Solved

VPN tunnel with VPN client works fine, but no internet access anymore

Posted on 2008-02-07
Medium Priority
649 Views
Last Modified: 2013-11-08
Hello all,
I have a PIX 501 firewall at home. I programmed a VPN client with the PDM manager. I am using the Cisco client to access my home PIX 501.

The VPN connection works fine, but I don't have any internet access anymore after I build the tunnel.

There must be something wrong in the route; the config is shown below:
: Saved
: Written by enable_15 at 16:45:34.346 CEST Thu Feb 7 2008
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 10htpePS/vtVvnu7 encrypted
passwd 10htpePS/vtVvnu7 encrypted
hostname MJMSTUDIO-ARNHEM
domain-name mjmstudio.nl
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 20
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.19.4 ROADRUNNER
name 192.168.19.3 ZAXXON
name 192.168.19.10 GOOFY
name 192.168.19.5 ASUS-WL
name 192.168.19.100 DELL1700N
name 192.168.19.0 ArnhemNet
name ***.***.172.15 mjmstudio.nl
access-list acl_inside permit ip any any
access-list acl_inside permit tcp any eq telnet any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any interface outside eq 5900
access-list outside_access_in permit tcp any interface outside eq 5800
access-list outside_access_in permit tcp any interface outside eq ftp-data
access-list outside_access_in permit tcp any interface outside eq ftp
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq 18190
access-list outside_access_in permit tcp any interface outside eq smtp
access-list inside_outbound_nat0_acl permit ip any 192.168.19.128 255.255.255.248
access-list inside_outbound_nat0_acl permit ip ArnhemNet 255.255.255.0 192.168.199.0 255.255.255.128
access-list inside_outbound_nat0_acl permit ip any 192.168.38.96 255.255.255.224
access-list vpnremote_splitTunnelAcl permit ip ArnhemNet 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.38.96 255.255.255.224
access-list mjmstudio_splitTunnelAcl permit ip any any
access-list inbound permit udp any any eq 119
access-list inbound permit tcp any any eq https
access-list inbound permit tcp any any eq nntp
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp retry 4
ip address inside 192.168.19.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.38.100-192.168.38.125
pdm location ZAXXON 255.255.255.255 inside
pdm location GOOFY 255.255.255.255 inside
pdm location ASUS-WL 255.255.255.255 inside
pdm location DELL1700N 255.255.255.255 inside
pdm location ArnhemNet 255.255.255.0 inside
pdm location mjmstudio.nl 255.255.255.255 outside
pdm location ***.***.38.0 255.255.255.0 outside
pdm location 192.168.19.128 255.255.255.248 outside
pdm location 192.168.199.0 255.255.255.128 outside
pdm location 0.0.0.60 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 ZAXXON 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data GOOFY ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp GOOFY ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www ZAXXON www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 ZAXXON 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp ZAXXON smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 mjmstudio.nl 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:00:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http ArnhemNet 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside ZAXXON D:\Cisco
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map_1 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map_1 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map_1 65535 ipsec-isakmp dynamic outside_dyn_map_1
crypto map outside_map_1 interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup mjmstudio address-pool vpnpool
vpngroup mjmstudio dns-server ZAXXON 212.142.28.66
vpngroup mjmstudio wins-server ZAXXON
vpngroup mjmstudio default-domain mjmstudio.nl
vpngroup mjmstudio split-tunnel mjmstudio_splitTunnelAcl
vpngroup mjmstudio idle-time 1800
vpngroup mjmstudio password ********
telnet ***.***.38.0 255.255.255.0 outside
telnet ArnhemNet 255.255.255.0 inside
telnet 0.0.0.60 255.255.255.255 inside
telnet timeout 60
ssh ***.***.***.0 255.255.255.0 outside
ssh ***.***.38.0 255.255.255.0 outside
ssh 0.0.0.60 255.255.255.255 inside
ssh timeout 60
management-access inside
console timeout 0
dhcpd address 192.168.19.90-192.168.19.99 inside
dhcpd dns ZAXXON
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain mjmstudio.nl
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:ebb46f2805a13389f0c8574b34c3e137
MJMSTUDIO-ARNHEM#


Question by:mjmatthijssen
33 Comments
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 20842312
So, you have no access from inside or outside when using the VPN? I'm not quite clear on the issue here, which is why I am asking the question...

Let us know.

Author Comment

by:mjmatthijssen
ID: 20842348
Hello,

I am currently at a remote location, and when I build a VPN tunnel to my home PIX, internet access isn't possible anymore.
I am using the Cisco VPN Client.
LVL 29

Expert Comment

by:Michael Worsham
ID: 20842358
Cisco VPN clients are rather unique. You have to make sure you allow split tunneling for the client from the delegating VPN server.

See this EE thread:
http://www.experts-exchange.com/Security/Misc/Q_21347725.html

Author Comment

by:mjmatthijssen
ID: 20842360
But I am able to access my internal network from the remote site. So the tunnel is working fine, but I lose the possibility to access just the internet / web.
LVL 29

Expert Comment

by:Michael Worsham
ID: 20842428
Unless split tunneling is enabled, you won't be able to go outside your tunneled network.

Author Comment

by:mjmatthijssen
ID: 20842565
Can you please check the config? It's rather standard...
LVL 29

Expert Comment

by:Michael Worsham
ID: 20850778
Took another look at it and recommend adding this in:

vpngroup mjmstudio split-tunnel mjmstudio_splitTunnelAcl

access-list mjmstudio_splitTunnelAcl permit ip any any

LVL 29

Expert Comment

by:Michael Worsham
ID: 20850895
You also need to change the "mjmstudio_splitTunnelAcl" to something like...

access-list mjmstudio_splitTunnelAcl permit ip ArnhemNet 255.255.255.0 any

Author Comment

by:mjmatthijssen
ID: 20948368
Hello,

I changed the config with a radius server. The VPN tunnel comes UP, but I am not able to browse my internal network and I can also not access the internet when the tunnel is UP.
Config is shown below:

Author Comment

by:mjmatthijssen
ID: 20948448
login as: pix
Sent username "pix"
pix@www.mjmstudio.nl's password:
Type help or '?' for a list of available commands.
pix-ArnhemNet>
pix-ArnhemNet> en
Password: *******
pix-ArnhemNet# sh conf
: Saved
: Written by enable_15 at 22:35:29.790 UTC Wed Feb 20 2008
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 10htpePS/vtVvnu7 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix-ArnhemNet
domain-name mjmstudio.nl
fixup protocol dns
fixup protocol ftp 20
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.19.4 ROADRUNNER
name 192.168.19.3 ZAXXON
name 192.168.19.10 GOOFY
name 192.168.19.5 ASUS-WL
name 192.168.19.100 DELL1700N
name 192.168.19.2 MISSPIGGY
name 192.168.19.75 XBOX360
name 213.93.172.15 mjmstudio.nl
name 192.168.19.0 ArnhemNet
access-list acl_inside permit ip any any
access-list acl_inside permit tcp any eq telnet any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any interface outside eq 5900
access-list outside_access_in permit tcp any interface outside eq 5800
access-list outside_access_in permit tcp any interface outside eq ftp-data
access-list outside_access_in permit tcp any interface outside eq ftp
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq 18190
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq 88
access-list outside_access_in permit tcp any interface outside eq 3074
access-list outside_access_in permit tcp any interface outside eq 5901
access-list outside_access_in permit tcp any interface outside eq 3390
access-list outside_access_in permit udp any interface outside eq 3074
access-list outside_access_in permit udp any interface outside eq 88
access-list outside_access_in permit tcp any interface outside eq pop3
access-list outside_access_in permit tcp any interface outside eq https
access-list outside permit tcp any interface outside eq 3074
access-list outside permit udp any interface outside eq 3074
access-list outside permit udp any interface outside eq 88
access-list outside permit tcp any interface outside eq pop3
access-list 102 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list 101 permit tcp any eq domain any
access-list 101 permit udp any eq domain any
access-list inbound permit udp any any eq 119
access-list inbound permit tcp any any eq https
access-list inbound permit tcp any any eq nntp
access-list inbound permit tcp any any eq pop3
access-list xboxlive_inbound permit tcp any interface outside eq 3074
access-list xboxlive_inbound permit udp any interface outside eq 3074
access-list xboxlive_inbound permit udp any interface outside eq 88
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp retry 4
ip address inside 192.168.19.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm location ZAXXON 255.255.255.255 inside
pdm location GOOFY 255.255.255.255 inside
pdm location ASUS-WL 255.255.255.255 inside
pdm location DELL1700N 255.255.255.255 inside
pdm location 89.146.38.0 255.255.255.0 outside
pdm location MISSPIGGY 255.255.255.255 inside
pdm location XBOX360 255.255.255.255 inside
pdm location 0.0.0.60 255.255.255.255 inside
pdm location ArnhemNet 255.255.255.255 inside
pdm location ROADRUNNER 255.255.255.255 inside
pdm location 192.168.19.128 255.255.255.248 outside
pdm location 192.168.50.48 255.255.255.240 outside
pdm location 192.168.199.0 255.255.255.128 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 ZAXXON 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data GOOFY ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp GOOFY ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www ZAXXON www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 ZAXXON 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp MISSPIGGY smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3074 XBOX360 3074 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 88 XBOX360 88 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3074 XBOX360 3074 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 88 XBOX360 88 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3390 MISSPIGGY 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 MISSPIGGY pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https MISSPIGGY https netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 mjmstudio.nl 1
route inside 10.1.1.0 255.255.255.0 192.168.19.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host ZAXXON ******* timeout 10
http server enable
http 0.0.0.0 0.0.0.0 outside
http ROADRUNNER 255.255.255.255 inside
http ArnhemNet 255.255.255.255 inside
http ArnhemNet 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server MISSPIGGY
vpngroup vpn3000 wins-server MISSPIGGY
vpngroup vpn3000 default-domain mjmstudio.nl
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 89.146.38.0 255.255.255.0 outside
telnet ArnhemNet 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 89.146.38.0 255.255.255.0 outside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:9f0a27d57109652a8d1aaadc9363d88c
pix-ArnhemNet#
LVL 29

Expert Comment

by:Michael Worsham
ID: 20950321
ACL 102 doesn't look right.  Isn't the source network 192.168.19.0/24?

Author Comment

by:mjmatthijssen
ID: 20951056
Yes,

my internal network is 192.168.19.0/24.
LVL 4

Expert Comment

by:aconaway1
ID: 20960005
It looks like your ACL controlling NAT (ACL 102) says to NAT 0 (or not to NAT) traffic from 10.1.1.0/24 to 10.1.2.0/24.  If you're coming from 192.168.19.0/24, you'll need to add that to the ACL so that traffic destined for the VPN pool is not NATted.

access-list 102 permit ip 192.168.19.0 255.255.255.0 10.1.2.0 255.255.255.0

Author Comment

by:mjmatthijssen
ID: 20960217
I changed the rule:
access-list 102 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
to:
access-list 102 permit ip 10.1.1.0 255.255.255.0 192.168.19.0 255.255.255.0

Results:
The VPN with RADIUS works, but no internet or connection to the local network.
LVL 4

Expert Comment

by:aconaway1
ID: 20961625
Here's another culprit:

access-list mjmstudio_splitTunnelAcl permit ip any any

This says to encrypt traffic from any to any and send it over the VPN tunnel.  Assuming you want to get to the 192.168.19.0/24 network only, change it to this.

access-list mjmstudio_splitTunnelAcl permit ip any 192.168.19.0 255.255.255.0

Author Comment

by:mjmatthijssen
ID: 20961687
aconaway1, I would like to access my home network from another location and also be able to access the network where I am located.

So which option will be the best?

Thanks Marco
LVL 4

Expert Comment

by:aconaway1
ID: 20962087
mjm:

If you make the change to mjmstudio_splitTunnelAcl, you'll only send traffic across the VPN if it's destined for 192.168.19.0/24.  Any other traffic will go out the NIC of the machine you're on as if the VPN wasn't even connected.  This is probably the best option for security and ease-of-use.

Author Comment

by:mjmatthijssen
ID: 20962676
aco,
I put in the rule, so I should be able to access my private network. The problem isn't solved yet.

What is working: I am able to make the connection to my PIX, I am able to login with my account (Radius).
But I am not able to access the internet anymore or access the private remote network.
This must be a NAT issue.
I will send over the current config.

Thanks

Author Comment

by:mjmatthijssen
ID: 20962721
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 10htpePS/vtVvnu7 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix-ArnhemNet
domain-name mjmstudio.nl
fixup protocol dns
fixup protocol ftp 20
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.19.4 ROADRUNNER
name 192.168.19.3 ZAXXON
name 192.168.19.10 GOOFY
name 192.168.19.5 ASUS-WL
name 192.168.19.100 DELL1700N
name 192.168.19.2 MISSPIGGY
name 192.168.19.75 XBOX360
name 213.***.***.15 mjmstudio.nl
name 192.168.19.0 ArnhemNet
access-list acl_inside permit ip any any
access-list acl_inside permit tcp any eq telnet any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any interface outside eq 5900
access-list outside_access_in permit tcp any interface outside eq 5800
access-list outside_access_in permit tcp any interface outside eq ftp-data
access-list outside_access_in permit tcp any interface outside eq ftp
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq 18190
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq 88
access-list outside_access_in permit tcp any interface outside eq 3074
access-list outside_access_in permit tcp any interface outside eq 5901
access-list outside_access_in permit tcp any interface outside eq 3390
access-list outside_access_in permit udp any interface outside eq 3074
access-list outside_access_in permit udp any interface outside eq 88
access-list outside_access_in permit tcp any interface outside eq pop3
access-list outside_access_in permit tcp any interface outside eq https
access-list outside permit tcp any interface outside eq 3074
access-list outside permit udp any interface outside eq 3074
access-list outside permit udp any interface outside eq 88
access-list outside permit tcp any interface outside eq pop3
access-list 102 permit ip ArnhemNet 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 permit tcp any eq domain any
access-list 101 permit udp any eq domain any
access-list inbound permit udp any any eq 119
access-list inbound permit tcp any any eq https
access-list inbound permit tcp any any eq nntp
access-list inbound permit tcp any any eq pop3
access-list xboxlive_inbound permit tcp any interface outside eq 3074
access-list xboxlive_inbound permit udp any interface outside eq 3074
access-list xboxlive_inbound permit udp any interface outside eq 88
access-list mjmstudio_splitTunnelAcl permit ip any any
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp retry 4
ip address inside 192.168.19.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm location ZAXXON 255.255.255.255 inside
pdm location GOOFY 255.255.255.255 inside
pdm location ASUS-WL 255.255.255.255 inside
pdm location DELL1700N 255.255.255.255 inside
pdm location 89.146.38.0 255.255.255.0 outside
pdm location MISSPIGGY 255.255.255.255 inside
pdm location XBOX360 255.255.255.255 inside
pdm location 0.0.0.60 255.255.255.255 inside
pdm location ArnhemNet 255.255.255.255 inside
pdm location ROADRUNNER 255.255.255.255 inside
pdm location 192.168.19.128 255.255.255.248 outside
pdm location 192.168.50.48 255.255.255.240 outside
pdm location 192.168.199.0 255.255.255.128 outside
pdm location 10.1.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 ZAXXON 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data GOOFY ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp GOOFY ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www ZAXXON www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 ZAXXON 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp MISSPIGGY smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3074 XBOX360 3074 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 88 XBOX360 88 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3074 XBOX360 3074 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 88 XBOX360 88 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3390 MISSPIGGY 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 MISSPIGGY pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https MISSPIGGY https netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 mjmstudio.nl 1
route inside 10.1.1.0 255.255.255.0 192.168.19.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host ZAXXON ******* timeout 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host ZAXXON ftfrf05 timeout 10
http server enable
http 0.0.0.0 0.0.0.0 outside
http ROADRUNNER 255.255.255.255 inside
http ArnhemNet 255.255.255.255 inside
http ArnhemNet 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
auth-prompt prompt prompt
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server MISSPIGGY
vpngroup vpn3000 wins-server MISSPIGGY
vpngroup vpn3000 default-domain mjmstudio.nl
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 89.146.38.0 255.255.255.0 outside
telnet ArnhemNet 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 89.146.38.0 255.255.255.0 outside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:1075cbe1c50642c495ddd3503ae8f87d
LVL 4

Expert Comment

by:aconaway1
ID: 20962888
It looks like the split tunneling is working, but, since you're serving a DNS server over the VPN and still having problems with it, you're not able to resolve any IP addresses.

Another problem I see is in the NAT.  When you create a VPN connection, you have to tell the PIX not to NAT traffic back to the VPN pool, so add this and see what happens.

access-list NONAT permit ip 192.168.19.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
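The two settings this thread converges on, the split-tunnel ACL and the nat 0 exemption, can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python checker that pulls the relevant lines out of a PIX 6.3 config dump, resolves `name` aliases, and reports when a vpngroup is set up so that a connected client loses its local internet (full tunnel) or cannot reach the LAN (replies PATed instead of exempted). It assumes the documented PIX 6.3 behaviour that the split-tunnel ACL's source networks are what is pushed to the client; the two config strings are constructed from the configs posted above, and the NONAT name is aconaway1's.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")


def parse_pix_config(text: str) -> dict:
    """Pull the VPN-client-relevant lines out of a PIX 6.3 config dump. Only
    'permit ip' ACL entries (any / network mask) are kept; split-tunnel and
    nat 0 lists are built from those."""
    names: Dict[str, str] = {}  # 'name 192.168.19.0 ArnhemNet' aliases
    acls: Dict[str, List[Tuple[Net, Net]]] = {}
    pools: Dict[str, List[Net]] = {}
    groups: Dict[str, Dict[str, str]] = {}
    nat0_acl: Optional[str] = None
    inside_net: Optional[Net] = None

    def operand(t: List[str], i: int) -> Tuple[Optional[Net], int]:
        if t[i] == "any":
            return ANY, i + 1
        try:  # 'addr mask', with 'name' aliases resolved
            return Net(f"{names.get(t[i], t[i])}/{t[i + 1]}", strict=False), i + 2
        except (ValueError, IndexError):
            return None, i

    for line in text.splitlines():
        t = line.split()
        if len(t) == 3 and t[0] == "name":
            names[t[2]] = t[1]
        elif len(t) >= 6 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = operand(t, 4)
            dst = operand(t, i)[0] if src is not None and i < len(t) else None
            if dst is not None:
                acls.setdefault(t[1], []).append((src, dst))
        elif len(t) == 5 and t[:3] == ["ip", "local", "pool"] and "-" in t[4]:
            lo, hi = map(ipaddress.IPv4Address, t[4].split("-"))
            pools[t[3]] = list(ipaddress.summarize_address_range(lo, hi))
        elif len(t) >= 4 and t[0] == "vpngroup":
            groups.setdefault(t[1], {})[t[2]] = t[3]
        elif len(t) == 5 and t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0_acl = t[4]
        elif len(t) == 5 and t[:3] == ["ip", "address", "inside"]:
            inside_net = Net(f"{t[3]}/{t[4]}", strict=False)
    return {"acls": acls, "pools": pools, "groups": groups,
            "nat0_acl": nat0_acl, "inside_net": inside_net}


def check_client_access(cfg: dict, group: str) -> List[str]:
    """Findings for one vpngroup; empty means the client keeps its own internet path and LAN replies enter the tunnel."""
    g = cfg["groups"].get(group)
    if g is None:
        return [f"vpngroup {group}: not configured"]
    inside = cfg["inside_net"] if cfg["inside_net"] is not None else ANY
    pool = cfg["pools"].get(g.get("address-pool", ""), [])
    findings = [] if pool else [f"vpngroup {group}: no usable address-pool"]
    # 1. Split tunnel. PIX 6.3 pushes the ACL's *source* networks to the client as
    #    the only tunnelled destinations; no ACL, or a source of 'any', is a full
    #    tunnel, and the PIX will not turn client web traffic back out again.
    st = g.get("split-tunnel")
    entries = cfg["acls"].get(st, []) if st else []
    if not entries:
        findings.append(f"vpngroup {group}: no split-tunnel ACL with 'permit ip' entries -> full tunnel")
    for src, _ in entries:
        if src == ANY:
            findings.append(f"split-tunnel ACL {st}: source 'any' tunnels all client traffic")
    # 2. NAT exemption. LAN -> pool must be excluded from 'nat (inside) 1', or the
    #    replies are PATed to the outside address and never enter the tunnel.
    nat0 = cfg["acls"].get(cfg["nat0_acl"], []) if cfg["nat0_acl"] else []
    if not nat0:
        findings.append("nat (inside) 0: no access-list with 'permit ip' entries")
    elif not all(any(inside.subnet_of(s) and p.subnet_of(d) for s, d in nat0) for p in pool):
        findings.append(f"nat 0 ACL {cfg['nat0_acl']}: {inside} -> pool is not exempted")
    return findings


# Constructed from the thread's second posted config (the RADIUS variant).
BROKEN = """
ip address inside 192.168.19.1 255.255.255.0
ip local pool ippool 10.1.2.1-10.1.2.254
access-list 102 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list mjmstudio_splitTunnelAcl permit ip any any
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
vpngroup mjmstudio address-pool ippool
vpngroup mjmstudio split-tunnel mjmstudio_splitTunnelAcl
"""

# Same group with the two fixes: a LAN -> pool nat 0 exemption, reused as the split-tunnel list.
FIXED = """
name 192.168.19.0 ArnhemNet
ip address inside 192.168.19.1 255.255.255.0
ip local pool ippool 10.1.2.1-10.1.2.254
access-list NONAT permit ip ArnhemNet 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 split-tunnel NONAT
"""
```

Run `check_client_access(parse_pix_config(BROKEN), "mjmstudio")` to see both findings; the FIXED config returns an empty list.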

Author Comment

by:mjmatthijssen
ID: 20964271
Thanks aco.

I will add it today and keep you posted.

Author Comment

by:mjmatthijssen
ID: 20964336
aco..

Is the rule you sent me OK? Because I thought that it should be this:
access-list NONAT permit ip 192.168.19.0 255.255.255.0 10.1.1.0 255.255.255.0

Little difference: 10.1.2.0 instead of 10.1.1.0
LVL 4

Expert Comment

by:aconaway1
ID: 20965620
Your VPN pool is 10.2.1.0/24, so that's what you need to use.
LVL 4

Expert Comment

by:aconaway1
ID: 20984918
Did that work for you?

Author Comment

by:mjmatthijssen
ID: 20984967
Sorry,

I removed all the settings... got crazy from it. Now I am trying to do it another way, without RADIUS.
And it still doesn't work. I will need to check all the settings of the current config.
Do you want to see the new config?
LVL 4

Expert Comment

by:aconaway1
ID: 20985330
Sure...drop the new config down.

Author Comment

by:mjmatthijssen
ID: 20995454
Hey aco,

Below is the config again.

I have the following situation: the VPN connection does work, but after that there is no internet access, nor access to the local or the remote network. Must be NAT...
Config is as follows:
Broadband connection -> PIX -> Switch -> SBS 2003 server
External IP 213.93...
Internal IP 192.168.19.x

Cisco PIX 501, 2 interfaces (0 and 1)
Switch

Author Comment

by:mjmatthijssen
ID: 20995471

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 10htpePS/vtVvnu7 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix-ArnhemNet
domain-name mjmstudio.nl
fixup protocol dns
fixup protocol ftp 20
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.19.4 ROADRUNNER
name 192.168.19.3 ZAXXON
name 192.168.19.10 GOOFY
name 192.168.19.5 ASUS-WL
name 192.168.19.100 DELL1700N
name 192.168.19.75 XBOX360
name 213.93.172.15 mjmstudio.nl
name 192.168.19.0 ArnhemNet
name 192.168.19.2 GALAXY
name 89.146.38.0 Sprite-IT
access-list acl_inside permit ip any any
access-list acl_inside permit tcp any eq telnet any
access-list outside permit tcp any interface outside eq 3074
access-list outside permit udp any interface outside eq 3074
access-list outside permit udp any interface outside eq 88
access-list outside permit tcp any interface outside eq pop3
access-list 101 permit tcp any eq domain any
access-list 101 permit udp any eq domain any
access-list 101 permit icmp any any
access-list 101 permit tcp any interface outside eq 3389
access-list 101 permit tcp any interface outside eq 5900
access-list 101 permit tcp any interface outside eq 5800
access-list 101 permit tcp any interface outside eq ftp-data
access-list 101 permit tcp any interface outside eq ftp
access-list 101 permit tcp any interface outside eq www
access-list 101 permit tcp any interface outside eq 18190
access-list 101 permit tcp any interface outside eq smtp
access-list 101 permit tcp any interface outside eq 88
access-list 101 permit tcp any interface outside eq 3074
access-list 101 permit tcp any interface outside eq 5901
access-list 101 permit tcp any interface outside eq 3390
access-list 101 permit udp any interface outside eq 3074
access-list 101 permit udp any interface outside eq 88
access-list 101 permit tcp any interface outside eq pop3
access-list 101 permit tcp any interface outside eq https
access-list inbound permit udp any any eq 119
access-list inbound permit tcp any any eq https
access-list inbound permit tcp any any eq nntp
access-list inbound permit tcp any any eq pop3
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp retry 4
ip address inside 192.168.19.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.25
pdm location ZAXXON 255.255.255.255 inside
pdm location GOOFY 255.255.255.255 inside
pdm location ASUS-WL 255.255.255.255 inside
pdm location DELL1700N 255.255.255.255 inside
pdm location Sprite-IT 255.255.255.0 outside
pdm location XBOX360 255.255.255.255 inside
pdm location ArnhemNet 255.255.255.255 inside
pdm location ROADRUNNER 255.255.255.255 inside
pdm location GALAXY 255.255.255.255 inside
pdm location 192.168.200.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 ZAXXON 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data GOOFY ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp GOOFY ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 ZAXXON 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3074 XBOX360 3074 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 88 XBOX360 88 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3074 XBOX360 3074 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 88 XBOX360 88 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3390 GALAXY 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www GALAXY www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https GALAXY https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3391 ROADRUNNER 3389 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 mjmstudio.nl 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host GALAXY ftfrf05 timeout 10
http server enable
http 0.0.0.0 0.0.0.0 outside
http ROADRUNNER 255.255.255.255 inside
http ArnhemNet 255.255.255.255 inside
http ArnhemNet 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup home address-pool ippool
vpngroup home dns-server GALAXY
vpngroup home wins-server GALAXY
vpngroup home default-domain mjmstudio.nl
vpngroup home idle-time 1800
vpngroup home password ********
vpngroup homedns-server idle-time 1800
telnet Sprite-IT 255.255.255.0 outside
telnet ArnhemNet 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh Sprite-IT 255.255.255.0 outside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:c2f20300f2ae8c3b453dc16a59b3f3f9
: end
pix-ArnhemNet#

Author Comment by mjmatthijssen (ID: 20995591)

I added the following rule:

access-list 101 permit ip 10.2.1.0 255.255.255.0 192.168.19.0 255.255.255.0

Accepted Solution by aconaway1 (earned 2000 total points, ID: 20999547)

*  You have access-list 101 as both your NAT0 and your inbound filter.  That's not going to work at all.

*  The line "nat (inside) 0 access-list 101" says what not to NAT and has to be a host- or network-based ACL.  You can't say to permit TCP/80...it has to be all IP from host to host.

Try this:

access-list 102 permit ip 192.168.19.0 255.255.255.0 10.1.2.0 255.255.255.0

nat (inside) 0 access-list 102

*  You've also got an IP pool that's not a subnet boundary which may cause problems in the future.  Not a big deal, but just remember that 10.1.2.26-255 aren't really usable in this setup.

Let's try that and see what happens.

Author Comment by mjmatthijssen (ID: 21007445)

I changed the settings, and will try tomorrow from a remote location to see if it works.

Author Comment by mjmatthijssen (ID: 21036490)

Hi,

I added the following rules and everything is working now.
access-list split-tunnel permit ip ArnhemNet 255.255.255.0 10.1.2.0 255.255.255.0
vpngroup home split-tunnel split-tunnel

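The accepted answer and the asker's final split-tunnel fix both come down to a handful of config statements that have to agree with each other: the nat 0 list must be its own "permit ip" ACL, distinct from the inbound filter, with the inside network as source and the client pool as destination; the pool should sit on a subnet boundary; and the vpngroup needs a split-tunnel ACL or the client pushes its Internet traffic into the tunnel, which a PIX 6.3 will not turn back out of the outside interface. As an added example (not code from this thread or from Cisco), here is a small Python lint that checks a saved PIX 6.3 config for exactly those five mistakes. The two embedded configs are constructed excerpts of the one posted in the question; the 255.255.255.224 masks and the widened pool 10.1.2.1-10.1.2.30 in FIXED_CONFIG are assumptions made for the example, not something the thread settled on.

```python
"""Lint a saved PIX 6.3 config for the nat 0 / split-tunnel mistakes in this
thread.  Added example, standard library only."""
import ipaddress


def _addr(tokens, i, names):
    """Parse one PIX ACL address (any | host X | addr mask) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        host = names.get(tokens[i + 1], tokens[i + 1])
        return ipaddress.ip_network(host + "/32"), i + 2
    addr, mask = names.get(tok, tok), tokens[i + 1]
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse(text):
    """Collect only the statements the checks need."""
    cfg = {"names": {}, "acls": {}, "nat0": {}, "access_group": {},
           "inside": None, "pool": None, "vpngroups": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name" and len(t) >= 3:                    # name <ip> <alias>
            cfg["names"][t[2]] = t[1]
        elif t[0] == "access-list" and len(t) >= 3:
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "nat" and len(t) >= 5 and t[2:4] == ["0", "access-list"]:
            cfg["nat0"][t[1].strip("()")] = t[4]              # interface -> ACL
        elif t[0] == "access-group" and len(t) >= 5:
            cfg["access_group"][t[1]] = t[4]                  # ACL -> interface
        elif t[:3] == ["ip", "address", "inside"] and len(t) >= 5:
            cfg["inside"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"] and len(t) >= 5:
            cfg["pool"] = tuple(t[4].split("-"))              # (first, last)
        elif t[0] == "vpngroup" and len(t) >= 3:
            cfg["vpngroups"].setdefault(t[1], set()).add(t[2])
    return cfg


def enclosing_block(first, last):
    """Smallest subnet containing the whole first-last range."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if hi in net:
            return net


def pool_is_whole_subnet(first, last):
    """True when the pool is exactly a subnet or exactly its host range."""
    net = enclosing_block(first, last)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return (lo, hi) in ((net.network_address, net.broadcast_address),
                        (net.network_address + 1, net.broadcast_address - 1))


def lint(text):
    cfg = parse(text)
    names, out = cfg["names"], []
    for iface, acl in cfg["nat0"].items():
        # 1. NAT exemption and the interface filter must be different ACLs
        if acl in cfg["access_group"]:
            out.append(f"ACL {acl} is both the nat ({iface}) 0 list and the "
                       f"inbound filter on {cfg['access_group'][acl]}")
        for entry in cfg["acls"].get(acl, []):
            # 2. nat 0 entries must be 'permit ip' host/network statements
            if entry[:2] != ["permit", "ip"]:
                out.append(f"nat 0 ACL {acl}: '{' '.join(entry)}' is not a "
                           "'permit ip' host/network entry")
                continue
            src, j = _addr(entry, 2, names)
            dst, _ = _addr(entry, j, names)
            # 3. source must be the inside network, destination the client pool
            if cfg["inside"] and not src.subnet_of(cfg["inside"]):
                out.append(f"nat 0 ACL {acl}: source {src} is not inside {cfg['inside']}")
            if cfg["pool"] and not all(ipaddress.ip_address(a) in dst for a in cfg["pool"]):
                out.append(f"nat 0 ACL {acl}: destination {dst} does not cover "
                           f"pool {cfg['pool'][0]}-{cfg['pool'][1]}")
    # 4. pool ranges should fall on a subnet boundary
    if cfg["pool"] and not pool_is_whole_subnet(*cfg["pool"]):
        out.append(f"pool {cfg['pool'][0]}-{cfg['pool'][1]} is not a whole subnet "
                   f"(enclosing block {enclosing_block(*cfg['pool'])})")
    # 5. no split-tunnel: client tunnels everything, PIX 6.3 cannot hairpin it
    for grp, keys in cfg["vpngroups"].items():
        if "address-pool" in keys and "split-tunnel" not in keys:
            out.append(f"vpngroup {grp}: no split-tunnel ACL, client loses Internet access")
    return out


# Constructed excerpt of the posted config plus the asker's first attempt.
BROKEN_CONFIG = """
name 192.168.19.0 ArnhemNet
access-list 101 permit tcp any interface outside eq pop3
access-list 101 permit tcp any interface outside eq https
access-list 101 permit ip 10.2.1.0 255.255.255.0 192.168.19.0 255.255.255.0
ip address inside 192.168.19.1 255.255.255.0
ip local pool ippool 10.1.2.1-10.1.2.25
nat (inside) 0 access-list 101
access-group 101 in interface outside
vpngroup home address-pool ippool
"""

# Accepted answer's separate nat 0 ACL plus the split-tunnel ACL; the /27 masks
# and the 10.1.2.1-10.1.2.30 pool are assumptions for this example.
FIXED_CONFIG = """
name 192.168.19.0 ArnhemNet
access-list 101 permit tcp any interface outside eq pop3
access-list 102 permit ip ArnhemNet 255.255.255.0 10.1.2.0 255.255.255.224
access-list split-tunnel permit ip ArnhemNet 255.255.255.0 10.1.2.0 255.255.255.224
ip address inside 192.168.19.1 255.255.255.0
ip local pool ippool 10.1.2.1-10.1.2.30
nat (inside) 0 access-list 102
access-group 101 in interface outside
vpngroup home address-pool ippool
vpngroup home split-tunnel split-tunnel
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "->", "\n  ".join([f"{len(lint(text))} finding(s)"] + lint(text)))
```

Run as a script it reports seven findings for the broken excerpt (the shared ACL, the two TCP entries, the 10.2.1.0 source that is neither the inside network nor the pool, the destination that misses the pool, the off-boundary pool, and the missing split-tunnel) and none for the fixed one. It deliberately checks only what this thread is about; the posted config also permits http and ssh management from any outside address, leaves the SNMP community at public, and still offers single DES with MD5 for ISAKMP policy 10 and the myset transform set, which a separate review should cover.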
Expert Comment by aconaway1 (ID: 21036682)

I received an email saying that this question will be closed and the points refunded.  I completely object to this since I put in several comments and gave a working solution twice since the asker decided to start over from scratch.