johnkoo (asker):
How can I allow my VPN clients to access the Internet and trusted resources once they have logged in successfully from the VPN client?

Dear expert,

I have actually used the VPN wizard on the Cisco PIX 515E firewall to set up the remote VPN client. Once the wizard completed, I used one PC connected to the Internet via a 56k dial-up modem. After I successfully connected from my PC to the trusted side, I tried to ping the local server IP address and all seemed to work fine, and I could map drives as well. But once I try to surf the Internet, I cannot.

My Question:

1. When I did ipconfig, I found that my default gateway IP address is the same as my own IP address. Please advise why this happens.
The firewall should issue me the real firewall IP as my default gateway, right?

2. Why can't I even surf the Internet? What do I need to configure on the firewall or VPN client to enable remote users to access the Internet and also access trusted resources?

Thanks,

regards,
JK


grblades:

1. This is correct.

2. You need to configure split-tunneling on the PIX so that only traffic destined to your range of IP addresses at work is sent across the VPN and all other traffic is sent over the Internet directly. Doing this, though, is less secure.
If you have PIX V7 software then you can do as you are doing now and the traffic will go to the PIX and then out to the Internet.
If your network at work is on 10.0.x.x, for example, and the VPN group name is 'groupname', then you would add the following to the PIX:

access-list splitTunnelAcl permit ip 10.0.0.0 255.255.0.0 any
vpngroup groupname split-tunnel splitTunnelAcl
johnkoo (asker):
Hi grblades,

What is PIX V7? Is this the software for the Cisco PIX 515E firewall or for the VPN remote client?

I have also tried to configure split-tunneling on the PIX. There are two options: the first is using the "dynamic-20"...? and the second option allows me to choose all internal (0.0.0.0 0.0.0.0), or DMZ, or a particular PC. I chose 0.0.0.0 0.0.0.0 and it still cannot access the Internet until now? Because I am trying it now...

Please advise..

grblades:

The version of the software on your PIX is probably 6.3. Version 7 is fairly new and has a lot of feature benefits, one of which is the ability to re-route incoming traffic over a VPN back out to the Internet.

I guess you are using the cisco PDM web configuration utility. There should be an option there to show the current configuration. Copy this into notepad etc... and replace any passwords and your external IP address with *'s and paste it here and I will tell you what you need to add.

To add the extra configuration you can either connect to it using a SSH client or connect over the serial port.
johnkoo (asker):

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 7JzCpTbzE0NFXw5u encrypted
passwd JdsH18ccyvzUMLMj encrypted
hostname sm-fw-1
domain-name xxx.com
clock timezone SGT 8
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service TCP_UDP_block tcp-udp
  port-object range 135 139
access-list acl_outside_in deny tcp any object-group TCP_UDP_block any object-group TCP_UDP_block
access-list acl_outside_in deny tcp any any eq 5554
access-list acl_outside_in deny tcp any any eq 9996
access-list acl_outside_in deny tcp any any eq 445
access-list acl_outside_in deny tcp any host 202.56.140.75 eq https
access-list acl_outside_in deny tcp any host 202.56.140.75 eq 2535
access-list acl_outside_in deny tcp any host 202.56.140.75 eq 6789
access-list acl_outside_in deny tcp any host 202.56.140.75 eq 4751
access-list acl_outside_in deny tcp any host 202.56.140.75 eq 2556
access-list acl_outside_in permit tcp any host 202.56.140.75 eq www
access-list acl_outside_in deny tcp any host 202.56.140.75 eq smtp
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 9100
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 53000
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 51000
access-list acl_outside_in permit tcp any host 202.56.140.74 eq www
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 8101
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 8100
access-list acl_outside_in permit tcp any host 202.56.140.76 eq 8019
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 8019
access-list acl_outside_in permit tcp any host 202.56.139.84 eq smtp
access-list acl_outside_in permit udp any host 202.56.140.76 eq domain
access-list acl_outside_in permit tcp any host 202.56.140.76 eq domain
access-list acl_outside_in permit tcp any host 202.56.140.76 eq www
access-list acl_outside_in permit tcp any host 202.56.140.76 eq ftp
access-list acl_outside_in permit tcp any host 202.56.140.76 eq ftp-data
access-list acl_outside_in permit udp any host 202.56.140.77 eq domain
access-list acl_outside_in permit tcp any host 202.56.140.77 eq domain
access-list acl_outside_in permit tcp any host 202.56.140.77 eq www
access-list acl_outside_in permit tcp any host 202.56.140.77 eq ftp
access-list acl_outside_in permit tcp any host 202.56.140.77 eq ftp-data
access-list acl_outside_in permit tcp 192.168.1.48 255.255.255.248 any
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.15 eq www
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.15 eq 5799
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.15 eq 5800
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.16 eq www
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.16 eq 5799
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.16 eq 5800
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.16 eq 8019
access-list acl_dmz_in permit tcp host 172.16.1.31 host 172.16.1.13 eq smtp
access-list acl_dmz_in permit ip any any
access-list inside_outbound_nat0_acl permit ip host 192.168.1.7 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.1.12 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.1.13 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.1.15 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.1.16 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.1.168 255.255.255.248
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.1.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.1.48 255.255.255.248
access-list outside_nat0_inbound permit ip any 192.168.2.0 255.255.255.0
access-list dmz_nat0_outbound permit ip host 172.16.1.21 192.168.1.200 255.255.255.252
access-list inside_access_in permit ip any any
access-list VPN_splitTunnelAcl permit ip any any
access-list VPN_splitTunnelAcl permit ip host 192.168.1.50 any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.48 255.255.255.248
pager lines 24
logging on
logging trap informational
logging facility 16
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xx.xx.xx.xx 255.255.255.0
ip address inside xx.xx.xx.xx 255.255.248.0
ip address dmz xx.xx.xx.xx 255.255.248.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm drop
ip local pool VPN 192.168.1.50-192.168.1.55
pdm location 192.168.0.0 255.255.248.0 inside
pdm location 192.168.1.7 255.255.255.255 inside
pdm location 192.168.1.12 255.255.255.255 inside
pdm location 192.168.1.13 255.255.255.255 inside
pdm location 192.168.1.15 255.255.255.255 inside
pdm location 192.168.1.16 255.255.255.255 inside
pdm location 172.16.1.21 255.255.255.255 dmz
pdm location 172.16.1.41 255.255.255.255 dmz
pdm location 192.168.2.174 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.1.14 255.255.255.255 inside
pdm location 172.16.1.31 255.255.255.255 dmz
pdm location 172.16.1.42 255.255.255.255 dmz
pdm location 192.168.1.20 255.255.255.255 inside
pdm location 192.168.1.200 255.255.255.252 outside
pdm location 192.168.1.192 255.255.255.192 outside
pdm location 192.168.1.48 255.255.255.248 outside
pdm history enable
arp timeout 14400
global (outside) 1 202.56.140.73 netmask 255.255.255.255
global (outside) 3 202.56.140.77 netmask 255.255.255.255
global (dmz) 1 172.16.1.50
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 3 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 202.56.140.75 192.168.1.7 netmask 255.255.255.255 0 0
static (dmz,outside) 202.56.140.74 172.16.1.21 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.32 192.168.1.13 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.16 192.168.1.16 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.15 192.168.1.15 netmask 255.255.255.255 0 0
static (dmz,outside) 202.56.140.76 172.16.1.41 netmask 255.255.255.255 0 0
static (dmz,outside) 202.56.140.77 172.16.1.42 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.13 192.168.1.7 netmask 255.255.255.255 0 0
static (dmz,outside) 202.56.139.84 172.16.1.31 netmask 255.255.255.255 0 0
access-group acl_outside_in in interface outside
access-group inside_access_in in interface inside
access-group acl_dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 202.56.139.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.12 255.255.255.255 inside
http 192.168.1.7 255.255.255.255 inside
http 192.168.1.13 255.255.255.255 inside
http 192.168.2.174 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp nat-traversal 3600
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup VPN address-pool VPN
vpngroup VPN dns-server 192.168.1.12 192.168.1.13
vpngroup VPN default-domain squiremech.com
vpngroup VPN split-tunnel VPN_splitTunnelAcl
vpngroup VPN idle-time 1800
vpngroup VPN password ********
telnet 192.168.1.12 255.255.255.255 inside
telnet 192.168.1.13 255.255.255.255 inside
telnet 192.168.1.7 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username c265sp password Up3qxqtpjmJhljCJ encrypted privilege 15
username b028nkh nopassword privilege 15
username administrator password PqawQ1FSVJwZYG/K encrypted privilege 15
username william password 82z.W5VEeU9AETZ. encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
vpnclient server 192.168.1.1
vpnclient mode client-mode
vpnclient vpngroup VPN password ********
vpnclient username johnkoo password ********
terminal width 80
Cryptochecksum:243c4cf0479770714a7ba1049a4d7f4f
: end
[OK]

grblades:

Add the following configuration to erase the current split-tunnel ACL and create a new one.
Then, once you disconnect and reconnect your VPN client, you should be able to browse the Internet and access the work network.

no access-list VPN_splitTunnelAcl
access-list VPN_splitTunnelAcl permit ip 192.168.0.0 255.255.248.0 any
> ip local pool VPN 192.168.1.50-192.168.1.55

This could cause you problems. You should be using an IP address range which is on a different logical network, otherwise you can get unpredictable connection issues to some internal machines. If you use something like the following it should work better.

ip local pool VPN 192.168.9.50-192.168.9.55
johnkoo (asker):

Hi grblades, you are great..

But can I check with you: even now I can access both the Internet and trusted resources, but when I do ipconfig I also can't find the gateway; it's empty. Why?

I can't ping my gateway 192.168.1.1. And previously, what did I do wrong in the split-tunneling configuration? Please advise.
How do you know the IP range 192.168.0.0 with 255.255.248.0 can work for both? Thanks very much...

regards,
JK
grblades (accepted solution; its text is not included on this page):
johnkoo (asker):

Hi grblades...

Yeah, I got your reply... thanks..

But you are saying the new config will send everything for the network 192.168.0.0/255.255.248.0 over the VPN and everything else to the Internet normally, right? That means 192.168.1.50 to 192.168.1.55 is in the destined network... it should be sent over the VPN, but why is it still able to access the Internet?

As I understand from your concern, all the networks within 192.168.0.0/255.255.248.0 will be sent over the VPN, which means they cannot access the Internet, but only the trusted zone. Those networks not inside the range will be able to surf the Internet as per normal, right???? This is my understanding.. please advise.. thanks

grblades:

The new config only affects the VPN client. It won't affect what your servers inside your network can do.
When your client accesses 192.168.0.0/255.255.248.0 it goes over the VPN. When the client accesses any other address it goes straight out their normal Internet connection.
johnkoo (asker):

Hi grblades,

I have successfully configured it to allow the external user to access the internal zone plus surf the Internet. I have set the split tunneling for my internal network address to be 192.168.0.0/255.255.248.0. So if I use the IP pool on the 192.168.1.x network it works fine.

But if I choose to use another logical network address, for example 192.168.5.1 to .5.10, Internet access works fine but I can't access my internal network. I ping any of the PCs or servers within the internal network and get no reply... please advise.. thanks

Since I have allowed the VPN client to access my internal (192.168.0.0/21) network, and if I choose the IP pool 192.168.5.x the range still falls into the above 192.168.0.0/21... I should be able to connect to the internal network and surf the net, right... but now I can only surf the net and cannot access any of the internal network.. please advise?

Thanks..

grblades:

With a subnet mask of 255.255.248.0 the range of IP addresses is from 192.168.0.0 through 192.168.7.255, and therefore 192.168.5.1 is not on a different logical network. I suggest you try using something like 192.168.9.1 to .9.10.
johnkoo (asker):

Hi grblades,

I have done it. Now my VPN client is using the IP pool address 192.168.9.x/21. But now all my remote clients via VPN are only allowed to surf the Internet and cannot access the internal network.

I tried to ping all of my internal network and got no reply. Now I can't access the internal network but can only access the Internet.

Please advise,

Thanks,

regards,
JK
johnkoo (asker):

Hi...

My internal network is 192.168.0.0/21..... but I'm using the 192.168.9.x IP pool...

grblades:

Do the servers have the PIX defined as their default gateway?
Are the servers all configured with the correct 255.255.248.0 netmask?

Save the config on the PIX and give it a reboot, as it is possible to confuse the VPN if you change the configuration.
johnkoo (asker):

Yep.. all the servers and clients point to the firewall (192.168.1.1) as the gateway and the netmask is 255.255.248.0.

As I understand, my internal network IP pool is 192.168.1.x to 192.168.7.x. The new logical network is 192.168.9.x, which is located outside the internal IP range. It should not work, right.... Do I need to do anything to the firewall access rules?

regards,
JK
grblades:

The reason why it should be outside the internal IP range is so that the response is always sent back to the PIX.
If you use an IP range on the internal network then it will tend to work, because most systems will send the packet back to the same device that sent it. However, this is not guaranteed for every operating system, and some may try to look up the MAC address to send the response back to, in which case it will fail.

You don't need to update any firewall settings, but you do need to make sure that the response is not being NAT'd. In your case you need to add the following line :-

access-list inside_outbound_nat0_acl permit ip any 192.168.9.0 255.255.255.0
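The three checks this thread walks through (split-tunnel ACL decides what goes over the VPN, the pool must sit outside the inside /21, and replies to pool addresses must bypass NAT) can be made mechanical. The following is an added example, not code from the thread or from Cisco: it parses a constructed excerpt in PIX 6.3 syntax and reports the two mistakes grblades pointed out. The inside address 192.168.1.1 is assumed from the gateway the asker mentions.

```python
import ipaddress
import re

# Constructed excerpt (not the poster's full config) reflecting the thread's end state:
# pool moved to 192.168.9.x and the nat 0 exemption for it added.
GOOD_CONFIG = """\
ip address inside 192.168.1.1 255.255.248.0
ip local pool VPN 192.168.9.50-192.168.9.55
access-list VPN_splitTunnelAcl permit ip 192.168.0.0 255.255.248.0 any
access-list inside_outbound_nat0_acl permit ip any 192.168.9.0 255.255.255.0
"""

# The asker's earlier attempt: a pool inside the /21 and no nat 0 exemption for it.
BAD_CONFIG = """\
ip address inside 192.168.1.1 255.255.248.0
ip local pool VPN 192.168.5.1-192.168.5.10
access-list VPN_splitTunnelAcl permit ip 192.168.0.0 255.255.248.0 any
"""

def parse(config):
    """Pull out the inside network, the VPN pool, the split-tunnel and nat 0 ACL entries."""
    cfg = {"split": [], "nat0": []}
    for line in config.splitlines():
        if m := re.match(r"ip address inside (\S+) (\S+)", line):
            cfg["inside"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip local pool \S+ (\S+)-(\S+)", line):
            cfg["pool"] = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif m := re.match(r"access-list VPN_splitTunnelAcl permit ip (\S+) (\S+) any", line):
            cfg["split"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := re.match(r"access-list inside_outbound_nat0_acl permit ip any (\S+) (\S+)", line):
            cfg["nat0"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
    return cfg

def pool_issues(config):
    """Return the problems discussed in the thread as strings (empty list means fine)."""
    cfg = parse(config)
    lo, hi = cfg["pool"]
    issues = []
    # Pool addresses must lie outside the inside /21 so replies always route back to the PIX.
    if lo in cfg["inside"] or hi in cfg["inside"]:
        issues.append(f"pool {lo}-{hi} overlaps inside network {cfg['inside']}")
    # Replies from inside hosts to pool addresses must bypass NAT (nat 0 exemption).
    if not all(any(a in n for n in cfg["nat0"]) for a in (lo, hi)):
        issues.append(f"pool {lo}-{hi} is not covered by inside_outbound_nat0_acl")
    return issues

def route_for(config, destination):
    """Decide whether the VPN client sends a packet over the tunnel or straight to the Internet."""
    cfg = parse(config)
    dst = ipaddress.ip_address(destination)
    return "tunnel" if any(dst in n for n in cfg["split"]) else "internet"
```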