No internet for my VPN clients for LRMOORE

I have tried to follow your suggestions to other questioners, but I still do not have Internet access for folks connecting to my PIX 7.1 firewall.
Here is my config:
 
PIX Version 7.1(2)                  
!
hostname CPFPix              
domain-name MDVNF.COM                    
enable password XXXXXXXXX encrypted                                          
names    
!
interface Ethernet0                  
 nameif outside              
 security-level 0                
 ip address 65.207.97.162 255.255.255.224                                        
!
interface Ethernet1                  
 nameif inside              
 security-level 100                  
 ip address 128.5.0.13 255.255.0.0                                  
!
passwd XXXXXXX encrypted                                
ftp mode passive                
dns server-group DefaultDNS                          
 domain-name MDVNF.COM                      
access-list 101 extended permit tcp any host 65.207.97.174 eq
access-list 101 extended permit tcp any host 65.207.97.174 eq https
access-list 101 extended permit tcp any host 65.207.97.175 eq www
access-list 101 extended permit tcp any host 65.207.97.175 eq https
access-list 101 extended permit tcp any host 65.207.97.176 eq 4080
access-list 101 extended permit tcp any host 65.207.97.176 eq https
access-list 101 extended permit tcp any host 65.207.97.177 eq www
access-list 101 extended permit tcp any host 65.207.97.177 eq 2024
access-list 101 extended permit tcp any host 65.207.97.177 eq 2048  
access-list 101 extended permit tcp any host 65.207.97.174 eq 2024
access-list 101 extended permit tcp any host 65.207.97.174 eq 2044
access-list 101 extended permit tcp any host 65.207.97.174 eq 2048
access-list 101 extended permit tcp any host 65.207.97.178 eq www
access-list 101 extended permit tcp any host 65.207.97.178 eq smtp
access-list 101 extended permit tcp any host 65.207.97.178 eq pop3
access-list 101 extended permit tcp any host 65.207.97.179 eq 4080
access-list 101 extended permit tcp any host 65.207.97.179 eq https
access-list 101 extended permit tcp any host 65.207.97.180 eq https
access-list acl_outbound extended permit tcp 128.1.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.2.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.3.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.4.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.5.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.6.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.7.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.8.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.9.0.0 255.255.0.0 any eq www
access-list acl_outbound extended deny tcp any any eq www
access-list acl_outbound extended permit ip any any
access-list 100 extended permit ip 128.1.0.0 255.255.0.0 128.5.200.0 255.255.255
access-list 100 extended permit ip 128.5.0.0 255.255.0.0 128.5.200.0 255.255.255
access-list VPN3000_splitTunnelAcl standard permit any
pager lines 24              
logging enable              
logging timestamp                
logging trap debugging                      
logging device-id ipaddress inside                                  
logging host inside 128.1.0.96                              
mtu outside 1500                
mtu inside 1500              
ip local pool vpnclients 128.5.200.1-128.5.200.50
no failover          
asdm image flash:/asdm                      
no asdm history enable                      
arp timeout 14400                
global (outside) 1 65.207.97.163-65.207.97.173
global (outside) 1 interface                            
nat (inside) 0 access-list 100                              
nat (inside) 1 128.1.0.0 255.255.0.0                                    
nat (inside) 1 128.2.0.0 255.255.0.0                                    
nat (inside) 1 128.3.0.0 255.255.0.0                                    
nat (inside) 1 128.4.0.0 255.255.0.0                                    
nat (inside) 1 128.5.0.0 255.255.0.0                                    
nat (inside) 1 128.6.0.0 255.255.0.0                                    
nat (inside) 1 128.7.0.0 255.255.0.0                                    
nat (inside) 1 128.8.0.0 255.255.0.0                                    
nat (inside) 1 128.9.0.0 255.255.0.0                                    
static (inside,outside) 65.207.97.174 128.5.0.14 netmask 255.255.255.255
static (inside,outside) 65.207.97.175 128.5.0.15 netmask 255.255.255.255
static (inside,outside) 65.207.97.176 128.5.0.5 netmask 255.255.255.255
static (inside,outside) 65.207.97.177 128.1.0.27 netmask 255.255.255.255
static (inside,outside) 65.207.97.178 128.1.0.28 netmask 255.255.255.255
static (inside,outside) 65.207.97.179 128.5.0.7 netmask 255.255.255.255
static (inside,outside) 65.207.97.180 128.1.0.9 netmask 255.255.255.255
access-group 101 in interface outside                                    
access-group acl_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 65.207.97.161 1
route inside 128.1.0.0 255.255.0.0 128.5.250.0 1
route inside 128.2.0.0 255.255.0.0 128.5.250.0 1
route inside 128.3.0.0 255.255.0.0 128.5.250.0 1
route inside 128.4.0.0 255.255.0.0 128.5.250.0 1
route inside 128.6.0.0 255.255.0.0 128.5.250.0 1
route inside 128.7.0.0 255.255.0.0 128.5.250.0 1
route inside 128.8.0.0 255.255.0.0 128.5.250.0 1
route inside 128.9.0.0 255.255.0.0 128.5.250.0 1
timeout xlate 3:00:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute                              
group-policy vpn3000 internal                            
group-policy vpn3000 attributes                              
 wins-server value 128.1.0.11                            
 dns-server value 128.5.0.11                            
 vpn-idle-timeout 30                    
 vpn-tunnel-protocol IPSec                          
 ipsec-udp enable                
 split-tunnel-network-list value VPN3000_splitTunnelAcl
default-domain value mdvnf.com                              
http server enable                  
http 128.5.0.13 255.255.255.255 inside                                      
no snmp-server location                      
no snmp-server              
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MDVTRANS esp-des esp-md5-hmac
crypto dynamic-map MDVMAP 10 set transform-set MDVTRANS
crypto dynamic-map MDVMAP 20 set transform-set MDVTRANS
crypto map MDVMAP1 10 ipsec-isakmp dynamic MDVMAP
crypto map MDVMAP1 interface outside                                    
isakmp identity address                      
isakmp enable outside                    
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des                              
isakmp policy 10 hash md5                        
isakmp policy 10 group 1                        
isakmp policy 10 lif                  
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des                              
isakmp policy 20 hash md5                        
isakmp policy 20 group 2                        
isakmp policy 20 lifetime 86400                              
tunnel-group vpn3000 type ipsec-ra                                  
tunnel-group vpn3000 general-attributes                                      
 address-pool (outside) vpnclients                                  
 address-pool vpnclients                        
 authentication-server-group none                                
 authorization-server-group LOCAL                                
 default-group-policy vpn3000                            
tunnel-group vpn3000 ipsec-attributes                                    
 pre-shared-key *                
ssh timeout 5            
console timeout 0                
dhcpd dns 128.5.0.11                    
dhcpd wins 128.5.0.11                    
!
class-map inspection_default                            
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:
: end
redcell5Asked:
Alan Huseyin KayahanCommented:
  Hi redcell5
       I assume you misunderstood lrmoore; he doesn't suggest a split tunnel like the following:
access-list VPN3000_splitTunnelAcl standard permit any

      Try this
      First, create a pool that is not covered by your inside subnetmask
ip local pool vpnpool 128.10.200.1-128.10.200.50

access-list split_t permit ip 128.5.0.0 255.255.0.0 128.10.200.0 255.255.255.0
tunnel-group vpn3000 general-attributes                                      
no address-pool vpnclients                        
address-pool vpnpool
exit
group-policy vpn3000 attributes                              
no split-tunnel-network-list value VPN3000_splitTunnelAcl
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_t

no access-list 100 extended permit ip 128.1.0.0 255.255.0.0 128.5.200.0 255.255.255
no access-list 100 extended permit ip 128.5.0.0 255.255.0.0 128.5.200.0 255.255.255
access-list 100 extended permit ip 128.1.0.0 255.255.0.0 128.10.200.0 255.255.255
access-list 100 extended permit ip 128.5.0.0 255.255.0.0 128.10.200.0 255.255.255

Regards
0
redcell5Author Commented:
O.K. MRHUSY
We solved the problem of browsing the internet, but we nixed the ability to do inside network name resolution.  Prior to the changes above (I know that I changed one or two things), I could resolve names and ping IPs inside the network.  Now I cannot.  Also, I wanted to be able to map an external IP 65.207.97.178 to an internal IP at a different site at 128.1.0.16.  Is there something I am missing there?


PIX Version 7.1(2)
!
hostname CPFPix
domain-name MDVNF.COM
enable password XXXXXXX encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 65.207.97.162 255.255.255.224
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 128.5.0.13 255.255.0.0
!
passwd XXXXXXXXXXXXencrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name MDVNF.COM
access-list 101 extended permit tcp any host 65.207.97.174 eq www
access-list 101 extended permit tcp any host 65.207.97.174 eq https
access-list 101 extended permit tcp any host 65.207.97.175 eq www
access-list 101 extended permit tcp any host 65.207.97.175 eq https
access-list 101 extended permit tcp any host 65.207.97.176 eq 4080
access-list 101 extended permit tcp any host 65.207.97.176 eq https
access-list 101 extended permit tcp any host 65.207.97.177 eq www
access-list 101 extended permit tcp any host 65.207.97.177 eq 2024
access-list 101 extended permit tcp any host 65.207.97.177 eq 2044
access-list 101 extended permit tcp any host 65.207.97.177 eq 2048
access-list 101 extended permit tcp any host 65.207.97.174 eq 2024
access-list 101 extended permit tcp any host 65.207.97.174 eq 2044
access-list 101 extended permit tcp any host 65.207.97.174 eq 2048
access-list 101 extended permit tcp any host 65.207.97.178 eq www
access-list 101 extended permit tcp any host 65.207.97.178 eq smtp
access-list 101 extended permit tcp any host 65.207.97.178 eq pop3
access-list 101 extended permit tcp any host 65.207.97.178 eq https
access-list 101 extended permit tcp any host 65.207.97.179 eq 4080
access-list 101 extended permit tcp any host 65.207.97.179 eq https
access-list 101 extended permit tcp any host 65.207.97.180 eq https
access-list acl_outbound extended permit tcp 128.1.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.2.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.3.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.4.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.5.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.6.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.7.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.8.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.9.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit ip any any
access-list acl_outbound extended deny tcp any any eq www
access-list 100 extended permit ip 128.1.0.0 255.255.0.0 128.50.200.0 255.255.255.0
access-list 100 extended permit ip 128.5.0.0 255.255.0.0 128.50.200.0 255.255.255.0
access-list split_t extended permit ip 128.5.0.0 255.255.0.0 128.50.200.0 255.255.255.0
access-list VPN3000_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging device-id ipaddress inside
logging host inside 128.1.0.96
mtu outside 1500
mtu inside 1500
ip local pool vnp3000clients 128.50.200.1-128.50.200.50
no failover
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 1 65.207.97.163-65.207.97.173
global (outside) 1 interface
nat (inside) 1 128.1.0.0 255.255.0.0
nat (inside) 1 128.2.0.0 255.255.0.0
nat (inside) 1 128.3.0.0 255.255.0.0
nat (inside) 1 128.4.0.0 255.255.0.0
nat (inside) 1 128.5.0.0 255.255.0.0
nat (inside) 1 128.6.0.0 255.255.0.0
nat (inside) 1 128.7.0.0 255.255.0.0
nat (inside) 1 128.8.0.0 255.255.0.0
nat (inside) 1 128.9.0.0 255.255.0.0
static (inside,outside) 65.207.97.174 128.5.0.14 netmask 255.255.255.255
static (inside,outside) 65.207.97.175 128.5.0.15 netmask 255.255.255.255
static (inside,outside) 65.207.97.176 128.5.0.5 netmask 255.255.255.255
static (inside,outside) 65.207.97.177 128.1.0.27 netmask 255.255.255.255
static (inside,outside) 65.207.97.179 128.5.0.7 netmask 255.255.255.255
static (inside,outside) 65.207.97.180 128.1.0.9 netmask 255.255.255.255
static (inside,outside) 65.207.97.178 128.1.0.16 netmask 255.255.255.255
access-group 101 in interface outside
access-group acl_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 65.207.97.161 1
route inside 128.1.0.0 255.255.0.0 128.5.250.0 1
route inside 128.2.0.0 255.255.0.0 128.5.250.0 1
route inside 128.3.0.0 255.255.0.0 128.5.250.0 1
route inside 128.4.0.0 255.255.0.0 128.5.250.0 1
route inside 128.6.0.0 255.255.0.0 128.5.250.0 1
route inside 128.7.0.0 255.255.0.0 128.5.250.0 1
route inside 128.8.0.0 255.255.0.0 128.5.250.0 1
route inside 128.9.0.0 255.255.0.0 128.5.250.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn3000 internal
group-policy vpn3000 attributes
 wins-server value 128.1.0.11
 dns-server value 128.5.0.11
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_t
 default-domain value mdvnf.com
http server enable
http 128.5.0.13 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MDVTRANS esp-des esp-md5-hmac
crypto dynamic-map MDVMAP 10 set transform-set MDVTRANS
crypto dynamic-map MDVMAP 20 set transform-set MDVTRANS
crypto map MDVMAP1 10 ipsec-isakmp dynamic MDVMAP
crypto map MDVMAP1 interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool (outside) vnp3000clients
 authentication-server-group none
 authorization-server-group LOCAL
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key *
telnet 128.1.0.16 255.255.255.255 inside
telnet 128.1.50.1 255.255.255.255 inside
telnet 128.1.50.2 255.255.255.255 inside
telnet 128.5.0.6 255.255.255.255 inside
telnet 128.5.50.3 255.255.255.255 inside
telnet 128.1.0.96 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 128.5.0.11
dhcpd wins 128.5.0.11
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:
: end
0
Alan Huseyin KayahanCommented:
Your WINS server is 128.1.0.11 and we don't have split tunneling for that subnet. Add the following line:
access-list split_t  permit ip 128.1.0.0 255.255.0.0 128.50.200.0 255.255.255.0
  As I can see, you have 9 networks inside. If you want your VPN clients to be able to communicate with them, you should add entries to acl 100 and acl split_t like above.

0
redcell5Author Commented:
will that solve the pinging issue to the 128.1.0.0 network as well?
0
Alan Huseyin KayahanCommented:
"Also, I wanted to be able to map an external IP 65.207.97.178 to an internal IP at a different site at 128.1.0.16.  Is there something I am missing there"

As far as I know, the route should point to an interface IP, not a network IP. The following statement is wrong (also for all the other networks):
route inside 128.1.0.0 255.255.0.0 128.5.250.0
0
Alan Huseyin KayahanCommented:
"will that solve the pinging issue to the 128.1.0.0 network as well?"
As long as you have the wrong route statements, as I mentioned above, nothing will work.
0
redcell5Author Commented:
I found this.....
It is common to use a default route to the untrusted side of the PIX (the outside interface). The following is an example of how the route commands might be configured if the outside interface were connected to the Internet and the inside interface were connected to your company intranet, which consists of three subnets. The inside interface is directly connected to the 10.2.0.0 255.255.0.0 subnet. The 10.3.0.0 and 10.4.0.0 subnets are reached via a router with a local interface of 10.2.1.4.

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 10.3.0.0 255.255.0.0 10.2.1.4 1
route inside 10.4.0.0 255.255.0.0 10.2.1.4 1

With the default route, any traffic that is permitted to pass through the PIX that has a destination network other than 10.2.0.0, 10.3.0.0, and 10.4.0.0 will be passed through the outside interface to 192.168.1.1 for routing.

The firewall is directly connected to the internet. 128.5.250.0 is the interface of the router inside. The 128.1.0.0-128.9.0.0 networks are inside my network.

I put in the statement you mentioned, "access-list split_t  permit ip 128.1.0.0 255.255.0.0 128.50.200.0 255.255.255.0", to no avail.
Thoughts?  Your help is greatly appreciated!
R
0
redcell5Author Commented:
This one's getting tougher....no internet access now.
0
redcell5Author Commented:
from the asa ping inside interface to 128.1.0.16 sent 5 100% success.....cannot do this from VPN client however....
0
redcell5Author Commented:
any one have some insight on this?
0
redcell5Author Commented:
HELP PLEASE ANYONE?????
no joy......
I can connect to the internet when I am on VPN, but no ping, and I still cannot get the external mapping to the internal address on the other subnet whether I am VPN'd or not.

here is the latest config file......
show run
: Saved
:
PIX Version 7.1(2)
!
hostname CPFPix
domain-name MDVNF.COM
enable password XXXXXXX encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 65.207.97.162 255.255.255.224
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 128.5.0.13 255.255.0.0
!
passwd XXXXXXXXXencrypted
ftp mode passive
dns server-group DefaultDNS
domain-name MDVNF.COM
access-list 101 extended permit tcp any host 65.207.97.174 eq www
access-list 101 extended permit tcp any host 65.207.97.174 eq https
access-list 101 extended permit tcp any host 65.207.97.175 eq www
access-list 101 extended permit tcp any host 65.207.97.175 eq https
access-list 101 extended permit tcp any host 65.207.97.176 eq 4080
access-list 101 extended permit tcp any host 65.207.97.176 eq https
access-list 101 extended permit tcp any host 65.207.97.177 eq www
access-list 101 extended permit tcp any host 65.207.97.177 eq 2024
access-list 101 extended permit tcp any host 65.207.97.177 eq 2044
access-list 101 extended permit tcp any host 65.207.97.177 eq 2048
access-list 101 extended permit tcp any host 65.207.97.174 eq 2024
access-list 101 extended permit tcp any host 65.207.97.174 eq 2044
access-list 101 extended permit tcp any host 65.207.97.174 eq 2048
access-list 101 extended permit tcp any host 65.207.97.178 eq www
access-list 101 extended permit tcp any host 65.207.97.178 eq smtp
access-list 101 extended permit tcp any host 65.207.97.178 eq pop3
access-list 101 extended permit tcp any host 65.207.97.178 eq https
access-list 101 extended permit tcp any host 65.207.97.179 eq 4080
access-list 101 extended permit tcp any host 65.207.97.179 eq https
access-list 101 extended permit tcp any host 65.207.97.180 eq https
access-list acl_outbound extended permit tcp 128.1.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.2.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.3.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.4.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.5.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.6.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.7.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.8.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.9.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit ip any any
access-list acl_outbound extended deny tcp any any eq www
access-list 100 extended permit ip 128.1.0.0 255.255.0.0 128.50.200.0 255.255.255.0
access-list 100 extended permit ip 128.5.0.0 255.255.0.0 128.50.200.0 255.255.255.0
access-list split_t extended permit ip 128.5.0.0 255.255.0.0 128.50.200.0 255.255.255.0
access-list VPN3000_splitTunnelAcl standard permit any
access-list nonat extended permit ip 128.5.0.0 255.255.0.0 128.50.200.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging device-id ipaddress inside
logging host inside 128.1.0.96
mtu outside 1500
mtu inside 1500
ip local pool vnp3000clients 128.50.200.1-128.50.200.50
no failover
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 1 65.207.97.163-65.207.97.173
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 128.1.0.0 255.255.0.0
nat (inside) 1 128.2.0.0 255.255.0.0
nat (inside) 1 128.3.0.0 255.255.0.0
nat (inside) 1 128.4.0.0 255.255.0.0
nat (inside) 1 128.5.0.0 255.255.0.0
nat (inside) 1 128.6.0.0 255.255.0.0
nat (inside) 1 128.7.0.0 255.255.0.0
nat (inside) 1 128.8.0.0 255.255.0.0
nat (inside) 1 128.9.0.0 255.255.0.0
static (inside,outside) 65.207.97.174 128.5.0.14 netmask 255.255.255.255
static (inside,outside) 65.207.97.175 128.5.0.15 netmask 255.255.255.255
static (inside,outside) 65.207.97.176 128.5.0.5 netmask 255.255.255.255
static (inside,outside) 65.207.97.177 128.1.0.27 netmask 255.255.255.255
static (inside,outside) 65.207.97.179 128.5.0.7 netmask 255.255.255.255
static (inside,outside) 65.207.97.180 128.1.0.9 netmask 255.255.255.255
static (inside,outside) 65.207.97.178 128.1.0.16 netmask 255.255.255.255
access-group 101 in interface outside
access-group acl_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 65.207.97.161 1
route inside 128.1.0.0 255.255.0.0 128.5.250.0 1
route inside 128.2.0.0 255.255.0.0 128.5.250.0 1
route inside 128.3.0.0 255.255.0.0 128.5.250.0 1
route inside 128.4.0.0 255.255.0.0 128.5.250.0 1
route inside 128.6.0.0 255.255.0.0 128.5.250.0 1
route inside 128.7.0.0 255.255.0.0 128.5.250.0 1
route inside 128.8.0.0 255.255.0.0 128.5.250.0 1
route inside 128.9.0.0 255.255.0.0 128.5.250.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn3000 internal
group-policy vpn3000 attributes
 wins-server value 128.1.0.11
 dns-server value 128.5.0.11
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_t
 default-domain value mdvnf.com
http server enable
http 128.5.0.13 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MDVTRANS esp-des esp-md5-hmac
crypto dynamic-map MDVMAP 10 set transform-set MDVTRANS
crypto dynamic-map MDVMAP 20 set transform-set MDVTRANS
crypto map MDVMAP1 10 ipsec-isakmp dynamic MDVMAP
crypto map MDVMAP1 interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp nat-traversal  20
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool (outside) vnp3000clients
 authentication-server-group none
 authorization-server-group LOCAL
default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 128.5.0.11
dhcpd wins 128.5.0.11
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:
: end

 
0
Alan Huseyin KayahanCommented:
The text you found has no relationship with your scenario.
"The firewall is directly connected to the internet....128.5.250.0 is the interface of the router inside"
You cannot assign this as an interface IP; .0 is a network ID, just like you cannot assign 128.5.200.255 because it is the broadcast. First assign a valid IP to your router.
  Do not play around with your default route (the following entry); it is what gives you internet access. It is correct, and 65.207.97.161 is a correct IP address.
route outside 0.0.0.0 0.0.0.0 65.207.97.161  
0
redcell5Author Commented:
Duhhh...didn't even see that....
So if I change my E0 IP to, say, 128.5.250.1 as illustrated below, this should open up a whole lot of things?
I feel kind of dumb right now.

interface Ethernet0
 ip address 128.5.250.1 255.255.0.0
 ip helper-address 128.1.0.29
 ip helper-address 128.1.0.26
 ip helper-address 128.1.0.96
 no ip redirects
 no ip mroute-cache
 media-type 10BaseT
 ipx network 5
 ipx type-20-propagation
 no mop enabled
0
Alan Huseyin KayahanCommented:
  Your problem will be resolved as you make the change above. Don't forget to set your routes in the PIX to 128.5.250.1, except the default route.
    We all make simple mistakes sometimes :)
0
redcell5Author Commented:
Well MrHusy,
Here is the response from my boss....
If the subnet mask is 255.255.0.0 then 128.1.250.0 is a perfectly valid IP address....thoughts?
0
Alan Huseyin KayahanCommented:
  That's correct, I missed the class B IP of the router. Then you should be able to ping a client in 128.1.0.0.
    In CLI of PIX, type
    ping 128.1.0.16
    And please post the output of  
    traceroute 128.1.0.16

 
0
redcell5Author Commented:
While connected via terminal server, I can ping 128.1.0.16, but I cannot ping anything when connected via VPN.
Every time I try a traceroute command on the F/W I get this:
CPFPix# traceroute
         ^
ERROR: % Invalid input detected at '^' marker.
CPFPix#
0
Alan Huseyin KayahanCommented:
Ah... your IOS is 7.1, it doesn't support traceroute.
"While connected via terminal server" connected to where?
   Please post the output of tracert 128.1.0.16 from the command line of a PC connected via the VPN client.
   
0
redcell5Author Commented:
doh.....
I was connected via telnet....Inside the network, sorry....will post the trace in a few...
0
redcell5Author Commented:
Here is the trace result to 128.1.0.16 from an external VPN client connecting to the Firewall.
tracert.bmp
0
Alan Huseyin KayahanCommented:
Ah... my bad.
   You have to add reverse route for 128.50.200.0 255.255.255.0 into your router! 128.5.250.0 to 128.5.0.13
  ip route 128.50.200.0 255.255.255.0 128.5.0.13
0
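The three fixes this thread arrived at (a VPN pool that does not sit inside an inside subnet, a split-tunnel entry and a nat 0 exemption for every inside network, a next hop for the PIX's inside routes that is a real host rather than a network address, and a reverse route for the pool on the inside router) are easy to miss one at a time. The checker below is an added example, not code from the thread or from Cisco: it reads the handful of PIX 7.x lines that matter for client reachability plus the router's static routes and reports what each inside network still lacks. The configs embedded in it are constructed from the addresses in the thread and deliberately leave 128.1.0.0/16 without a nat 0 entry and 128.2.0.0/16 without either entry; the function and variable names are my own.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# Constructed sample: the VPN-relevant lines of a 'show run' after the thread's fixes,
# except that 128.1.0.0/16 still lacks a nat 0 entry and 128.2.0.0/16 lacks both entries.
PIX_CONFIG = """
ip local pool vnp3000clients 128.50.200.1-128.50.200.50
access-list nonat extended permit ip 128.5.0.0 255.255.0.0 128.50.200.0 255.255.255.0
access-list split_t extended permit ip 128.5.0.0 255.255.0.0 128.50.200.0 255.255.255.0
access-list split_t extended permit ip 128.1.0.0 255.255.0.0 128.50.200.0 255.255.255.0
nat (inside) 0 access-list nonat
route inside 128.1.0.0 255.255.0.0 128.5.250.1 1
route inside 128.2.0.0 255.255.0.0 128.5.250.1 1
group-policy vpn3000 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_t
"""

# Constructed sample: the inside router's static route back to the pool via the PIX inside IP.
ROUTER_CONFIG = "ip route 128.50.200.0 255.255.255.0 128.5.0.13\n"


def _net(addr: str, mask: str) -> Net:
    return Net(f"{addr}/{mask}", strict=False)


def parse_pool(cfg: str, name: str) -> Tuple[Addr, Addr]:
    """First and last address of 'ip local pool <name> first-last'."""
    m = re.search(rf"^ip local pool {re.escape(name)} (\S+)-(\S+)", cfg, re.M)
    if not m:
        raise ValueError(f"pool {name!r} not found")
    return Addr(m.group(1)), Addr(m.group(2))


def parse_permit_ip(cfg: str, acl: str) -> List[Tuple[Net, Net]]:
    """(source, destination) pairs of the 'permit ip' lines of one named ACL."""
    pat = re.compile(
        rf"^access-list {re.escape(acl)} (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
    return [(_net(s, sm), _net(d, dm)) for s, sm, d, dm in pat.findall(cfg)]


def split_tunnel_acl(cfg: str) -> Optional[str]:
    """Name of the split-tunnel list, or None when everything is tunnelled (no entry needed)."""
    if not re.search(r"^\s*split-tunnel-policy tunnelspecified", cfg, re.M):
        return None
    m = re.search(r"^\s*split-tunnel-network-list value (\S+)", cfg, re.M)
    return m.group(1) if m else None


def nat_exempt_acl(cfg: str) -> Optional[str]:
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    return m.group(1) if m else None


def route_next_hop_issues(cfg: str, inside_if: str) -> List[Tuple[str, str]]:
    """'route inside' next hops that are not a usable host on the inside interface subnet.
    The network or broadcast address of that subnet (128.5.0.0 on a 255.255.0.0 mask) is
    wrong; 128.5.250.0 on the same mask is an ordinary host and passes."""
    subnet = Net(inside_if, strict=False)
    bad = []
    for dest, mask, nh in re.findall(r"^route inside (\S+) (\S+) (\S+)", cfg, re.M):
        hop = Addr(nh)
        if hop not in subnet or hop in (subnet.network_address, subnet.broadcast_address):
            bad.append((str(_net(dest, mask)), nh))
    return bad


def _covers(entries: List[Tuple[Net, Net]], inside: Net, first: Addr, last: Addr) -> bool:
    return any(inside.subnet_of(src) and first in dst and last in dst for src, dst in entries)


def lint(pix_cfg: str, router_cfg: str, pool: str, inside_networks: List[str], inside_if: str) -> Dict:
    """Per-network list of missing pieces plus the pool, next-hop and reverse-route checks."""
    first, last = parse_pool(pix_cfg, pool)
    pix_inside = ipaddress.IPv4Interface(inside_if).ip
    nets = [Net(n) for n in inside_networks]
    split_acl = split_tunnel_acl(pix_cfg)
    split_entries = parse_permit_ip(pix_cfg, split_acl) if split_acl else []
    nonat = nat_exempt_acl(pix_cfg)
    nonat_entries = parse_permit_ip(pix_cfg, nonat) if nonat else []
    routes = re.findall(r"^ip route (\S+) (\S+) (\S+)", router_cfg, re.M)
    report: Dict = {
        # The thread's first fix: the pool must not be carved out of an inside subnet.
        "pool_overlaps_inside": [str(n) for n in nets if first in n or last in n],
        "bad_inside_next_hops": route_next_hop_issues(pix_cfg, inside_if),
        # The last fix: the inside router must know the pool lives behind the PIX inside IP.
        "reverse_route_ok": any(first in _net(d, m) and last in _net(d, m) and Addr(nh) == pix_inside
                                for d, m, nh in routes),
        "networks": {},
    }
    for n in nets:
        missing = []
        if split_acl and not _covers(split_entries, n, first, last):
            missing.append("split-tunnel")   # client never sends this destination into the tunnel
        if not _covers(nonat_entries, n, first, last):
            missing.append("nat-exempt")     # inside-to-client traffic gets NATed like internet traffic
        report["networks"][str(n)] = missing
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(lint(PIX_CONFIG, ROUTER_CONFIG, "vnp3000clients",
                          ["128.1.0.0/16", "128.2.0.0/16", "128.5.0.0/16"], "128.5.0.13/16"), indent=2))
```

Run as-is it reports 128.5.0.0/16 as complete, 128.1.0.0/16 as missing only its nat 0 entry and 128.2.0.0/16 as missing both, with the pool, next hops and reverse route all fine. Feeding it the thread's original pool line (128.5.200.1-128.5.200.50 on an inside interface of 128.5.0.13/16) flags the overlap, and a route whose next hop is 128.5.0.0 is flagged while 128.5.250.0 is accepted, which is the point the asker's boss made. For a real box, the same check should be run once per inside network that clients are meant to reach, since each one needs its own pair of ACL entries.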
redcell5Author Commented:
Woohoo!!!!!
That did it......
Thanks SO much
0
Alan Huseyin KayahanCommented:
You are welcome :)
0