macc1212
asked on
Pix 501
The VPN works fine, but I cannot connect to the internet unless I connect the cable from the modem to port one. Then the VPN stops working. If I connect the cable back to the WAN port, the VPN works but the internet stops working. This is new to me; can someone explain this to me? And is there a script that I can write for the PIX???
Make sure you hide the 2nd and 3rd octet of your public IP information when you paste it here.
Do you have split-tunneling enabled on your PIX VPN?
Cheers,
Rajesh
ASKER
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ecCwMh0COe94IjJK encrypted
passwd ecCwMh0COe94IjJK encrypted
hostname rcsnet
domain-name sms.siemens.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_c-map_20 permit ip host ##### ##### 255.255.255.248
pager lines 24
logging on
logging timestamp
logging buffered notifications
logging history notifications
logging queue 0
icmp permit #.#.#.# 255.255.248.0 outside
mtu outside 1500
mtu inside 1500
ip address outside #.#.#.# 255.255.255.0
ip address inside #.#.#.# 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list outside_c-map_20
route outside 0.0.0.0 0.0.0.0 #.#.#.#
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
http server enable
http #.#.#.# 255.255.255.248 outside
http #.#.#.# 255.255.248.0 outside
http #.#.#.# 255.255.255.0 inside
http #.#.#.# 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community !S13m3n3S!
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-ipsec
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_c-map_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer #.#.#.#
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address #.#.#.# netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh #.#.#.# 255.255.248.0 outside
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:59d620c4dbee6a283257f3a9755ac581
This looks to me like a site-to-site VPN? Aren't we talking about client VPN?
Cheers,
Rajesh
ASKER
Yes this is a lan to lan vpn.
Change this >>access-list outside_c-map_20 permit ip host ##### ##### 255.255.2
To reflect the SiteA network and Site B network respectively on both ends.
access-list outside_c-map_20 permit ip <NetworkA> <Mask> <NetworkB> <Mask>
The above goes on the NetworkA side PIX.
access-list outside_c-map_20 permit ip <NetworkB> <Mask> <NetworkA> <Mask>
The above goes on the NetworkB side PIX.
Then save the configuration, do a 'clear xlate'.
Then try.
Cheers,
Rajesh
ASKER
Will this allow me to access the internet with the other computers on the network?
Yes, it would.
Only the traffic destined for the other network will be passed through the VPN tunnel and all other traffic destined for internet will go to internet.
Cheers,
Rajesh
ASKER
How would I write the script?
access-list outside_c-map_20 permit ip host 10.10.12.11 255.255.255.248
Where do I plug in Network A and Network B?
What is Net A and Net B?
Is it the outside IP A and the inside IP B?
Please explain.
For internal users to use the internet, add these:
global (outside) 10 interface
nat (inside) 10 0 0
NetworkA------PIX--------------VPN--------------PIX------NetworkB
Now you know what is NetworkA and NetworkB right ?
Cheers,
Rajesh
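The two replies above describe how the PIX decides what happens to a packet from the inside: anything matching the ACL bound by 'nat (inside) 0 access-list' is exempt from translation and is the "interesting traffic" the crypto map sends into the tunnel; everything else needs a 'global (outside) N' / 'nat (inside) N' pair or the PIX has no translation for it and the internet is unreachable. The script below is an added example, not code from the thread or from Cisco: it parses a PIX 6.3 style excerpt, predicts which path a given flow takes, and flags the two defects discussed here (a crypto ACL written with a single host instead of the two LANs, and a missing PAT pair). The two configs are constructed samples using 10.24.54.0/24 as NetworkA and the documentation range 192.0.2.0/24 as NetworkB; the address 198.51.100.1 stands in for an arbitrary internet host. It assumes PIX 6.x precedence, where NAT exemption (nat 0 with an ACL) is evaluated before the numbered nat/global pairs.

```python
"""Audit a PIX 6.3 config excerpt for the split-tunnel / internet-access problem in this thread."""
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample configs (hypothetical; they are not the poster's masked config).
# 10.24.54.0/24 stands in for the local LAN (NetworkA), 192.0.2.0/24 for the remote LAN (NetworkB).
BROKEN_CONFIG = """\
access-list outside_c-map_20 permit ip host 10.24.54.11 192.0.2.0 255.255.255.0
nat (inside) 0 access-list outside_c-map_20
crypto map outside_map 20 match address outside_c-map_20
"""

FIXED_CONFIG = """\
access-list outside_c-map_20 permit ip 10.24.54.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (inside) 0 access-list outside_c-map_20
global (outside) 10 interface
nat (inside) 10 0 0
crypto map outside_map 20 match address outside_c-map_20
"""


def _take_addr(tokens, i):
    """Consume one PIX address spec ('any', 'host A', or 'A MASK') at tokens[i]."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    return IPv4Network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_acls(config):
    """Map ACL name -> list of (src_net, dst_net) for every 'permit ip' entry."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list\s+(\S+)\s+permit\s+ip\s+(.+)", line.strip())
        if not m:
            continue
        tokens = m.group(2).split()
        src, i = _take_addr(tokens, 0)
        dst, _ = _take_addr(tokens, i)
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def nat_exempt_acl(config):
    """Name of the ACL bound by 'nat (inside) 0 access-list', i.e. the NAT-exempt (tunnel) traffic."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    return m.group(1) if m else None


def pat_ids(config):
    """NAT ids with both a 'global (outside) N' and a 'nat (inside) N' line (id 0 is exemption, not PAT)."""
    globals_ = set(re.findall(r"^global \(outside\) (\d+)\b", config, re.M))
    nats = set(re.findall(r"^nat \(inside\) (\d+)\b", config, re.M))
    return {int(n) for n in globals_ & nats if n != "0"}


def classify(config, src_ip, dst_ip):
    """Predict how the PIX handles one inside->outside flow: 'tunnel', 'pat' or 'no-translation'."""
    src, dst = IPv4Address(src_ip), IPv4Address(dst_ip)
    # Assumed PIX 6.x order: nat 0 access-list is checked before any numbered nat/global pair.
    for s, d in parse_acls(config).get(nat_exempt_acl(config), []):
        if src in s and dst in d:
            return "tunnel"
    if pat_ids(config):
        return "pat"
    return "no-translation"


def audit(config):
    """Return human-readable findings; an empty list means the excerpt passes both checks."""
    findings = []
    acl = nat_exempt_acl(config)
    if acl is None:
        findings.append("missing 'nat (inside) 0 access-list': tunnel traffic would be translated and never match the crypto map")
    else:
        for s, d in parse_acls(config).get(acl, []):
            if s.prefixlen == 32 or d.prefixlen == 32:
                findings.append(f"{acl}: entry {s} -> {d} covers a single host; use <NetworkA> <mask> <NetworkB> <mask>")
    if not pat_ids(config):
        findings.append("no 'global (outside) N' / 'nat (inside) N' pair: inside hosts have no translation for internet-bound traffic")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit(cfg), classify(cfg, "10.24.54.20", "198.51.100.1"))
```

Run it as-is and the broken sample reports both findings and classifies an internet-bound flow as "no-translation", which is exactly the symptom in the question (tunnel up, no internet); the fixed sample sends LAN-to-LAN traffic to the tunnel and everything else through the interface PAT. Paste your own 'show run' excerpt in place of the sample strings to check a real box, remembering that the PIX still needs 'clear xlate' after the NAT change.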
ASKER
When I try to put the script in the PIX I get (??????)
ASKER
Please explain where I would plug in my ip addresses for the network a and network b.
access-list outside_c-map_20 permit ip <networkA> <subnet mask> <networkB> <subnet mask>
This has to be done on networkA.
access-list outside_c-map_20 permit ip <networkB> <subnet mask> <networkA> <subnet mask>
The above has to be done at the networkB.
Cheers,
Rajesh
Here NetworkA means your internal network at Site A (You have masked all the ip addresses in the output you posted here, so I don't know what is your internal network). Similarly NetworkB means your internal network at Site B.
Cheers,
Rajesh
ASKER
Can I just write a line to give access to the B side?
That is what the above access-list does wrt your configuration.
Cheers,
Rajesh
ASKER
logging on
logging timestamp
logging buffered 5
logging history 5
logging queue 0
no clock timezone
timeout xlate 1:00:00
http server enable
http 129.73.116.77 255.255.255.248 outside
http 64.46.232.0 255.255.248.0 outside
snmp-server community !S13m3n44!
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
no dhcpd enable inside
no dhcpd auto_config outside
no dhcpd address 192.168.1.2-192.168.1.33 inside
no global (outside) 1 interface
no nat (inside) 1 0.0.0.0 0.0.0.0
no nat (inside) 0 0.0.0.0 0.0.0.0
icmp permit 64.46.777.0 255.255.248.0 outside
ip address outside 70.89.654.41 255.255.255.0
ip address inside 10.24.54.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 70.89.438.42
access-list outside_c-map_20 permit ip host 10.24.160.# 129.73.116.44 255.255.255.0
nat (inside) 0 access-list outside_c-map_20
isakmp enable outside
isakmp key ####### address 12.46.0.193 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_c-map_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 12.46.135.193
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map outside_map interface outside
hostname rcsnet
domain-name sms.siemens.com
ca gen rsa key 1024
ssh 64.46.65.0 255.255.248.0 outside
ssh timeout 60
passwd 3333
enable password 3333
ca save all
Write Mem
Exit
This is the script that is kicking my butt; can someone solve this? I can use the VPN but I cannot get on the internet.