WendellUrth


PIX 501 VPN remote access - cannot reach internet / dns

Hi all,
I have a CISCO pix 501 setup at the office to provide firewall and VPN. Internet connection is working fine from Office -> Pix -> Internet.

I have been through the VPN wizard to enable remote access and enabled NAT traversal. This allows me to ping and remote desktop to hosts in my office, from home.

A number of our servers in datacenters are locked down to only allow connections from certain IPs - in this case the external address of the Pix 501 at our office. I need to be able to VPN from home and then access these servers securely. Therefore these servers must be accessed from the external IP address of the pix.

With the configuration below I CAN access internal hosts when VPN'd into the office, but I cannot browse the internet or ping hosts on the internet when VPN'd into the office.

Can someone be kind enough to advise me how I can configure this? Split tunnelling would not suffice as the traffic would not be coming from the office network!

I have more public ip addresses available if that would assist the configuration.

I have included my firewall config below with any company specific details, public IPs and passwords hashed out.

I have included my IP config output once connected to the VPN if that helps!!
ip local pool xxxxxx_VPN 192.168.10.10-192.168.10.20
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xx.xxx.149.89 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL 
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup xxxxxx address-pool xxxxxx_VPN
vpngroup xxxxxx dns-server xx.xxx.230.10 xx.xxx.231.8
vpngroup xxxxxx idle-time 1800
vpngroup xxxxxx password xxxxxxx
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.2-10.0.0.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username testuser password xxxxxxxxxx encrypted privilege 15
terminal width 80
My ip config output:
 
 
Windows IP Configuration
 
        Host Name . . . . . . . . . . . . : xxxxxx
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Mixed
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
 
PPP adapter T-Mobile:
 
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.35.180.90
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 10.35.180.90
        DNS Servers . . . . . . . . . . . : 149.254.192.126
                                            149.254.201.126
        Primary WINS Server . . . . . . . : 10.11.12.13
        Secondary WINS Server . . . . . . : 10.11.12.14
        NetBIOS over Tcpip. . . . . . . . : Disabled
 
Ethernet adapter PUBLIC:
 
        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection
        Physical Address. . . . . . . . . : 00-13-72-1B-1B-24
 
Ethernet adapter Local Area Connection:
 
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Cisco Systems VPN Adapter
        Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.10.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.10
        DNS Servers . . . . . . . . . . . : xx.xxx.xxx.10
                                            xx.xxx.xxx.8


Tags: Software Firewalls, VPN, Cisco

Member_2_2473503

Are you using the CISCO VPN client at home?  If you are, you need to enable split tunneling if you want to browse the internet when you are connected to the VPN.  This can be done from the connection settings in your client.

eb
WendellUrth

ASKER

Hi ebjers,

I am using the CISCO VPN client at home. I need the internet browsing and ssh client traffic to be routed over the VPN and out the pix in the office, so that the IP address it originates from is that of the outside interface of the pix in the office. The servers I am browsing / ssh-ing to are secured by IP address. Communicating with them will need to be done from a particular known IP address(es).

Split tunneling I believe would mean that the traffic would be unencrypted and would come from the source address of my ADSL home connection?

Any thoughts?

Thanks..
If the traffic comes through the VPN it is going to appear that it is coming from an inside IP address; you cannot make it look like it's coming from your outside IP address without some kind of IP spoofing.

eb
WendellUrth

ASKER

Hi eb,

Thanks, maybe I have not worded my question correctly, or maybe it is indeed not possible. Simply put, I would like all my traffic (once connected to the VPN) to be encrypted.

Once I am connected to the VPN I would be expecting to be able to:

1. ping an internal host
2. ping google.co.uk (the traffic leaving via my VPN connection and leaving the outside interface of the pix for the internet)

Essentially, once connected to the VPN, I would like to open up the following page:

http://www.whatsmyip.org/

and see the IP displayed as the outside interface of my pix, NOT the dynamically assigned IP address that my home ADSL connection has given me!

Does that make anything clearer? Is this possible?
Then you need to make sure your VPN is configured to route traffic out of your network.
WendellUrth

ASKER

That is what I was hoping!

Any chance of some relevant command / config to perform this? I am pretty green when it comes to networking (my attached config should show you how I have this set up)!

Thanks for your patience!
WendellUrth

ASKER

Also, if this can only be done with more than one pix, please let me know as I have another one to hand!!

Thanks
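As an added example (not from this thread, Cisco, or the accepted solution), a small Python audit of the config posted above: it checks whether any nat statement on the interface the VPN clients arrive on covers the client address pool, which is what translating tunnelled client traffic to the pix outside address would require, and flags the well-known SNMP community string. The config excerpt is constructed from the posted lines with their masked values kept; the `nat (outside) ... outside` line in the test variant is assumed PIX 6.2+ outside-NAT syntax, and whether a PIX 501 can send traffic back out the interface it arrived on is a separate platform question the check does not decide.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the PIX config posted in the question (masked values kept as posted).
PIX_CONFIG = """\
ip local pool xxxxxx_VPN 192.168.10.10-192.168.10.20
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
snmp-server community public
vpngroup xxxxxx address-pool xxxxxx_VPN
vpngroup xxxxxx dns-server xx.xxx.230.10 xx.xxx.231.8
"""

def audit_vpn_egress(config, client_iface="outside"):
    """Report whether the VPN client pool has a NAT rule on the interface it arrives on."""
    pools, nats, findings, pool_name, dns = {}, [], [], None, []
    for line in config.splitlines():
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m[1]] = (ip_address(m[2]), ip_address(m[3]))
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line):
            if m[3] != "access-list":   # 'nat 0 access-list' is NAT exemption, carries no subnet
                nats.append((m[1], int(m[2]), ip_network(f"{m[3]}/{m[4]}", strict=False)))
        elif m := re.match(r"vpngroup \S+ address-pool (\S+)", line):
            pool_name = m[1]
        elif m := re.match(r"vpngroup \S+ dns-server (.+)", line):
            dns = m[1].split()          # pushed to clients; queries travel inside the tunnel
        elif m := re.match(r"snmp-server community (\S+)", line):
            if m[1] in ("public", "private"):
                findings.append(f"SNMP community '{m[1]}' is a well-known default; change or remove it")
    if pool_name not in pools:
        findings.append("vpngroup references no defined address pool")
        return {"pool": None, "outside_nat_for_pool": False, "dns_servers": dns, "findings": findings}
    lo, hi = pools[pool_name]
    # The pool addresses enter on the client interface, so only nat rules on that interface apply.
    covering = [n for n in nats if n[0] == client_iface and lo in n[2] and hi in n[2]]
    if not covering:
        findings.append(f"no 'nat ({client_iface})' statement covers pool {lo}-{hi}; "
                        "tunnelled client traffic has no translation to the outside address")
    if dns:
        findings.append(f"pushed DNS servers {dns} are reached through the tunnel and need the same egress path")
    return {"pool": (str(lo), str(hi)), "outside_nat_for_pool": bool(covering),
            "dns_servers": dns, "findings": findings}

if __name__ == "__main__":
    for f in audit_vpn_egress(PIX_CONFIG)["findings"]:
        print("-", f)
```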
ASKER CERTIFIED SOLUTION
WendellUrth
