rxn6057
asked on
cisco pix vpn setup
I just created the following config on our PIX 515 for VPN connections. I get connected using the Cisco VPN client v4.0.4,
but I cannot ping any hosts via IP address. Can someone point me in the right direction? I'm sure someone out there has run into this; if you need the rest of the config, let me know. Thanks.
ip local pool vpn_client 192.168.1.110-192.168.1.150
access-list no_nat_vpn permit ip any 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no_nat_vpn
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp enable outside
isakmp identity address
sysopt connection permit-ipsec
access-list cryptomap_acl permit ip any 192.168.1.0 255.255.255.0
crypto ipsec transform-set vpnClient esp-des esp-md5-hmac
crypto dynamic-map dyn_map 10 set transform-set vpnClient
crypto map vpn_map 10 ipsec-isakmp dynamic dyn_map
crypto dynamic-map dyn_map 10 match address cryptomap_acl
crypto map vpn_map interface outside
vpngroup remote_group address-pool vpn_client
vpngroup remote_group dns-server 192.168.1.71
vpngroup remote_group default-domain company.com
vpngroup remote_group idle-time 3600
vpngroup remote_group password #######
vpngroup remote_group split-tunnel no_nat_vpn
I wouldn't recommend configuring split-tunneling as it's a potential security risk. For example, the VPN client machine might be a Windows XP machine on a home LAN or hotel LAN and has a single Ethernet adapter installed in it. The Windows XP machine has a valid address on that network and connects to the corporate network through the VPN connectoid in the Network Connections window. At this point, any host that sets its default gateway to the IP address of the Windows XP computer can now access the corporate network resources.
Agree with you garycutri on the security risks of split-tunneling. But the reality is, most users get irate when they can't surf the web or check personal email while connected to VPN.
rxn6057: all you can do is warn management of the risks, and let them decide. No doubt they'll decide "Do it anyway".
cheers all
you need to add a rule to the firewall that lets the VPN IP address pool send and receive echo and echo-reply packets to whatever IP address you want to ping.
ngravatt: Actually no. The "permit ip..." statements in the ACLs are also allowing ICMP traffic. I've deployed many PIX VPNs like this - it works.
cheers
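As an added example (my own, not code from this thread or from Cisco): a small Python linter for the kind of PIX 6.x VPN fragment posted in the question. It encodes the two points the replies make, that `permit ip` in the nat 0 and crypto ACLs already covers ICMP so no separate echo rule is needed, and that split tunnelling should be surfaced explicitly, and adds the checks a reviewer would run before looking anywhere else: every ACL referenced by nat 0, the dynamic map and the vpngroup must actually exist, the address pool must not be inverted, a pool that sits inside the protected subnet is flagged for review, and DES/MD5 are reported as weak. SAMPLE_CONFIG is a constructed re-typing of the posted config, and the parser only understands the statement forms used there.

```python
import ipaddress

# Constructed sample (re-typed, not pasted from the thread): the question's
# PIX 6.x VPN fragment as the firewall would accept it.
SAMPLE_CONFIG = """\
ip local pool vpn_client 192.168.1.110-192.168.1.150
access-list no_nat_vpn permit ip any 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no_nat_vpn
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp enable outside
sysopt connection permit-ipsec
access-list cryptomap_acl permit ip any 192.168.1.0 255.255.255.0
crypto ipsec transform-set vpnClient esp-des esp-md5-hmac
crypto dynamic-map dyn_map 10 set transform-set vpnClient
crypto dynamic-map dyn_map 10 match address cryptomap_acl
crypto map vpn_map 10 ipsec-isakmp dynamic dyn_map
crypto map vpn_map interface outside
vpngroup remote_group address-pool vpn_client
vpngroup remote_group dns-server 192.168.1.71
vpngroup remote_group split-tunnel no_nat_vpn
"""

WEAK_ALGS = ("des", "md5")  # single DES and MD5 should not be relied on today


def _take_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_pix(text):
    """Extract the PIX 6.x statements a remote-access IPsec VPN depends on."""
    cfg = {"pools": {}, "acls": {}, "nat0_acls": set(), "match_acls": set(),
           "split_acls": set(), "algs": set()}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["ip", "local", "pool"]:
            start, end = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif t[0] == "access-list":
            # access-list NAME permit|deny PROTO SRC DST  (only the forms used above)
            src, rest = _take_addr(t[4:])
            dst, _ = _take_addr(rest)
            cfg["acls"].setdefault(t[1], []).append((t[2], t[3], src, dst))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0_acls"].add(t[4])
        elif t[:2] == ["crypto", "dynamic-map"] and "match" in t:
            cfg["match_acls"].add(t[t.index("address") + 1])
        elif t[0] == "vpngroup" and t[2] == "split-tunnel":
            cfg["split_acls"].add(t[3])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["algs"].update(t[4:])          # e.g. esp-des, esp-md5-hmac
        elif t[:2] == ["isakmp", "policy"] and t[3] in ("encryption", "hash"):
            cfg["algs"].add(t[4])              # e.g. des, md5
    return cfg


def check(cfg):
    """Return (severity, message) findings for the parsed VPN fragment."""
    findings = []
    # Destination networks of the crypto ACL(s): what the tunnel protects.
    protected = [(acl, e[3]) for acl in cfg["match_acls"] for e in cfg["acls"].get(acl, [])]
    for name, (start, end) in cfg["pools"].items():
        if end < start:
            findings.append(("error", f"pool {name}: end {end} is below start {start}, "
                                      "so no client address can be assigned"))
        for acl, net in protected:
            if start in net:
                findings.append(("warn", f"pool {name} lies inside {net}, the network protected "
                                         f"by crypto ACL {acl}; confirm inside hosts can reach "
                                         "pool addresses, or give the pool its own subnet"))
    for role, names in (("nat 0", cfg["nat0_acls"]), ("crypto match", cfg["match_acls"]),
                        ("split-tunnel", cfg["split_acls"])):
        for name in sorted(names):
            entries = cfg["acls"].get(name)
            if not entries:
                findings.append(("error", f"{role} references ACL {name}, which is not defined"))
            elif not any(e[0] == "permit" and e[1] in ("ip", "icmp") for e in entries):
                # 'permit ip' already covers ICMP; only a narrower protocol needs an echo rule.
                findings.append(("warn", f"ACL {name} ({role}) permits neither ip nor icmp, "
                                         "so ping will not pass the tunnel"))
    weak = sorted(a for a in cfg["algs"] if any(w in a for w in WEAK_ALGS))
    if weak:
        findings.append(("warn", "weak algorithms in use: " + ", ".join(weak)))
    if cfg["split_acls"]:
        findings.append(("info", "split tunnelling enabled via " + ", ".join(sorted(cfg["split_acls"]))
                                 + "; the client sits on its local LAN and the corporate network at once"))
    return findings


if __name__ == "__main__":
    for severity, message in check(parse_pix(SAMPLE_CONFIG)):
        print(f"[{severity}] {message}")
```

Run it directly to print the findings for the sample; for a real box, pass `show run` output to `parse_pix` (only the statement forms listed above are recognised, so extend the parser before trusting it on a larger config).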