How can I allow my VPN clients to access the Internet and trusted resources once they log in successfully from the VPN client?

Dear expert,

I actually used the VPN wizard on the Cisco PIX 515E firewall to set up the remote VPN client. Once the wizard completed, I used one of the PCs to connect to the Internet via a 56k dial-up modem. After I had successfully connected from my PC to the trusted side, I tried to ping the local server IP address and all seemed to work fine, and I could map a drive as well. But once I try to surf the Internet, it cannot surf the Internet.

My Question:

1. When I did ipconfig, I found my default gateway IP address is the same as my own IP address. Please advise why this happens?
The firewall should issue me the real firewall IP as my default gateway, right?

2. Why can't I even surf the Internet? What do I need to configure on the firewall or VPN client to enable remote users to access the Internet and also access trusted resources?

Thanks,

regards,
JK


johnkooAsked:

grbladesCommented:
1. This is correct.

2. You need to configure split-tunneling on the PIX so that only traffic destined to your range of IP addresses at work is sent across the VPN and all other traffic is sent over the Internet directly. Doing this though is less secure.
If you have PIX V7 software then you can do as you are doing now and the traffic will go to the PIX and then out the Internet.
grbladesCommented:
If your network at work is on 10.0.x.x for example and the VPN group name is 'groupname' then you would add the following to the PIX.

access-list splitTunnelAcl permit ip 10.0.0.0 255.255.0.0 any
vpngroup groupname split-tunnel splitTunnelAcl
johnkooAuthor Commented:
Hi grblades,

What is PIX V7? Is this the software for the Cisco PIX 515E firewall or for the VPN remote client?

I have also tried to configure split-tunneling on the PIX. There are two options: the first uses the "dynamic-20"...? and the second option allows me to choose all internal (0.0.0.0 0.0.0.0) or DMZ or a particular PC. I chose 0.0.0.0 0.0.0.0 and it still cannot access the Internet till now? Because I am trying now...

Please advise..

grbladesCommented:
The version of the software on your PIX is probably 6.3. Version 7 is fairly new and has a lot of feature benefits one of which is the ability to re-route incoming traffic over a VPN back out to the internet.

I guess you are using the cisco PDM web configuration utility. There should be an option there to show the current configuration. Copy this into notepad etc... and replace any passwords and your external IP address with *'s and paste it here and I will tell you what you need to add.

To add the extra configuration you can either connect to it using an SSH client or connect over the serial port.
johnkooAuthor Commented:
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 7JzCpTbzE0NFXw5u encrypted
passwd JdsH18ccyvzUMLMj encrypted
hostname sm-fw-1
domain-name xxx.com
clock timezone SGT 8
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service TCP_UDP_block tcp-udp
  port-object range 135 139
access-list acl_outside_in deny tcp any object-group TCP_UDP_block any object-group TCP_UDP_block
access-list acl_outside_in deny tcp any any eq 5554
access-list acl_outside_in deny tcp any any eq 9996
access-list acl_outside_in deny tcp any any eq 445
access-list acl_outside_in deny tcp any host 202.56.140.75 eq https
access-list acl_outside_in deny tcp any host 202.56.140.75 eq 2535
access-list acl_outside_in deny tcp any host 202.56.140.75 eq 6789
access-list acl_outside_in deny tcp any host 202.56.140.75 eq 4751
access-list acl_outside_in deny tcp any host 202.56.140.75 eq 2556
access-list acl_outside_in permit tcp any host 202.56.140.75 eq www
access-list acl_outside_in deny tcp any host 202.56.140.75 eq smtp
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 9100
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 53000
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 51000
access-list acl_outside_in permit tcp any host 202.56.140.74 eq www
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 8101
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 8100
access-list acl_outside_in permit tcp any host 202.56.140.76 eq 8019
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 8019
access-list acl_outside_in permit tcp any host 202.56.139.84 eq smtp
access-list acl_outside_in permit udp any host 202.56.140.76 eq domain
access-list acl_outside_in permit tcp any host 202.56.140.76 eq domain
access-list acl_outside_in permit tcp any host 202.56.140.76 eq www
access-list acl_outside_in permit tcp any host 202.56.140.76 eq ftp
access-list acl_outside_in permit tcp any host 202.56.140.76 eq ftp-data
access-list acl_outside_in permit udp any host 202.56.140.77 eq domain
access-list acl_outside_in permit tcp any host 202.56.140.77 eq domain
access-list acl_outside_in permit tcp any host 202.56.140.77 eq www
access-list acl_outside_in permit tcp any host 202.56.140.77 eq ftp
access-list acl_outside_in permit tcp any host 202.56.140.77 eq ftp-data
access-list acl_outside_in permit tcp 192.168.1.48 255.255.255.248 any
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.15 eq www
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.15 eq 5799
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.15 eq 5800
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.16 eq www
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.16 eq 5799
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.16 eq 5800
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.16 eq 8019
access-list acl_dmz_in permit tcp host 172.16.1.31 host 172.16.1.13 eq smtp
access-list acl_dmz_in permit ip any any
access-list inside_outbound_nat0_acl permit ip host 192.168.1.7 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.1.12 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.1.13 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.1.15 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.1.16 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.1.168 255.255.255.248
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.1.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.1.48 255.255.255.248
access-list outside_nat0_inbound permit ip any 192.168.2.0 255.255.255.0
access-list dmz_nat0_outbound permit ip host 172.16.1.21 192.168.1.200 255.255.255.252
access-list inside_access_in permit ip any any
access-list VPN_splitTunnelAcl permit ip any any
access-list VPN_splitTunnelAcl permit ip host 192.168.1.50 any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.48 255.255.255.248
pager lines 24
logging on
logging trap informational
logging facility 16
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xx.xx.xx.xx 255.255.255.0
ip address inside xx.xx.xx.xx 255.255.248.0
ip address dmz xx.xx.xx.xx 255.255.248.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm drop
ip local pool VPN 192.168.1.50-192.168.1.55
pdm location 192.168.0.0 255.255.248.0 inside
pdm location 192.168.1.7 255.255.255.255 inside
pdm location 192.168.1.12 255.255.255.255 inside
pdm location 192.168.1.13 255.255.255.255 inside
pdm location 192.168.1.15 255.255.255.255 inside
pdm location 192.168.1.16 255.255.255.255 inside
pdm location 172.16.1.21 255.255.255.255 dmz
pdm location 172.16.1.41 255.255.255.255 dmz
pdm location 192.168.2.174 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.1.14 255.255.255.255 inside
pdm location 172.16.1.31 255.255.255.255 dmz
pdm location 172.16.1.42 255.255.255.255 dmz
pdm location 192.168.1.20 255.255.255.255 inside
pdm location 192.168.1.200 255.255.255.252 outside
pdm location 192.168.1.192 255.255.255.192 outside
pdm location 192.168.1.48 255.255.255.248 outside
pdm history enable
arp timeout 14400
global (outside) 1 202.56.140.73 netmask 255.255.255.255
global (outside) 3 202.56.140.77 netmask 255.255.255.255
global (dmz) 1 172.16.1.50
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 3 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 202.56.140.75 192.168.1.7 netmask 255.255.255.255 0 0
static (dmz,outside) 202.56.140.74 172.16.1.21 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.32 192.168.1.13 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.16 192.168.1.16 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.15 192.168.1.15 netmask 255.255.255.255 0 0
static (dmz,outside) 202.56.140.76 172.16.1.41 netmask 255.255.255.255 0 0
static (dmz,outside) 202.56.140.77 172.16.1.42 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.13 192.168.1.7 netmask 255.255.255.255 0 0
static (dmz,outside) 202.56.139.84 172.16.1.31 netmask 255.255.255.255 0 0
access-group acl_outside_in in interface outside
access-group inside_access_in in interface inside
access-group acl_dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 202.56.139.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.12 255.255.255.255 inside
http 192.168.1.7 255.255.255.255 inside
http 192.168.1.13 255.255.255.255 inside
http 192.168.2.174 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp nat-traversal 3600
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup VPN address-pool VPN
vpngroup VPN dns-server 192.168.1.12 192.168.1.13
vpngroup VPN default-domain squiremech.com
vpngroup VPN split-tunnel VPN_splitTunnelAcl
vpngroup VPN idle-time 1800
vpngroup VPN password ********
telnet 192.168.1.12 255.255.255.255 inside
telnet 192.168.1.13 255.255.255.255 inside
telnet 192.168.1.7 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username c265sp password Up3qxqtpjmJhljCJ encrypted privilege 15
username b028nkh nopassword privilege 15
username administrator password PqawQ1FSVJwZYG/K encrypted privilege 15
username william password 82z.W5VEeU9AETZ. encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
vpnclient server 192.168.1.1
vpnclient mode client-mode
vpnclient vpngroup VPN password ********
vpnclient username johnkoo password ********
terminal width 80
Cryptochecksum:243c4cf0479770714a7ba1049a4d7f4f
: end
[OK]

grbladesCommented:
Add the following configuration to erase the current split-tunnel ACL and create a new one.
Then once you disconnect and reconnect your VPN client you should be able to browse the Internet and access the work network.

no access-list VPN_splitTunnelAcl
access-list VPN_splitTunnelAcl permit ip 192.168.0.0 255.255.248.0 any
grbladesCommented:
> ip local pool VPN 192.168.1.50-192.168.1.55

This could cause you problems. You should be using an IP address range which is on a different logical network otherwise you can get unpredictable connection issues to some internal machines. If you use something like the following it should work better.

ip local pool VPN 192.168.9.50-192.168.9.55
johnkooAuthor Commented:
Hi, grblades... you are great..

But can I check with you... even now I can access both the Internet and trusted resources.. but when I do ipconfig I also can't find the gateway... it's empty... Why?

I can't ping my gateway 192.168.1.1... and what did I previously do wrong in the split-tunneling configuration? Please advise.
How do you know the IP range 192.168.0.0 with 255.255.248.0 can work for both? Thanks very much...

regards,
JK
grbladesCommented:
If you do an ipconfig on the client while the VPN is running it will normally show your current IP address as the gateway. The reason for this is that the VPN software running on your PC is actually the gateway. Packets destined for the Internet it sends out to the Internet gateway while other packets are encrypted and then sent out.

No, you won't be able to ping 192.168.1.1. The reason for this is that VPN traffic from the client is sent straight out the internal interface so the interface itself does not have a chance to see the traffic and respond to it itself. This is the same reason why you could not access the Internet before.

Your split-tunnel configuration before had 0.0.0.0/0.0.0.0 which basically means send everything over the VPN and is effectively the same as not defining a split-tunnel. The new config says to send everything destined to 192.168.0.0/255.255.248.0 over the VPN and everything else to the Internet normally.

johnkooAuthor Commented:
Hi... grblades...

Yeah.. I got your reply... thanks..

But.. you are saying the new config will send everything for the network 192.168.0.0/255.255.248.0 over the VPN and everything else to the Internet normally, right.. meaning 192.168.1.50 to 192.168.1.55 is in the destined network... it should be sent over the VPN, but why is it still able to access the Internet?

As I understand from your comment.. all the network in between 192.168.0.0/255.255.248.0 will be sent over the VPN.. which means it cannot access the Internet.. but only the trusted zone. Those networks not inside the range will be able to surf the Internet as per normal, right???? This is my understanding.. please advise.. thanks
grbladesCommented:
The new config only affects the VPN client. It won't affect what your servers inside your network can do.
When your client accesses 192.168.0.0/255.255.248.0 it goes over the VPN. When the client accesses any other address it goes straight out their normal internet connection.
johnkooAuthor Commented:
Hi grblades,

I have successfully configured it to allow the external user to access the internal zone plus surf the Internet. I have set the split tunneling for my internal network address to be 192.168.0.0/255.255.248.0. So.. if I use the IP pool on the 192.168.1.x network, it is working fine.

But if I choose to use another logical network address, for example 192.168.5.1 to .5.10... the Internet access is working fine but I can't access my internal network. I ping any of the PCs or servers within the internal network and get no reply... please advise.. thanks

Since I have allowed the VPN client to access my internal (192.168.0.0/21) network and if I choose the IP pool 192.168.5.x, the range still falls into the above 192.168.0.0/21... I should be able to connect to the internal network and surf the net, right... but now I can only surf the net and cannot access any of the internal network.. please advise?

Thanks..
grbladesCommented:
With a subnet mask of /255.255.248.0 the range of IP addresses is from 192.168.0.0 through 192.168.7.255 and therefore 192.168.5.1 is not a different logical network. I suggest you try using something like 192.168.9.1 to .9.10.
johnkooAuthor Commented:
Hi.. grblades,

I have done it. Now my VPN client is using the IP pool address of 192.168.9.x/21. But now all my remote clients via VPN are only allowed to surf the Internet and cannot access the internal network.

I tried to ping all of my internal network and got no reply. Now I can't access the internal network but can only access the Internet.

pls advise,

thks,

regards,
JK
johnkooAuthor Commented:
Hi...

My internal network is 192.168.0.0/21..... but I'm using the 192.168.9.x IP pool...
grbladesCommented:
The servers have the PIX defined as their default gateway?
The servers are all configured with the correct 255.255.248.0 netmask?

Save the config on the PIX and give it a reboot as it is possible to confuse the VPN if you change the configuration.
johnkooAuthor Commented:
Yep.. all the servers and clients point to the firewall (192.168.1.1) as gateway and the netmask is 255.255.248.0.

As I understand, my internal network IP pool is 192.168.1.x till 192.168.7.x. The new logical network is 192.168.9.x, which is located outside the internal IP range. It should not work, right?... Do I need to do anything to the firewall access rules?

regards,
JK
grbladesCommented:
The reason why it should be outside the internal IP range is so that the response is always sent back to the PIX.
If you use an IP range on the internal network then it will tend to work because most systems will send the packet back to the same device that sent it. However this is not guaranteed for every operating system and some may try to lookup the MAC address to send the response back to and in this case it will fail.

You don't need to update any firewall settings but you do need to make sure that the response is not being NAT'd. In your case you need to add the following line :-

access-list inside_outbound_nat0_acl permit ip any 192.168.9.0 255.255.255.0
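As an added worked example (not from this thread or from Cisco), the three conditions grblades walks through, namely the protected /21 in the split-tunnel ACL, a client pool outside the inside subnet, and a nat 0 exemption covering that pool, checked against constructed PIX 6.3 config fragments with Python's ipaddress module. The inside interface address 192.168.1.1/21 is an assumption, since the posted config masks it but a later post names 192.168.1.1 as the internal gateway.

```python
import ipaddress

# Constructed sample configs (hypothetical): only the lines that decide VPN client
# reachability. The inside address is assumed to be 192.168.1.1/21, since the post
# masks it as xx.xx.xx.xx but later names 192.168.1.1 as the internal gateway.
BASE = """
ip address inside 192.168.1.1 255.255.248.0
nat (inside) 0 access-list inside_outbound_nat0_acl
vpngroup VPN address-pool VPN
vpngroup VPN split-tunnel VPN_splitTunnelAcl
"""
# First posted state: pool carved out of the inside /21, catch-all split-tunnel ACL.
FIRST = BASE + """
ip local pool VPN 192.168.1.50-192.168.1.55
access-list VPN_splitTunnelAcl permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.1.48 255.255.255.248
"""
# Final state: pool on its own network, /21 protected, pool exempted from NAT.
FINAL = BASE + """
ip local pool VPN 192.168.9.50-192.168.9.55
access-list VPN_splitTunnelAcl permit ip 192.168.0.0 255.255.248.0 any
access-list inside_outbound_nat0_acl permit ip any 192.168.9.0 255.255.255.0
"""

def _addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    """Collect interfaces, address pools, 'permit ip' ACL entries, nat 0 and vpngroup lines."""
    cfg = {"acls": {}, "pools": {}, "vpngroup": {}}
    for p in (line.split() for line in text.splitlines()):
        if p[:2] == ["ip", "address"]:
            cfg["iface_" + p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[:3] == ["ip", "local", "pool"]:
            lo, hi = p[4].split("-")
            cfg["pools"][p[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif p[:1] == ["access-list"] and p[2:4] == ["permit", "ip"]:
            src, rest = _addr(p[4:])
            cfg["acls"].setdefault(p[1], []).append((src, _addr(rest)[0]))
        elif p[:1] == ["nat"] and p[2:4] == ["0", "access-list"]:
            cfg["nat0_" + p[1].strip("()")] = p[4]  # interface -> NAT exemption ACL
        elif p[:1] == ["vpngroup"]:
            cfg["vpngroup"].setdefault(p[1], {})[p[2]] = p[3]
    return cfg

def pool_overlaps_inside(cfg, pool="VPN"):
    """True when the client pool sits inside the inside subnet: replies may bypass the PIX."""
    return any(a in cfg["iface_inside"].network for a in cfg["pools"][pool])

def split_tunnel_path(cfg, group, dst):
    """'vpn' if dst is in a protected (source) network of the split-tunnel ACL, else 'internet'."""
    acl = cfg["acls"][cfg["vpngroup"][group]["split-tunnel"]]
    dst = ipaddress.ip_address(dst)
    return "vpn" if any(dst in protected for protected, _ in acl) else "internet"

def pool_is_nat_exempt(cfg, pool="VPN"):
    """True when the inside nat 0 ACL covers the whole pool, so replies are not translated."""
    lo, hi = cfg["pools"][pool]
    acl = cfg["acls"].get(cfg.get("nat0_inside"), [])
    return any(lo in dst and hi in dst for _, dst in acl)
```

Running the checks on FIRST shows the catch-all ACL sending even Internet destinations over the tunnel and the pool overlapping the inside /21; on FINAL, Internet traffic goes direct, the /21 goes over the VPN, and the 192.168.9.x pool is both outside the inside subnet and NAT-exempt.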