Troubleshooting question: Cisco PIX unable to route to second interface from VPN clients

Asked by debuggerau (Australia), topic: Cisco
I have been able to route to the second interface (intf2) from the inside LAN. Remote VPN clients are in the same subnet and can access internal resources and the internet with split tunnel, but are unable to contact anything on intf2.
I have tried adding static routes and also removed the split tunnel, but to no avail.

PIX Version 7.2(2)
!
hostname LSPFWDSL
domain-name xxxxxxx.com.au
enable password <removed>
names
.........
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.0.0.5 255.255.255.0
 ospf cost 10
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.1.11.7 255.255.255.0
 ospf cost 10
 rip send version 2
!
interface Ethernet2
 nameif intf2
 security-level 4
 ip address dhcp setroute
 ospf cost 10
 rip send version 2
!
passwd <removed>
!
time-range Daytime-Workweek
 periodic Monday 14:00 to Friday 17:30
 periodic Monday 17:30 to Friday 13:00
!
time-range PohTime
 absolute start 09:30 04 October 2007 end 17:00 04 October 2007
!
time-range war
 periodic Monday 16:51 to Friday 17:39
 periodic daily 13:00 to 13:30
 periodic daily 10:00 to 10:29
 periodic daily 11:00 to 11:30
 periodic daily 12:00 to 12:30
 periodic daily 9:00 to 9:29
!
boot system flash:/image.bin
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns domain-lookup outside
dns domain-lookup intf2
dns server-group DefaultDNS
 domain-name lspcoms.com.au
........
access-list lsp_splitTunnelAcl standard permit VPNACCESS 255.255.255.0
access-list lsp_splitTunnelAcl standard permit SecondIntranet 255.255.0.0
access-list intf2_nat0_outbound extended permit ip VPNACCESS 255.255.255.0 VPNACCESS 255.255.255.0
access-list intf2_nat0_outbound extended permit ip SecondIntranet 255.255.0.0 VPNACCESS 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm notifications
logging device-id hostname
logging host inside gcost
logging host inside syslog
mtu outside 1400
mtu inside 1500
mtu intf2 1500
ip local pool remotepool2 192.1.11.145-192.1.11.146
ip local pool SoftPhonePool 192.1.11.108-192.1.11.109
ip local pool vpnpool 192.1.11.112-192.1.11.139
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name infodrop info action alarm drop reset
ip audit name attachlog attack action alarm
ip audit name dropandlog attack action alarm drop reset
ip audit interface outside dropandlog
ip audit interface inside attachlog
ip audit signature 1000 disable
ip audit signature 1001 disable
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 6050 disable
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/pdm
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 2 ExchangeSrv
global (intf2) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (intf2) 0 access-list intf2_nat0_outbound
static (inside,outside) ExchgeStaticMap ExchangeSrv netmask 255.255.255.255
static (inside,outside) 10.0.0.86 VDCBOX netmask 255.255.255.255 dns
static (inside,outside) 10.0.0.87 LSPCRM netmask 255.255.255.255
static (inside,outside) 10.0.0.20 VOIPSignalling netmask 255.255.255.255
static (inside,outside) 10.0.0.88 PBX7400MCP netmask 255.255.255.255
static (inside,outside) 10.0.0.89 PBX7400MGI netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group intf2_access_in in interface intf2
route outside 0.0.0.0 0.0.0.0 LSPRouter 1
route inside 192.168.60.0 255.255.255.0 192.1.11.1 1
route intf2 SecondIntranet  255.255.0.0 172.24.40.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server value 192.1.11.77 192.1.11.2
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list value lspryanmehlhopt_splitTunnelAcl
 default-domain value lspcoms.com.au
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
group-policy LSPVPN internal
group-policy LSPVPN attributes
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LSPVPN_splitTunnelAcl
 default-domain value lspcoms.com.au
....
http server enable
http gcost 255.255.255.255 inside
http RaysNotebook 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
sysopt connection tcpmss 1360
sysopt noproxyarp inside
service internal
service resetinbound
service resetoutside
...
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint LSPCRL
 enrollment self
 serial-number
 crl configure
crypto ca certificate chain LSPCRL
 certificate 31
....
  quit
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  60
....
tunnel-group lsp type ipsec-ra
tunnel-group lsp general-attributes
 address-pool vpnpool
 default-group-policy lsp
tunnel-group lsp ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
dhcpd ping_timeout 750
dhcpd auto_config outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
tftp-server inside xxxx /InternetPIX
smtp-server 192.1.11.2
prompt hostname context
: end
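As an added illustration (not part of the original post or its answer), the script below encodes the pieces of the posted config that a VPN-client-to-intf2 flow depends on and runs the checks a reviewer would make by hand: which interface the route table picks for a target behind intf2, whether the VPN pool overlaps the inside subnet, and which direction of the flow the intf2 nat 0 access-list exempts. The named objects SecondIntranet and VPNACCESS are not shown in the post, so their values here are assumptions (172.24.0.0/16 inferred from the /16 route via 172.24.40.1, and the inside /24).

```python
from ipaddress import ip_address, ip_network, summarize_address_range

# Values copied from the posted config.
INSIDE_NET = ip_network("192.1.11.0/24")
VPN_POOL = list(summarize_address_range(ip_address("192.1.11.112"),
                                        ip_address("192.1.11.139")))
# Assumptions: the named objects are not shown in the post. SecondIntranet is
# taken as the /16 behind the 172.24.40.1 next hop; VPNACCESS as the inside /24.
SECOND_INTRANET = ip_network("172.24.0.0/16")
VPNACCESS = ip_network("192.1.11.0/24")

# "route" lines from the config: (egress interface, destination network).
ROUTES = [
    ("outside", ip_network("0.0.0.0/0")),
    ("inside", ip_network("192.168.60.0/24")),
    ("intf2", SECOND_INTRANET),
]

# access-list intf2_nat0_outbound, as (source, destination) pairs.
INTF2_NAT0 = [
    (VPNACCESS, VPNACCESS),
    (SECOND_INTRANET, VPNACCESS),
]

def egress_interface(dst):
    """Longest-prefix match over ROUTES, as the firewall would do for dst."""
    dst = ip_address(dst)
    matches = [r for r in ROUTES if dst in r[1]]
    return max(matches, key=lambda r: r[1].prefixlen)[0]

def pool_overlaps_interface(pool, iface_net):
    """True when any pool block overlaps the interface's connected subnet."""
    return any(block.overlaps(iface_net) for block in pool)

def nat0_covers(acl, src, dst):
    """True if some ACE in a nat 0 access-list exempts src->dst from NAT."""
    src, dst = ip_address(src), ip_address(dst)
    return any(src in s and dst in d for s, d in acl)

def checks(client="192.1.11.120", target="172.24.1.10"):
    """Summarise the conditions a VPN client -> intf2 flow depends on."""
    return {
        "route_to_target": egress_interface(target),
        "pool_overlaps_inside": pool_overlaps_interface(VPN_POOL, INSIDE_NET),
        "nat0_client_to_target": nat0_covers(INTF2_NAT0, client, target),
        "nat0_target_to_client": nat0_covers(INTF2_NAT0, target, client),
    }
```

Run `checks()` to get the findings as a dict; with the assumed object values it reports that the pool overlaps the inside /24 and that only the return direction (SecondIntranet to VPNACCESS) is exempted by intf2_nat0_outbound.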
ASKER CERTIFIED SOLUTION
debuggerau