Site to Site VPN UP - Cannot access Internet

Greetings -
I have a Site to Site VPN connection currently up between a remote Cisco Pix 506E and a Cisco 2811.
The VPN works great, however, I cannot access the internet from remote PC's behind the Cisco PIX.
The PIX is on a 3rd party's VLAN and they have assigned us a public IP address which I am using as the outside interface on the PIX which is also the VPN peer for the 2811. The default gateway is

I can ping internet IP addresses from the CMD line on the PIX (yahoo, google) successfully.

Here is the config on the PIX.
Addresses have been changed and I have cut telnet and ssh lines, those work fine.

All help is appreciated

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx encrypted

passwd xxx encrypted

hostname AgilityPIX


fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

no fixup protocol sip 5060

no fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

<--- More --->

access-list INT-TRAFFIC permit ip

access-list INTERNET permit ip any

access-list INTERNETOUT permit ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

nat (inside) 0 access-list INT-TRAFFIC

access-group INTERNETOUT in interface outside

access-group INTERNET in interface inside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

<--- More --->
aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

no snmp-server location

no snmp-server contact

snmp-server community N0n3*

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac

crypto map VPN 2 ipsec-isakmp

crypto map VPN 2 match address INT-TRAFFIC

crypto map VPN 2 set peer xxx

crypto map VPN 2 set transform-set ESP-AES128-SHA

crypto map VPN interface outside

isakmp enable outside

isakmp key XXXX address XXX netmask

isakmp policy 2 authentication pre-share

isakmp policy 2 encryption aes

isakmp policy 2 hash sha

isakmp policy 2 group 2

<--- More --->
isakmp policy 2 lifetime 86400

console timeout 0

terminal width 80


: end

Who is Participating?
MikeKaneConnect With a Mentor Commented:
When internal users want to get out to the internet from behind the PIX, it looks like you have them nonating:

access-list INT-TRAFFIC permit ip
nat (inside) 0 access-list INT-TRAFFIC

This will allow all traffic from inside to go only on the outside without translation

From the looks of it, all you are missing is a global command for NAT/PAT and the NAT command itself.  Something like

global (outside) 1 interface
nat (inside) 1

prsbyrdAuthor Commented:
Thank you! This works perfectly!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.