Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Site to Site VPN UP - Cannot access Internet

Posted on 2009-07-14
Medium Priority
Last Modified: 2012-05-07
Greetings -
I have a Site to Site VPN connection currently up between a remote Cisco Pix 506E and a Cisco 2811.
The VPN works great, however, I cannot access the internet from remote PC's behind the Cisco PIX.
The PIX is on a 3rd party's VLAN and they have assigned us a public IP address which I am using as the outside interface on the PIX which is also the VPN peer for the 2811. The default gateway is

I can ping internet IP addresses from the CMD line on the PIX (yahoo, google) successfully.

Here is the config on the PIX.
Addresses have been changed and I have cut telnet and ssh lines, those work fine.

All help is appreciated

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx encrypted

passwd xxx encrypted

hostname AgilityPIX

domain-name eccu.net

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

no fixup protocol sip 5060

no fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

<--- More --->

access-list INT-TRAFFIC permit ip

access-list INTERNET permit ip any

access-list INTERNETOUT permit ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

nat (inside) 0 access-list INT-TRAFFIC

access-group INTERNETOUT in interface outside

access-group INTERNET in interface inside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

<--- More --->
aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

no snmp-server location

no snmp-server contact

snmp-server community N0n3*

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac

crypto map VPN 2 ipsec-isakmp

crypto map VPN 2 match address INT-TRAFFIC

crypto map VPN 2 set peer xxx

crypto map VPN 2 set transform-set ESP-AES128-SHA

crypto map VPN interface outside

isakmp enable outside

isakmp key XXXX address XXX netmask

isakmp policy 2 authentication pre-share

isakmp policy 2 encryption aes

isakmp policy 2 hash sha

isakmp policy 2 group 2

<--- More --->
isakmp policy 2 lifetime 86400

console timeout 0

terminal width 80


: end

Question by:prsbyrd
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 33

Accepted Solution

MikeKane earned 2000 total points
ID: 24853547
When internal users want to get out to the internet from behind the PIX, it looks like you have them nonating:

access-list INT-TRAFFIC permit ip
nat (inside) 0 access-list INT-TRAFFIC

This will allow all traffic from inside to go only on the outside without translation

From the looks of it, all you are missing is a global command for NAT/PAT and the NAT command itself.  Something like

global (outside) 1 interface
nat (inside) 1


Author Closing Comment

ID: 31603421
Thank you! This works perfectly!

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question