Site to Site VPN UP - Cannot access Internet

Posted on 2009-07-14
Last Modified: 2012-05-07
Greetings -
I have a Site to Site VPN connection currently up between a remote Cisco Pix 506E and a Cisco 2811.
The VPN works great, however, I cannot access the internet from remote PC's behind the Cisco PIX.
The PIX is on a 3rd party's VLAN and they have assigned us a public IP address which I am using as the outside interface on the PIX which is also the VPN peer for the 2811. The default gateway is

I can ping internet IP addresses from the CMD line on the PIX (yahoo, google) successfully.

Here is the config on the PIX.
Addresses have been changed and I have cut telnet and ssh lines, those work fine.

All help is appreciated

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx encrypted

passwd xxx encrypted

hostname AgilityPIX


fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

no fixup protocol sip 5060

no fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

<--- More --->

access-list INT-TRAFFIC permit ip

access-list INTERNET permit ip any

access-list INTERNETOUT permit ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

nat (inside) 0 access-list INT-TRAFFIC

access-group INTERNETOUT in interface outside

access-group INTERNET in interface inside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

<--- More --->
aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

no snmp-server location

no snmp-server contact

snmp-server community N0n3*

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac

crypto map VPN 2 ipsec-isakmp

crypto map VPN 2 match address INT-TRAFFIC

crypto map VPN 2 set peer xxx

crypto map VPN 2 set transform-set ESP-AES128-SHA

crypto map VPN interface outside

isakmp enable outside

isakmp key XXXX address XXX netmask

isakmp policy 2 authentication pre-share

isakmp policy 2 encryption aes

isakmp policy 2 hash sha

isakmp policy 2 group 2

<--- More --->
isakmp policy 2 lifetime 86400

console timeout 0

terminal width 80


: end

Question by:prsbyrd
LVL 33

Accepted Solution

MikeKane earned 500 total points
ID: 24853547
When internal users want to get out to the internet from behind the PIX, it looks like you have them nonating:

access-list INT-TRAFFIC permit ip
nat (inside) 0 access-list INT-TRAFFIC

This will allow all traffic from inside to go only on the outside without translation

From the looks of it, all you are missing is a global command for NAT/PAT and the NAT command itself.  Something like

global (outside) 1 interface
nat (inside) 1


Author Closing Comment

ID: 31603421
Thank you! This works perfectly!

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you connect to your workplace's VPN, you may not notice that you are using your workplace's servers to serve up webpages.  This might be undesirable since the workplace can log all the places you've been.  It also might be very slow to load pag…
Juniper VPN devices are a popular alternative to using Cisco products. Last year I needed to set up an international site-to-site VPN over the Internet, but the client had high security requirements -- FIPS 140. What and Why of FIPS 140 Federa…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now