

Community Member

Re: No internet when VPN is up

Ahh, let me clarify my problem, I don't think I expressed it correctly.

When I say "no internet" I am referring to general internet traffic, such as www.cisco.com from a browser.  The internet traffic works fine until the VPN tunnel comes up, then the internet no longer works.  But the VPN works fine, I can pass traffic in the tunnel no problem.

So, for example, if I start a ping to www.cisco.com, then I do another ping to 192.168.27.1 (which will initiate the VPN tunnel), the ping to www.cisco.com suddenly stops working, but I can fully use the VPN.

The commands you mentioned allow me to bring down the VPN tunnel just fine, and I can then again use the internet.

Thanks for your help with this.

Community Member

Re: No internet when VPN is up

My gut feeling is that it's NAT causing you problems.

Are you getting errors in the log?

Bronze

Re: No internet when VPN is up

Hey Chris,

You explained your problem correctly and I did understand it in the first place. I suspect there is some translation or xlate issue on the PIX. That's why I have recommended the steps accordingly, by stating that bringing the VPN tunnel down is just an optional step. What I want you to do is play with the NAT rule as suggested.

Try clearing the xlate.

Apply the policy NAT statement first and then apply the nat/global 1 rule on the PIX.

Regards,
M

Mohit Paul, CCIE Security 35496. P.S. Please do rate this post if you find it helpful, to make it easier for others seeking answers to similar queries.

Community Member

Re: No internet when VPN is up

When I clear xlate, the internet starts working, even with the VPN still up.  But as soon as I pass traffic over the VPN, the internet stops working.  I can get it back by simply doing a clear xlate.  I don't need to do a clear ipsec sa or clear isakmp sa.

I tried removing all the statements, clearing, adding them back in, clearing, but I still get the same results.

Community Member

Re: No internet when VPN is up

Try adding a deny any any to the end of the ACL "chris-to-ocean-nat".

Community Member

Re: No internet when VPN is up

Try nat 0 by adding the same ACL, with a different name, for your VPN traffic, then try split tunneling.

Community Member

Re: No internet when VPN is up

"try nat 0 by adding same acl with different name of your vpn traffic then try split tunneling"

I don't think that'll do any good, from what I can see of the config he needs to do some translation as the original source subnet probably isn't valid on the peer device.

Community Member

Re: No internet when VPN is up

Thanks for all your suggestions.  For what it's worth, I have attached the configuration of the other PIX.

Community Member

Re: No internet when VPN is up

Can you give us the output of show xlate?

Take a copy immediately after clearing xlate, but before you send traffic over the tunnel, and then another after Internet access stops working.
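
A small helper for the comparison asked for above, written for this thread rather than taken from it: it parses two "show xlate" snapshots (the line shapes are assumed from the PIX 6.3 command reference; the sample output and the 192.168.50.10 global address are constructed) and reports which inside hosts gained a static, non-PAT translation once traffic went through the tunnel.

```python
import re
from collections import defaultdict

# PIX 6.3 "show xlate" line shapes (assumed from the command reference):
#   PAT Global <ip>(<port>) Local <ip>(<port>)   -> dynamic PAT entry
#   Global <ip> Local <ip>                       -> static / one-to-one entry
PAT_RE = re.compile(r"^PAT Global ([\d.]+)\((\d+)\) Local ([\d.]+)\((\d+)\)")
STATIC_RE = re.compile(r"^Global ([\d.]+) Local ([\d.]+)$")

def parse_xlate(text):
    """Return {local_ip: set of (kind, global_ip)} from show xlate output."""
    table = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        m = PAT_RE.match(line)
        if m:
            table[m.group(3)].add(("PAT", m.group(1)))
            continue
        m = STATIC_RE.match(line)
        if m:
            table[m.group(2)].add(("static", m.group(1)))
    return dict(table)

def new_static_xlates(before, after):
    """Inside hosts that picked up a static (non-PAT) xlate between the two snapshots.

    Returns {local_ip: sorted list of new static global addresses}.
    """
    b, a = parse_xlate(before), parse_xlate(after)
    found = {}
    for local, entries in a.items():
        now = {g for kind, g in entries if kind == "static"}
        earlier = {g for kind, g in b.get(local, set()) if kind == "static"}
        added = now - earlier
        if added:
            found[local] = sorted(added)
    return found

# Constructed snapshots: one right after "clear xlate", one after the tunnel carried traffic.
BEFORE = """\
1 in use, 3 most used
PAT Global 203.0.113.2(1025) Local 192.168.1.10(3201)
"""
AFTER = """\
2 in use, 3 most used
PAT Global 203.0.113.2(1025) Local 192.168.1.10(3201)
Global 192.168.50.10 Local 192.168.1.10
"""

if __name__ == "__main__":
    for host, globs in new_static_xlates(BEFORE, AFTER).items():
        print(f"{host}: now also translated by static NAT to {', '.join(globs)}")
```

Paste the two real captures in place of BEFORE and AFTER; a host listed by new_static_xlates is the one whose internet traffic is worth checking against the static rule's global address.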

Community Member

Re: No internet when VPN is up

I have attached the output from the sh xlate command before and after internet access stops working.
