I have been able to route to the second interface (intf2) from inside the LAN. Remote VPN clients are in the same subnet and can access internal resources, and access the internet with split tunnel, but are unable to contact anything on intf2.
I have tried adding static routes, and also removed split tunnel, but to no avail.
PIX Version 7.2(2)
!
hostname LSPFWDSL
domain-name xxxxxxx.com.au
enable password <removed>
names
.........
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.0.0.5 255.255.255.0
ospf cost 10
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.1.11.7 255.255.255.0
ospf cost 10
rip send version 2
!
interface Ethernet2
nameif intf2
security-level 4
ip address dhcp setroute
ospf cost 10
rip send version 2
!
passwd <removed>
!
time-range Daytime-Workweek
periodic Monday 14:00 to Friday 17:30
periodic Monday 17:30 to Friday 13:00
!
time-range PohTime
absolute start 09:30 04 October 2007 end 17:00 04 October 2007
!
time-range war
periodic Monday 16:51 to Friday 17:39
periodic daily 13:00 to 13:30
periodic daily 10:00 to 10:29
periodic daily 11:00 to 11:30
periodic daily 12:00 to 12:30
periodic daily 9:00 to 9:29
!
boot system flash:/image.bin
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns domain-lookup outside
dns domain-lookup intf2
dns server-group DefaultDNS
domain-name lspcoms.com.au
........
access-list lsp_splitTunnelAcl standard permit VPNACCESS 255.255.255.0
access-list lsp_splitTunnelAcl standard permit SecondIntranet 255.255.0.0
access-list intf2_nat0_outbound extended permit ip VPNACCESS 255.255.255.0 VPNACCESS 255.255.255.0
access-list intf2_nat0_outbound extended permit ip SecondIntranet 255.255.0.0 VPNACCESS 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm notifications
logging device-id hostname
logging host inside gcost
logging host inside syslog
mtu outside 1400
mtu inside 1500
mtu intf2 1500
ip local pool remotepool2 192.1.11.145-192.1.11.146
ip local pool SoftPhonePool 192.1.11.108-192.1.11.109
ip local pool vpnpool 192.1.11.112-192.1.11.139
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name infodrop info action alarm drop reset
ip audit name attachlog attack action alarm
ip audit name dropandlog attack action alarm drop reset
ip audit interface outside dropandlog
ip audit interface inside attachlog
ip audit signature 1000 disable
ip audit signature 1001 disable
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 6050 disable
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/pdm
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 2 ExchangeSrv
global (intf2) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (intf2) 0 access-list intf2_nat0_outbound
static (inside,outside) ExchgeStaticMap ExchangeSrv netmask 255.255.255.255
static (inside,outside) 10.0.0.86 VDCBOX netmask 255.255.255.255 dns
static (inside,outside) 10.0.0.87 LSPCRM netmask 255.255.255.255
static (inside,outside) 10.0.0.20 VOIPSignalling netmask 255.255.255.255
static (inside,outside) 10.0.0.88 PBX7400MCP netmask 255.255.255.255
static (inside,outside) 10.0.0.89 PBX7400MGI netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group intf2_access_in in interface intf2
route outside 0.0.0.0 0.0.0.0 LSPRouter 1
route inside 192.168.60.0 255.255.255.0 192.1.11.1 1
route intf2 SecondIntranet 255.255.0.0 172.24.40.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server value 192.1.11.77 192.1.11.2
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list value lspryanmehlhopt_splitTunnelAcl
default-domain value lspcoms.com.au
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
group-policy LSPVPN internal
group-policy LSPVPN attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LSPVPN_splitTunnelAcl
default-domain value lspcoms.com.au
....
http server enable
http gcost 255.255.255.255 inside
http RaysNotebook 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
sysopt connection tcpmss 1360
sysopt noproxyarp inside
service internal
service resetinbound
service resetoutside
...
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint LSPCRL
enrollment self
serial-number
crl configure
crypto ca certificate chain LSPCRL
certificate 31
....
quit
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 60
....
tunnel-group lsp type ipsec-ra
tunnel-group lsp general-attributes
address-pool vpnpool
default-group-policy lsp
tunnel-group lsp ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
dhcpd ping_timeout 750
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect ils
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
tftp-server inside xxxx /InternetPIX
smtp-server 192.1.11.2
prompt hostname context
: end
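As an added check, not part of the original question or of the poster's configuration: a small Python script that parses the pieces of a PIX 7.x config that matter for VPN-client-to-interface reachability, in the same form as the config posted above. For each `ip local pool` it reports whether the whole pool range is the destination side of a `permit ip` line in the interface's `nat (intf2) 0 access-list`, and whether that line's source network is covered by a `route intf2` entry. The embedded sample config is constructed: the post elides its `names` block, so the `name` values for VPNACCESS and SecondIntranet below are hypothetical stand-ins, and the pool addresses are deliberately different from the poster's so that one pool comes out covered and one uncovered.

```python
import ipaddress
import re

# Constructed sample in the style of the posted PIX 7.2 configuration.
# The `name` values are hypothetical: the original post elides its `names`
# block, so these are stand-ins, not the poster's real addressing.
SAMPLE_CONFIG = """\
name 10.10.10.0 VPNACCESS
name 172.24.0.0 SecondIntranet
access-list intf2_nat0_outbound extended permit ip VPNACCESS 255.255.255.0 VPNACCESS 255.255.255.0
access-list intf2_nat0_outbound extended permit ip SecondIntranet 255.255.0.0 VPNACCESS 255.255.255.0
ip local pool remotepool2 10.10.10.145-10.10.10.146
ip local pool vpnpool 10.10.11.112-10.10.11.139
nat (intf2) 0 access-list intf2_nat0_outbound
route intf2 SecondIntranet 255.255.0.0 172.24.40.1 1
"""


def parse_names(cfg):
    """Map PIX `name <ip> <label>` entries so labels can be resolved."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"^name (\S+) (\S+)", cfg, re.M)}


def to_network(addr, mask, names):
    """Resolve a `name` label if present and build a network from addr/mask."""
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)


def parse_pools(cfg):
    """`ip local pool NAME A-B` -> {NAME: (first_address, last_address)}"""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                             ipaddress.ip_address(m.group(3)))
    return pools


def parse_ip_permits(cfg, acl_name, names):
    """Return (src_net, dst_net) for each `permit ip` line of an extended ACL.
    In a `nat (iface) 0 access-list` the source is the iface side and the
    destination is the remote side, so VPN pools belong on the destination."""
    pat = (rf"^access-list {re.escape(acl_name)} extended permit ip "
           r"(\S+) (\S+) (\S+) (\S+)")
    return [(to_network(a, am, names), to_network(b, bm, names))
            for a, am, b, bm in re.findall(pat, cfg, re.M)]


def nat0_acl(cfg, iface):
    """Name of the identity-NAT ACL bound with `nat (iface) 0 access-list`."""
    m = re.search(rf"^nat \({re.escape(iface)}\) 0 access-list (\S+)", cfg, re.M)
    return m.group(1) if m else None


def routes_on(cfg, iface, names):
    """`route IFACE NET MASK GW ...` -> [(network, gateway)]"""
    pat = rf"^route {re.escape(iface)} (\S+) (\S+) (\S+)"
    return [(to_network(n, m, names), gw)
            for n, m, gw in re.findall(pat, cfg, re.M)]


def check_pools(cfg, iface="intf2"):
    """For each VPN pool: is the entire range a destination of some identity-NAT
    entry on IFACE, and which of those entries' source networks are routed
    out IFACE. A pool with nat_exempt False has no exemption at all."""
    names = parse_names(cfg)
    acl = nat0_acl(cfg, iface)
    entries = parse_ip_permits(cfg, acl, names) if acl else []
    routes = routes_on(cfg, iface, names)
    report = {}
    for pool, (lo, hi) in parse_pools(cfg).items():
        covering = [src for src, dst in entries if lo in dst and hi in dst]
        routed = [src for src in covering
                  if any(src.subnet_of(r) for r, _ in routes)]
        report[pool] = {"nat_exempt": bool(covering),
                        "routed_src": [str(s) for s in routed]}
    return report


if __name__ == "__main__":
    for pool, result in check_pools(SAMPLE_CONFIG).items():
        print(f"{pool}: {result}")
```

Feed it `show running-config` output (after filling in the real `names` block) to see at a glance which pool ranges the intf2 exemption list does and does not cover; it only reports configuration coverage and does not replace `packet-tracer` or a capture on the box.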