Why can't I use another network segment for my VPN client to access the Internet and the trusted zone?

Hi expert,

I have successfully configured it to allow external users to access the trusted zone plus surf the Internet. I have set the split tunneling for my internal network address to be 192.168.0.0/255.255.248.0. So if I use the IP pool for the 192.168.1.x network, it is working fine.

But if I choose to use another logical network address, for example 192.168.5.1 to .5.10, Internet access works fine but I can't access my trusted network. I ping any of the PCs or servers within the trusted network and get no reply. Please advise. Thanks.

Since I have allowed the VPN client to access our trusted zone (192.168.0.0/21) network, and if I choose the IP pool 192.168.5.x the range still falls into the above 192.168.0.0/21, I should be able to surf, right? But now I can't. Please advise.

Thanks.
johnkooAsked:

ccomleyCommented:
Sounds to me like you have your network masks a bit confused.

Make sure any and every machine on any given network has the *same* netmask.

Understand that if you have two machines in *different* networks, then there MUST be a gateway between the networks if they are to talk to each other.

You're saying "trusted network" so I assume you have a firewall appliance of some sort, but you haven't told us what it is.

johnkooAuthor Commented:
Hi ccomley,

I have configured the PIX 515E firewall to allow external users to use the Cisco VPN client to access the internal network and surf the Internet.

My internal network is 192.168.0.0/255.255.248.0, so I have provided the IP pool 192.168.1.x/21 to the VPN users by using split tunneling. Everything goes fine: external users can access the internal network and surf the Internet. But once I change my IP pool to 192.168.5.x/21, the external users can only surf the net and cannot access the internal network. I try to ping all the PCs or servers in the internal network, 192.168.1.x/21, but there is no reply.

Please advise what I can do in order to allow all the external users to access the internal network and surf the Internet via the VPN client.
My internal network points to the firewall as gateway (192.168.1.1). All my internal networks are 192.168.1.x, 192.168.2.x and 192.168.3.x. Anyway, the IP pool that I chose, 192.168.5.x/21, is located in the same internal IP range of 192.168.0.0/21.

Please advise. Thanks.

regards,
jk
grbladesCommented:
On the PIX the IP pool used for VPN clients should be on a different IP range from the internal network, so you will have to use 192.168.8.x or higher.

johnkooAuthor Commented:
Yeah, now I have used 192.168.9.x.
johnkooAuthor Commented:
Now I still cannot access the internal network; it only allows access to the Internet.
grbladesCommented:
The problem was that the 'nat 0' ACL also needed to be updated to make sure the responses back to the VPN client were not being NAT'd.
johnkooAuthor Commented:
Hi grblades,

I have received your advice, but how do I do it on my PIX firewall? What command do I assign?

Why must I do this in order to allow the VPN client to access the Internet plus the internal network via the different network?

Thanks.
grbladesCommented:
Please post your current PIX configuration and I will tell you what the extra commands are you need.
johnkooAuthor Commented:
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 7JzCpTbzE0NFXw5u encrypted
passwd JdsH18ccyvzUMLMj encrypted
hostname sm-fw-1
domain-name squiremech.com
clock timezone SGT 8
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.5.0 vpn
name 192.168.9.0 vpn-connection
object-group service TCP_UDP_block tcp-udp
  port-object range 135 139
access-list acl_outside_in permit tcp any host 202.56.140.75 eq www
access-list acl_outside_in deny tcp any host 202.56.140.75 eq smtp
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 9100
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 53000
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 51000
access-list acl_outside_in permit tcp any host 202.56.140.74 eq www
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 8101
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 8100
access-list acl_outside_in permit tcp any host 202.56.140.76 eq 8019
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 8019
access-list acl_outside_in permit tcp any host 202.56.139.84 eq smtp
access-list acl_outside_in permit udp any host 202.56.140.76 eq domain
access-list acl_outside_in permit tcp any host 202.56.140.76 eq domain
access-list acl_outside_in permit tcp any host 202.56.140.76 eq www
access-list acl_outside_in permit tcp any host 202.56.140.76 eq ftp
access-list acl_outside_in permit tcp any host 202.56.140.76 eq ftp-data
access-list acl_outside_in permit udp any host 202.56.140.77 eq domain
access-list acl_outside_in permit tcp any host 202.56.140.77 eq domain
access-list acl_outside_in permit tcp any host 202.56.140.77 eq www
access-list acl_outside_in permit tcp any host 202.56.140.77 eq ftp
access-list acl_outside_in permit tcp any host 202.56.140.77 eq ftp-data
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.15 eq www
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.15 eq 5799
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.15 eq 5800
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.16 eq www
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.16 eq 5799
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.16 eq 5800
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.16 eq 8019
access-list acl_dmz_in permit tcp host 172.16.1.31 host 172.16.1.13 eq smtp
access-list inside_outbound_nat0_acl permit ip host 192.168.1.7 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.1.12 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.1.13 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.1.15 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.1.16 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.1.168 255.255.255.248
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.1.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.248.0 192.168.5.16 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.248.0 192.168.1.48 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any vpn-connection 255.255.255.0
access-list outside_nat0_inbound permit ip any 192.168.2.0 255.255.255.0
access-list dmz_nat0_outbound permit ip host 172.16.1.21 192.168.1.200 255.255.255.252
access-list sm-vpn_splitTunnelAcl permit ip 192.168.0.0 255.255.248.0 any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.5.48 255.255.255.240
pager lines 24
logging on
logging trap informational
logging facility 16
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xx.xx.xx.xx 255.255.255.0
ip address inside 192.168.1.1 255.255.248.0
ip address dmz 172.16.1.1 255.255.248.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm drop
ip local pool sm-vpn 192.168.1.50-192.168.1.60
ip local pool new_sm_vpn 192.168.5.10-192.168.5.60
ip local pool sm-vpn-1 192.168.9.1-192.168.9.10
pdm location 192.168.0.0 255.255.248.0 inside
pdm location 192.168.1.7 255.255.255.255 inside
pdm location 192.168.1.12 255.255.255.255 inside
pdm location 192.168.1.13 255.255.255.255 inside
pdm location 192.168.1.15 255.255.255.255 inside
pdm location 192.168.1.16 255.255.255.255 inside
pdm location 172.16.1.21 255.255.255.255 dmz
pdm location 172.16.1.41 255.255.255.255 dmz
pdm location 192.168.2.174 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.1.14 255.255.255.255 inside
pdm location 172.16.1.31 255.255.255.255 dmz
pdm location 172.16.1.42 255.255.255.255 dmz
pdm location 192.168.1.20 255.255.255.255 inside
pdm location 192.168.1.200 255.255.255.252 outside
pdm location 192.168.1.192 255.255.255.192 outside
pdm location 192.168.5.16 255.255.255.240 outside
pdm location vpn 255.255.255.192 outside
pdm location 192.168.1.48 255.255.255.240 outside
pdm location vpn-connection 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 202.56.140.73 netmask 255.255.255.255
global (outside) 3 202.56.140.77 netmask 255.255.255.255
global (dmz) 1 172.16.1.50
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 3 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 202.56.140.75 192.168.1.7 netmask 255.255.255.255 0 0
static (dmz,outside) 202.56.140.74 172.16.1.21 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.32 192.168.1.13 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.16 192.168.1.16 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.15 192.168.1.15 netmask 255.255.255.255 0 0
static (dmz,outside) 202.56.140.76 172.16.1.41 netmask 255.255.255.255 0 0
static (dmz,outside) 202.56.140.77 172.16.1.42 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.13 192.168.1.7 netmask 255.255.255.255 0 0
static (dmz,outside) 202.56.139.84 172.16.1.31 netmask 255.255.255.255 0 0
access-group acl_outside_in in interface outside
access-group acl_dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 202.56.139.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.12 255.255.255.255 inside
http 192.168.1.7 255.255.255.255 inside
http 192.168.1.13 255.255.255.255 inside
http 192.168.2.174 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp nat-traversal 3600
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup sm-vpn address-pool sm-vpn
vpngroup sm-vpn dns-server 192.168.1.12 192.168.1.13
vpngroup sm-vpn default-domain squiremech.com
vpngroup sm-vpn split-tunnel sm-vpn_splitTunnelAcl
vpngroup sm-vpn idle-time 1800
vpngroup sm-vpn password ********
telnet 192.168.1.12 255.255.255.255 inside
telnet 192.168.1.13 255.255.255.255 inside
telnet 192.168.1.7 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username c265sp password Up3qxqtpjmJhljCJ encrypted privilege 15
username b028nkh nopassword privilege 15
username administrator password PqawQ1FSVJwZYG/K encrypted privilege 15
username william password 82z.W5VEeU9AETZ. encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
vpnclient server 192.168.1.1
vpnclient mode client-mode
vpnclient vpngroup VPN password ********
vpnclient username johnkoo password ********
terminal width 80
Cryptochecksum:2d65cce8969e3647173eadced42f86ab
: end
[OK]

decoleurCommented:
Would you have to create an access list to allow the VPN traffic to have access to your network and then apply that access list to your nat (inside) 0 interface to keep it from split tunneling?

access-list 101 permit ip 192.168.0.0 255.255.248.0 192.168.8.0 255.255.248.0
nat (inside) 0 access-list 101
crypto map outside_map 65535 match address 101

I am looking at the Cisco config example from http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

HTH

-t
johnkooAuthor Commented:
Hi grblades,

I have posted the complete config file in the forum. Please advise what I can do to enable the new local network address "192.168.9.x/24" to talk to the existing network, which is 192.168.0.0/21. I tried to add access rules for both incoming and outgoing, from outside "vpn-client group" to "internal" and from "internal" to "vpn-client group", but it is still not successful. Please advise. Thanks.

Dear decoleur, thanks for your help. I have tried to do that, but it also cannot ping the internal network after connecting with the VPN client.

Thanks.
grbladesCommented:
> ip local pool sm-vpn-1 192.168.9.1-192.168.9.10
This is the pool you have defined

> vpngroup sm-vpn address-pool sm-vpn
You still have the old one in use.

Add the following configuration to switch the VPN client to use the new IP range:
vpngroup sm-vpn address-pool sm-vpn-1

Your 'nat 0' ACL looks fine.
johnkooAuthor Commented:
Hi grblades,

Even though I have added the above line to switch to the new IP pool name, it seems it does not resolve the problem yet.

Just to share my idea with you: today I just managed to configure one WatchGuard firewall to allow external users to access the company trusted network via the WatchGuard remote VPN client. What I did is as below:

1. Configured the VPN client from the Policy Manager on the WatchGuard Firebox by adding the trusted network to allow VPN user access, plus one virtual IP address. Example: the trusted network is 172.16.14.0/24 and the virtual IP is 172.16.16.1. Both are located on different networks.

2. I created one access rule to allow outside (vpn_client) via any (ip) to internal (trusted network). I also created another access rule to allow internal (trusted network) via any (ip) to outside (vpn_client).

3. In order to allow the 172.16.16.x network to communicate with the 172.16.14.x/24 network, I created static NAT rules which use 172.16.0.0/16 to NAT the trusted network (172.16.14.x/24).

After all these things were done, my laptop, which is connected to the office LAN via the WatchGuard VPN client, can use both the Internet and network resources, even though my laptop is located on a different network, which is 172.16.16.1.

My question is: I have tried my best to apply the same concept and method to the Cisco PIX, hoping it can resolve my VPN connection problem, but till now I still cannot solve it.

Please, this might be urgent and I need your expertise to assist me with this problem. Thanks very much.

Regards,
JK
grbladesCommented:
I can't see anything wrong at the moment. Can you post your new complete configuration, just in case something has changed?

I have asked lrmoore to have a look as well.
johnkooAuthor Commented:
Dear guys, I appreciate your kind help.
I think we need to create a NAT in order for IP 192.168.10.x (Cisco VPN client) to communicate with the trusted network, which is 192.168.0.0/21, meaning 255.255.248.0.

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 7JzCpTbzE0NFXw5u encrypted
passwd JdsH18ccyvzUMLMj encrypted
hostname sm-fw-1
domain-name squiremech.com
clock timezone SGT 8
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service TCP_UDP_block tcp-udp
  port-object range 135 139
access-list acl_outside_in permit tcp any host 202.56.140.75 eq www
access-list acl_outside_in deny tcp any host 202.56.140.75 eq smtp
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 9100
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 53000
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 51000
access-list acl_outside_in permit tcp any host 202.56.140.74 eq www
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 8101
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 8100
access-list acl_outside_in permit tcp any host 202.56.140.76 eq 8019
access-list acl_outside_in permit tcp any host 202.56.140.74 eq 8019
access-list acl_outside_in permit tcp any host 202.56.139.84 eq smtp
access-list acl_outside_in permit udp any host 202.56.140.76 eq domain
access-list acl_outside_in permit tcp any host 202.56.140.76 eq domain
access-list acl_outside_in permit tcp any host 202.56.140.76 eq www
access-list acl_outside_in permit tcp any host 202.56.140.76 eq ftp
access-list acl_outside_in permit tcp any host 202.56.140.76 eq ftp-data
access-list acl_outside_in permit udp any host 202.56.140.77 eq domain
access-list acl_outside_in permit tcp any host 202.56.140.77 eq domain
access-list acl_outside_in permit tcp any host 202.56.140.77 eq www
access-list acl_outside_in permit tcp any host 202.56.140.77 eq ftp
access-list acl_outside_in permit tcp any host 202.56.140.77 eq ftp-data
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.15 eq www
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.15 eq 5799
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.15 eq 5800
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.16 eq www
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.16 eq 5799
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.16 eq 5800
access-list acl_dmz_in permit tcp host 172.16.1.21 host 192.168.1.16 eq 8019
access-list acl_dmz_in permit tcp host 172.16.1.31 host 172.16.1.13 eq smtp
access-list acl_dmz_in permit ip any any
access-list inside_outbound_nat0_acl permit ip host 192.168.1.7 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.1.12 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.1.13 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.1.15 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.1.16 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.1.168 255.255.255.248
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.1.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.248.0 192.168.10.0 255.255.255.128
access-list outside_nat0_inbound permit ip any host 192.168.2.0
access-list dmz_nat0_outbound permit ip host 172.16.1.21 192.168.1.200 255.255.255.252
access-list vpn_splitTunnelAcl permit ip 192.168.0.0 255.255.248.0 any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.128
pager lines 24
logging on
logging trap informational
logging facility 16
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside XXX.XX.XX.XX 255.255.255.0
ip address inside 192.168.1.1 255.255.248.0
ip address dmz 172.16.1.1 255.255.248.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm drop
ip local pool vpn 192.168.10.10-192.168.10.100
pdm location 192.168.1.7 255.255.255.255 inside
pdm location 192.168.1.12 255.255.255.255 inside
pdm location 192.168.1.13 255.255.255.255 inside
pdm location 192.168.1.15 255.255.255.255 inside
pdm location 192.168.1.16 255.255.255.255 inside
pdm location 172.16.1.21 255.255.255.255 dmz
pdm location 172.16.1.41 255.255.255.255 dmz
pdm location 192.168.1.14 255.255.255.255 inside
pdm location 172.16.1.31 255.255.255.255 dmz
pdm location 172.16.1.42 255.255.255.255 dmz
pdm location 192.168.1.20 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 outside
pdm location 192.168.2.174 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.255 inside
pdm location 192.168.1.168 255.255.255.248 outside
pdm location 192.168.1.200 255.255.255.252 outside
pdm location 192.168.1.192 255.255.255.192 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 192.168.9.0 255.255.255.0 outside
pdm location 192.168.0.0 255.255.255.255 inside
pdm location 192.168.1.48 255.255.255.240 outside
pdm location 192.168.9.0 255.255.255.255 outside
pdm location 192.168.9.0 255.255.255.192 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 202.56.140.73 netmask 255.255.255.255
global (outside) 3 202.56.140.77 netmask 255.255.255.255
global (dmz) 1 172.16.1.50
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 3 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 202.56.140.75 192.168.1.7 netmask 255.255.255.255 0 0
static (dmz,outside) 202.56.140.74 172.16.1.21 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.32 192.168.1.13 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.16 192.168.1.16 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.15 192.168.1.15 netmask 255.255.255.255 0 0
static (dmz,outside) 202.56.140.76 172.16.1.41 netmask 255.255.255.255 0 0
static (dmz,outside) 202.56.140.77 172.16.1.42 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.13 192.168.1.7 netmask 255.255.255.255 0 0
static (dmz,outside) 202.56.139.84 172.16.1.31 netmask 255.255.255.255 0 0
access-group acl_outside_in in interface outside
access-group acl_dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 202.56.139.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.12 255.255.255.255 inside
http 192.168.1.7 255.255.255.255 inside
http 192.168.1.13 255.255.255.255 inside
http 192.168.2.174 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map_1 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map_1 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map_1
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp nat-traversal 3600
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup vpn address-pool vpn
vpngroup vpn dns-server 192.168.1.12 192.168.1.13
vpngroup vpn default-domain squiremech.com
vpngroup vpn split-tunnel vpn_splitTunnelAcl
vpngroup vpn idle-time 1800
vpngroup vpn password ********
telnet 192.168.1.12 255.255.255.255 inside
telnet 192.168.1.13 255.255.255.255 inside
telnet 192.168.1.7 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username c265sp password Up3qxqtpjmJhljCJ encrypted privilege 15
username b028nkh nopassword privilege 15
username administrator password PqawQ1FSVJwZYG/K encrypted privilege 15
username william password 82z.W5VEeU9AETZ. encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
vpnclient server 192.168.1.1
vpnclient mode client-mode
vpnclient vpngroup VPN password ********
vpnclient username johnkoo password ********
terminal width 80
Cryptochecksum:3a400db359a354f863a88f74120ee438
: end
[OK]


Thanks for your help.

regards,
JK
johnkooAuthor Commented:
Hi grblades,

Any idea on my problem?

Still waiting for your reply. Thanks.

regards,
JK
grbladesCommented:
Sorry, I have no further ideas. Hopefully lrmoore will be along shortly to have a look.
johnkooAuthor Commented:
Hi grblades,

Can you give me some idea of how split tunneling works? Or where can I find a useful resource to know more about configuring split tunneling?

Thanks,

regards,
JK
grbladesCommented:
All you need for split-tunnel is the following two lines.

access-list vpn_splitTunnelAcl permit ip 192.168.0.0 255.255.248.0 any
vpngroup vpn split-tunnel vpn_splitTunnelAcl

Basically all you are doing is defining an ACL saying what traffic the VPN client should send across the VPN. The client will then send traffic to this destination IP range over the VPN and everything else directly to the Internet.
johnkooAuthor Commented:
Thanks for your response. If I want all the remote users from external to use the virtual IP of 10.0.0.1/255.0.0.0 to access the internal network "192.168.1.0/24", they should be able to access the 192.168.1.x network plus have Internet access.

For example, if I want the external users to access another segment of my internal network, 192.168.2.0/255.255.255.0, I can add another internal network as above to allow the same IP 10.0.0.1/255.0.0.0 to access the internal network, right?

Thanks.

regards,
JK
decoleurCommented:
If you want your VPN split-tunnel access list to have access to multiple subnets, you would add them individually.

no access-list vpn_splitTunnelAcl
!-- erase the old access-list
access-list vpn_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
!-- add an access-list entry for 192.168.1.0/24
access-list vpn_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
!-- add an access-list entry for 192.168.2.0/24

HTH

-t
grbladesCommented:
Your internal IP address is :-
ip address inside 192.168.1.1 255.255.248.0
Therefore 192.168.2.x is not a different network and there is no need to change the split-tunnel.

If you have just decided to have two internal networks then you will need to adjust the split-tunnel as the previous poster described and also change the subnet mask of your internal interface and add an internal route to 192.168.2.x via whatever router you have between the 192.168.1.x and 192.168.2.x networks.
lrmooreCommented:
>access-list vpn_splitTunnelAcl permit ip 192.168.0.0 255.255.248.0 any
The 'any' is causing the problems in a split-tunnel acl
Just remember that this ACL is passed to the VPN client simply to define what traffic will be encrypted.

given:
>ip address inside 192.168.1.1 255.255.248.0
>ip local pool vpn 192.168.10.10-192.168.10.100

Try this:
no access-list vpn_splitTunnelAcl

access-list vpn_splitTunnelAcl permit ip 192.168.0.0 255.255.248.0 192.168.10.0 255.255.255.0

! You'll need to re-apply the acl to the vpngroup after removing it above...

vpngroup vpn split-tunnel vpn_splitTunnelAcl
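A config check written for this thread (an added example; it is not a PIX command and not code from any of the posters) that parses the handful of PIX 6.3 lines the answers above turn on and flags the three conditions they raise: a client pool that sits inside the inside interface's subnet (grblades), a 'nat 0' ACL that does not exempt inside-to-pool traffic (grblades), and a split-tunnel ACL whose destination is 'any' (lrmoore). The config excerpt is constructed from the thread's posted values; ACL operand forms the checker does not model (interface, symbolic names) are skipped.

```python
"""Audit the PIX 6.3 settings this thread turns on: VPN pool placement,
the 'nat 0' exemption and the split-tunnel ACL."""
import ipaddress
import re

ANY = ipaddress.IPv4Network("0.0.0.0/0")
_IP = re.compile(r"^\d+\.\d+\.\d+\.\d+$")

# Constructed excerpt modelled on the thread's posted config (not the full
# running-config): the old pool is still bound and the split-tunnel ACL ends in 'any'.
BROKEN_CONFIG = """\
ip address inside 192.168.1.1 255.255.248.0
ip local pool sm-vpn 192.168.1.50-192.168.1.60
ip local pool vpn 192.168.10.10-192.168.10.100
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.248.0 192.168.10.0 255.255.255.128
access-list vpn_splitTunnelAcl permit ip 192.168.0.0 255.255.248.0 any
nat (inside) 0 access-list inside_outbound_nat0_acl
vpngroup vpn address-pool sm-vpn
vpngroup vpn split-tunnel vpn_splitTunnelAcl
"""

# Same excerpt with the thread's fixes applied: bind the 192.168.10.x pool and
# name that pool as the split-tunnel destination instead of 'any'.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "address-pool sm-vpn", "address-pool vpn").replace(
    "255.255.248.0 any", "255.255.248.0 192.168.10.0 255.255.255.0")


def _operand(tok, i):
    """Parse one ACL address operand at tok[i] -> (network or None, next index).
    'interface NAME' and symbolic names are not modelled and yield None."""
    if i >= len(tok):
        return None, i
    t = tok[i]
    if t == "any":
        return ANY, i + 1
    if t == "host" and i + 1 < len(tok):
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    if _IP.match(t) and i + 1 < len(tok) and _IP.match(tok[i + 1]):
        return ipaddress.IPv4Network((t, tok[i + 1]), strict=False), i + 2
    return None, i + 2


def parse_config(text):
    """Pull out the inside subnet, pools, 'permit ip' ACLs and vpngroup bindings."""
    cfg = {"inside": None, "pools": {}, "acls": {}, "nat0": None,
           "address_pool": None, "split_tunnel": None}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4:
            continue
        if tok[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.IPv4Network((tok[3], tok[4]), strict=False)
        elif tok[:3] == ["ip", "local", "pool"]:
            lo, hi = tok[4].split("-")
            cfg["pools"][tok[3]] = (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
        elif tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            src, i = _operand(tok, 4)
            dst, _ = _operand(tok, i)
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg["nat0"] = tok[4]
        elif tok[0] == "vpngroup" and tok[2] == "address-pool":
            cfg["address_pool"] = tok[3]
        elif tok[0] == "vpngroup" and tok[2] == "split-tunnel":
            cfg["split_tunnel"] = tok[3]
    return cfg


def audit(text):
    """Return a list of findings; an empty list means all three checks pass."""
    cfg = parse_config(text)
    inside = cfg["inside"]
    pool = cfg["pools"].get(cfg["address_pool"])
    if inside is None or pool is None:
        return ["inside interface or bound vpngroup address-pool not found"]
    findings = []
    pool_nets = list(ipaddress.summarize_address_range(*pool))
    # 1. grblades: the client pool must not sit inside the inside interface's subnet.
    if any(n.overlaps(inside) for n in pool_nets):
        findings.append("pool '%s' overlaps inside network %s" % (cfg["address_pool"], inside))
    # 2. grblades: replies from inside hosts to the pool must be exempt from NAT ('nat 0').
    nat0 = cfg["acls"].get(cfg["nat0"], [])
    uncovered = [str(n) for n in pool_nets
                 if not any(src is not None and dst is not None
                            and src.overlaps(inside) and n.subnet_of(dst)
                            for src, dst in nat0)]
    if uncovered:
        findings.append("nat 0 ACL '%s' does not exempt inside -> %s"
                        % (cfg["nat0"], ", ".join(uncovered)))
    # 3. lrmoore: the split-tunnel ACL should name the pool, not 'any', as destination.
    for src, dst in cfg["acls"].get(cfg["split_tunnel"], []):
        if dst == ANY:
            findings.append("split-tunnel ACL '%s' entry %s -> any" % (cfg["split_tunnel"], src))
    return findings


if __name__ == "__main__":
    print(audit(BROKEN_CONFIG), audit(FIXED_CONFIG))
```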
