07.23.2008 at 02:58AM PDT, ID: 23587877
PIX 501 VPN remote access - cannot reach internet / dns

Asked by WendellUrth in Cisco PIX Firewall, Virtual Private Networking (VPN), Enterprise Firewalls

Tags: Cisco, Pix, 501

Hi all,
I have a Cisco PIX 501 set up at the office to provide firewall and VPN. Internet connection is working fine from Office -> PIX -> Internet.

I have been through the VPN wizard to enable remote access and enabled NAT traversal. This allows me to ping and remote desktop to hosts in my office, from home.

A number of our servers in datacenters are locked down to only allow connections from certain IPs - in this case the external address of the PIX 501 at our office. I need to be able to VPN from home and then access these servers securely. Therefore these servers must be accessed from the external IP address of the PIX.

With the configuration below I CAN access internal hosts when VPN'd into the office, but I cannot browse the internet or ping hosts on the internet when VPN'd into the office.

Can someone be kind enough to advise me how I can configure this? Split tunnelling would not suffice, as the traffic would not be coming from the office network!

I have more public ip addresses available if that would assist the configuration.

I have included my firewall config below with any company-specific details, public IPs and passwords hashed out.

I have included my IP config output once connected to the VPN, if that helps!
ip local pool xxxxxx_VPN 192.168.10.10-192.168.10.20
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xx.xxx.149.89 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL 
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup xxxxxx address-pool xxxxxx_VPN
vpngroup xxxxxx dns-server xx.xxx.230.10 xx.xxx.231.8
vpngroup xxxxxx idle-time 1800
vpngroup xxxxxx password xxxxxxx
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.2-10.0.0.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username testuser password xxxxxxxxxx encrypted privilege 15
terminal width 80

My ip config output:

Windows IP Configuration
 
        Host Name . . . . . . . . . . . . : xxxxxx
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Mixed
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
 
PPP adapter T-Mobile:
 
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.35.180.90
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 10.35.180.90
        DNS Servers . . . . . . . . . . . : 149.254.192.126
                                            149.254.201.126
        Primary WINS Server . . . . . . . : 10.11.12.13
        Secondary WINS Server . . . . . . : 10.11.12.14
        NetBIOS over Tcpip. . . . . . . . : Disabled
 
Ethernet adapter PUBLIC:
 
        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection
        Physical Address. . . . . . . . . : 00-13-72-1B-1B-24
 
Ethernet adapter Local Area Connection:
 
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Cisco Systems VPN Adapter
        Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.10.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.10
        DNS Servers . . . . . . . . . . . : xx.xxx.xxx.10
                                            xx.xxx.xxx.8
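The symptom in the question (LAN reachable, Internet and DNS not) follows from two things visible in the posted config: the vpngroup has no split-tunnel ACL, so every client packet, including the DNS lookups to the pushed servers, goes through the tunnel; and NAT is defined only on the inside interface, so nothing translates a 192.168.10.x source arriving on the outside interface back out to the Internet. The script below is an added example, not the poster's code and not any of the (hidden) replies: it parses the config lines as posted and reports those two conditions, plus the default SNMP community string a reviewer would flag in passing. It assumes the office LAN is 10.0.0.0/24 (taken from the http and dhcpd lines) and treats the masked "xx.xxx." addresses as public, which is what the poster masked. The check for a NAT rule on the outside interface is shown as a generalisation: such a rule is what a later PIX 7.x/ASA platform would need, where hairpinning is enabled with "same-security-traffic permit intra-interface"; PIX 6.3 on the 501 does not forward VPN client traffic back out the interface it arrived on, so on this box the rule alone would not complete the path.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the poster's sanitized config,
# with the xx.xxx masking kept exactly as posted.
PIX_CONFIG = """\
ip local pool xxxxxx_VPN 192.168.10.10-192.168.10.20
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xx.xxx.149.89 1
snmp-server community public
sysopt connection permit-ipsec
isakmp nat-traversal 20
vpngroup xxxxxx address-pool xxxxxx_VPN
vpngroup xxxxxx dns-server xx.xxx.230.10 xx.xxx.231.8
vpngroup xxxxxx idle-time 1800
"""

# Assumption: the office LAN is 10.0.0.0/24 (taken from the http/dhcpd
# lines; the excerpt does not include the 'ip address inside' line).
INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (.*)$")


def parse_pix(text):
    """Extract address pools, vpngroups, nat rules and SNMP communities."""
    cfg = {"pools": {}, "vpngroups": {}, "nat": [], "snmp": []}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[:3] == ["ip", "local", "pool"]:
            start, end = parts[4].split("-")
            cfg["pools"][parts[3]] = (ipaddress.ip_address(start),
                                      ipaddress.ip_address(end))
        elif parts[0] == "vpngroup":
            grp = cfg["vpngroups"].setdefault(
                parts[1], {"pool": None, "dns": [], "split_tunnel": None})
            if parts[2] == "address-pool":
                grp["pool"] = parts[3]
            elif parts[2] == "dns-server":
                grp["dns"].extend(parts[3:])
            elif parts[2] == "split-tunnel":
                grp["split_tunnel"] = parts[3]
        elif parts[0] == "nat":
            m = NAT_RE.match(line)
            if m:
                cfg["nat"].append((m.group(1), int(m.group(2)), m.group(3)))
        elif parts[:2] == ["snmp-server", "community"]:
            cfg["snmp"].append(parts[2])
    return cfg


def on_inside_net(addr):
    """True if addr is on the LAN. Masked 'xx.xxx.' addresses cannot be
    parsed; the poster masked only public IPs, so treat them as public."""
    try:
        return ipaddress.ip_address(addr) in INSIDE_NET
    except ValueError:
        return False


def nat_covers_pool(spec, pool):
    """Does a 'nat (iface) id A.B.C.D MASK ...' spec include the pool?"""
    fields = spec.split()
    if len(fields) < 2 or fields[0] == "access-list":
        return False  # policy NAT via an ACL that is not in the excerpt
    try:
        net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}", strict=False)
    except ValueError:
        return False
    return pool[0] in net and pool[1] in net


def audit(cfg):
    """Return sorted finding codes for the VPN client egress problem."""
    findings = set()
    for grp in cfg["vpngroups"].values():
        if grp["split_tunnel"] is not None:
            continue  # split tunnel: Internet and DNS go direct, not via PIX
        findings.add("TUNNEL_ALL")
        if any(not on_inside_net(d) for d in grp["dns"]):
            findings.add("DNS_NOT_ON_LAN")  # lookups must also hairpin
        pool = cfg["pools"].get(grp["pool"])
        if pool and not any(iface == "outside" and nat_covers_pool(spec, pool)
                            for iface, _, spec in cfg["nat"]):
            findings.add("POOL_NOT_NATTED_ON_OUTSIDE")
    if any(c in ("public", "private") for c in cfg["snmp"]):
        findings.add("SNMP_DEFAULT_COMMUNITY")
    return sorted(findings)


if __name__ == "__main__":
    for code in audit(parse_pix(PIX_CONFIG)):
        print(code)
```

Run as-is it prints all four finding codes for the posted config. Appending a "vpngroup xxxxxx split-tunnel <acl>" line clears the three tunnel-related findings, which is why the replies to a question like this usually start by asking whether split tunnelling is acceptable; the remaining finding, the "public" community string, is independent of the VPN and worth changing regardless of how the routing question is settled.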
07.23.2008 at 10:35AM PDT, ID: 22071750 (Expert Comment)

07.24.2008 at 04:30AM PDT, ID: 22077884 (Author Comment)

07.24.2008 at 07:34AM PDT, ID: 22079567 (Expert Comment)

07.24.2008 at 07:56AM PDT, ID: 22079849 (Author Comment)

07.24.2008 at 08:04AM PDT, ID: 22079963 (Expert Comment)

07.24.2008 at 08:07AM PDT, ID: 22079994 (Author Comment)

07.24.2008 at 09:13AM PDT, ID: 22080753 (Author Comment)

07.30.2008 at 05:48AM PDT, ID: 22119830 (Solution)


About this solution

Solution Provided By: WendellUrth
Participating Experts: 1
Solution Grade: A