plemaster

Local Lan Access Cisco Pix 501 with VPN client 3.5.3
We have a Pix 501 setup and we can access our local lan and the internet.  We have split tunneling setup.  It appears to work fine from a dial up connection where you have a public IP assigned to your laptop interface, but when we try this from a dsl connections with private addressing ie 10.x.x.x we are not able to connect to the network behind the VPN device.  We can connect to the VPN and access the local lan and internet but not the network behind the VPN.  IPSEC passthrough is enabled.   Also on the VPN client, how do you get the local lans to appear in the local lan windows?

Here is a copy of the config

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password GSYgRus3ETC9HDz7 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name kyinteractive.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service RDP tcp-udp
  port-object range 3389 3389
access-list inside_outbound_nat0_acl permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 192.168.129.0 255.255.255.192
access-list kii_splitTunnelAcl_1 permit ip host 192.168.128.101 any
access-list kii_splitTunnelAcl_1 permit ip host 192.168.128.102 any
access-list kii_splitTunnelAcl_1 permit ip host 192.168.128.200 any
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside 192.168.128.101
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.128.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool kii 192.168.129.1-192.168.129.40
pdm location 192.168.128.0 255.255.255.0 inside
pdm location 192.168.129.0 255.255.255.0 inside
pdm location 192.168.128.101 255.255.255.255 inside
pdm location 68.16.187.163 255.255.255.255 outside
pdm location 192.168.128.102 255.255.255.255 inside
pdm location 192.168.128.0 255.255.255.0 outside
pdm location 192.168.129.0 255.255.255.0 outside
pdm location 192.168.129.0 255.255.255.224 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 2 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
http server enable
http 192.168.128.0 255.255.255.0 inside
http 192.168.129.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup kii address-pool kii
vpngroup kii dns-server 192.168.128.101 63.165.123.142
vpngroup kii wins-server 192.168.128.101
vpngroup kii default-domain kii.local
vpngroup kii split-tunnel kii_splitTunnelAcl_1
vpngroup kii split-dns kii.local companyweb kiidc
vpngroup kii idle-time 1800
vpngroup kii password ********
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname interack@bellsouth.net
vpdn group pppoe_group ppp authentication pap
vpdn username interack@bellsouth.net password ********* store-local
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username traci password Eq2K5RicypMCozTO encrypted privilege 15
username aford password DfcCorRNHHc2PUxK encrypted privilege 15
username plemaster password .fptDMEDotyRx6JV encrypted privilege 15
terminal width 80
Cryptochecksum:6953b0c7c61e3a1be07239f9019b5f7c
: end

ASKER CERTIFIED SOLUTION
Les Moore


plemaster

ASKER

Yes we had tried both of these. From a dial up connection with a  they work perfectly, but from a private ip behind a broadband connection they do not. We have tried this at three different sites. It has to be a configuration issue where somehow the translation from private to public to public to private is not working. It will work from public to public to private. One thing I am not sure about, Our Cisco Pix 501 is configured with pppoe on the translation is configured as PAT using the IP address of the interface. I tried using just PAT but received an error 163.187.16.68-163.187.16.88 overlaps with the outside interface address.

Les Moore

Since you have PPPoE, there is a tiny extra overhead which could cause packet fragmentation.
On the client end, have them use the SetMTU utility that comes with the VPN Client and set their MTU to 1300

plemaster

ASKER

Thanks for the tip.  Made the changes but still no connections.


plemaster

ASKER

Well I finally figured out the issue with a little help from my boss and a couple of other web sites. We had it configured correctly all along. The issue was that we all had the SecuRemote VPN clients installed as well as the Cisco VPN clients and it appears on knowledge bases on Checkpoint and Cisco that the clients do not play well together at all. The work around is to disable either the Deterministic Network Enhancer or the Check Point SecuRemote in the local area connections properties. Finally!!!

Hello,

I am having the exact same problem. I use CISCO VPN Client 3.5.4 (REL) and from my DSL connections no local LAN access. Works fine from a notebook and dialup internet.

I have tried disabling the Deterministic Network Enhancer on the remote workstation but it does not allow me to use the VPN client with it disabled.

I get this message once I connect:

Either there is no default mail client or the current mail client cannot fulfill the messaging request. Please run Microsoft Outlook and set it as the default mail client.

What else could it be?

Thanks,

Rob

plemaster

ASKER

I did have the issue with no local lan, but we have fixed that problem. We had Check Point's SecureClient installed also. If we disable the Check Point SecureClient in the local area connections the Cisco VPN client works fine from my DSL connection on a 10.x.x.x network and I can access my local lan and the remote lan and the internet.

If you are having trouble with yours try the following:

Make sure the VPN IP pool is set up on a different IP range than your remote network.

For example:

the network address at your office is 192.168.128.0
make the VPN pool 192.168.129.0
ensure split tunneling is on and, to test, make single entries, like for a server on your network: 192.168.128.1 255.255.255.255
make sure to enable split DNS also if you want to use DNS entries from the remote network.
If you are using anything below 4.01 for Cisco the allow local lan does nothing, this is all configured on the PIX itself.


I have added "split DNS" my dns server on my local lan but still nothing. I can connect to the PIX no worries but can't see or ping any device on the remote lan.

From a notebook and dialup internet access it works perfectly. The same Cisco client and the same settings? What is going on to stop my DSL connection from seeing the remote lan?

I am behind a FreeBSD Firewall. Could this affect it?

Thanks,

Rob

plemaster

ASKER

If you are not able to connect to your remote lan you need to add the split_tunnel as well. If you are trying to connect to a server on the remote lan you have to add it as follows.

192.168.1.1 255.255.255.255   this is for a single node

or for a network

192.168.1.0 255.255.255.0

make sure this vpn ip pool is on a different subnet than your remote lan.
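The addressing rules plemaster lists above (pool on a different range than the office LAN, split-tunnel ACL entries that actually name the office network) can be checked mechanically against a PIX 6.x config. The following Python is an added example and not code from the thread; it assumes the PIX 6.x convention that the source side of the split-tunnel ACL names the protected network, and the config fragments, the ACL name st and the client-LAN argument are constructed.

```python
import ipaddress
import re

def split_tunnel_networks(config, group):
    # Networks the client sends into the tunnel: the source side of the
    # split-tunnel ACL (PIX 6.x convention). No split-tunnel line = full tunnel.
    m = re.search(rf"^vpngroup {re.escape(group)} split-tunnel (\S+)$", config, re.M)
    if not m:
        return [ipaddress.ip_network("0.0.0.0/0")]
    pat = rf"^access-list {re.escape(m.group(1))} permit ip (.+)$"
    nets = []
    for entry in re.finditer(pat, config, re.M):
        f = entry.group(1).split()
        if f[0] == "host":
            nets.append(ipaddress.ip_network(f"{f[1]}/32"))
        elif f[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        else:  # "network mask ..." form, e.g. 192.168.128.0 255.255.255.0 any
            nets.append(ipaddress.ip_network(f"{f[0]}/{f[1]}"))
    return nets

def address_pool(config, group):
    # First and last address of the "ip local pool" bound to the vpngroup.
    m = re.search(rf"^vpngroup {re.escape(group)} address-pool (\S+)$", config, re.M)
    p = m and re.search(rf"^ip local pool {re.escape(m.group(1))} (\S+)-(\S+)$", config, re.M)
    if not p:
        raise ValueError(f"no address pool bound to vpngroup {group}")
    return ipaddress.ip_address(p.group(1)), ipaddress.ip_address(p.group(2))

def check_addressing(config, group, office_lan, client_lan):
    # Returns the reasons the remote LAN may be unreachable; [] means it looks sane.
    office = ipaddress.ip_network(office_lan)
    client = ipaddress.ip_network(client_lan)
    first, last = address_pool(config, group)
    findings = []
    if first in office or last in office:
        findings.append("VPN pool overlaps the office LAN")
    if first in client or last in client:
        findings.append("VPN pool overlaps the client's local LAN")
    if office.overlaps(client):
        findings.append("client's local LAN overlaps the office LAN")
    if not any(n.overlaps(office) for n in split_tunnel_networks(config, group)):
        findings.append("split-tunnel ACL does not cover the office LAN")
    return findings

# Constructed PIX fragments in the same shape as the configs posted in the thread.
WORKING = ("ip local pool kii 192.168.129.1-192.168.129.40\n"
           "access-list st permit ip 192.168.128.0 255.255.255.0 any\n"
           "vpngroup kii address-pool kii\nvpngroup kii split-tunnel st\n")
MISMATCHED = ("ip local pool kii 192.168.220.1-192.168.220.40\n"
              "access-list st permit ip host 192.168.1.1 any\n"
              "vpngroup kii address-pool kii\nvpngroup kii split-tunnel st\n")
```

Running check_addressing(MISMATCHED, "kii", "192.168.0.0/24", "192.168.0.0/24") flags both the overlapping client LAN and a split-tunnel entry that never reaches the office network, which is the combination described later in the thread.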


Ok.

Here what I have done:

My remote network IP's are 192.168.0.x 255.255.255.0
My VPN client is behind a firewall on a network 192.168.0.x 255.255.255.0
My PIX is setup with the VPN pool of 192.168.220.x 255.255.255.255

Under the split tunneling I have setup: 192.168.1.1 255.255.255.255
Under DNS I have added the remote DNS which is an internal windows 2000 DNS.

I have also added the primary DNS and WINS and domain to the pool. For my remote network.

Is that correct?

Thanks,

Rob


On My VPN Client the details say:

Authentication: HMAC-SHA
Transparent Tunneling: Inactive
Tunnel Port 0
Compression: None
Local LAN Access: Disabled


???

I have tried changing the Split tunneling entry to: 192.168.0.0 and 192.168.0.1 still nothing?? I'm lost :(

I have the same problem...

VPN 4.01 ---> PIX1---> Internet ---> PIX2---> Destination network servers, etc...

I connect to the outside of PIX2, but have the inactive tunnel issue = no traffic can flow

Ideas?

I've yet to gain access to PIX2...I think IT must be the problem...

One thing that may help robbo007 is to upgrade to 6.3(3) and enable NAT-T (isakmp nat-t)

-Skip

plemaster

ASKER

Here is an example of a working PIX 501.  There are www, smtp, rdp services on the same internal server.  Client users using Cisco VPN 3.6 have access to the remote server and network and their local lan as well.

But we are going from VPN 3.6 ---> Linksys---->Internet---->Pix501

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname xxxxxxxxxxxx
domain-name xxxxxxxxxxx.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service RDP tcp-udp
  port-object range 3389 3389
access-list inside_outbound_nat0_acl permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.129.0 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.129.0 255.255.255.0
access-list kii_splitTunnelAcl permit ip host 192.168.128.101 any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.129.0 255.255.255.0
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit tcp any interface outside eq https
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside 192.168.128.101
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.128.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool kii 192.168.129.100-192.168.129.130
pdm location 192.168.128.0 255.255.255.0 inside
pdm location 192.168.129.0 255.255.255.0 inside
pdm location 192.168.128.101 255.255.255.255 inside
pdm location xx.xx.xxx.xxx 255.255.255.255 outside ***** the xx.xx.xxx.xxx.would be your public IP
pdm location 192.168.128.102 255.255.255.255 inside
pdm location 192.168.128.0 255.255.255.0 outside
pdm location 192.168.129.0 255.255.255.0 outside
pdm location 192.168.129.0 255.255.255.224 outside
pdm location 192.168.129.0 255.255.255.192 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 3 interface
global (inside) 2 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 3 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.128.101 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.128.101 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.128.101 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.128.101 https netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
http server enable
http 192.168.128.0 255.255.255.0 inside
http 192.168.129.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup kii address-pool kii
vpngroup kii dns-server 192.168.128.101 63.165.123.142
vpngroup kii wins-server 192.168.128.101
vpngroup kii default-domain xx.local
vpngroup kii split-tunnel kii_splitTunnelAcl
vpngroup kii split-dns xx.local
vpngroup kii idle-time 1800
vpngroup kii password ********
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xxxxxxxx@xxxxxxxx.com
vpdn group pppoe_group ppp authentication pap
vpdn username xxxxxxxx@xxxxxxxx.com password ********* store-local
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username xxxxx password xxxxxxxxx encrypted privilege 15
username xxxxx password xxxxxxxxx encrypted privilege 15
username xxxxx password xxxxxxxxx encrypted privilege 15
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end


Hello.

Just a quick question to clarify all this.

If my remote network has an internal IP range of 192.168.0.x and my PC connecting to the remote network is behind a FreeBSD Firewall and on a LAN using an IP range of 192.168.0.x, but my PIX assigned IP pool is 192.168.220.x, would this work? Or would this conflict and not allow me to have local LAN access on the remote site?

Or do you have to have different IP ranges for your remote and local LANS?

At present I connect like this:

Windows 2000 CISCO VPN Client  ===> Hub ===> FreeBSD Firewall ===> 3Com Router 816 ===> Internet ===> PIX 501 ===> Switch ===> Remote office LAN
