Site to Site VPN UP - Cannot access Internet

Posted on 2009-07-14
Last Modified: 2012-05-07
Greetings -
I have a Site to Site VPN connection currently up between a remote Cisco Pix 506E and a Cisco 2811.
The VPN works great, however, I cannot access the internet from remote PC's behind the Cisco PIX.
The PIX is on a 3rd party's VLAN and they have assigned us a public IP address which I am using as the outside interface on the PIX which is also the VPN peer for the 2811. The default gateway is

I can ping internet IP addresses from the CMD line on the PIX (yahoo, google) successfully.

Here is the config on the PIX.
Addresses have been changed and I have cut telnet and ssh lines, those work fine.

All help is appreciated

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx encrypted

passwd xxx encrypted

hostname AgilityPIX


fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

no fixup protocol sip 5060

no fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

<--- More --->

access-list INT-TRAFFIC permit ip

access-list INTERNET permit ip any

access-list INTERNETOUT permit ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

nat (inside) 0 access-list INT-TRAFFIC

access-group INTERNETOUT in interface outside

access-group INTERNET in interface inside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

<--- More --->
aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

no snmp-server location

no snmp-server contact

snmp-server community N0n3*

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac

crypto map VPN 2 ipsec-isakmp

crypto map VPN 2 match address INT-TRAFFIC

crypto map VPN 2 set peer xxx

crypto map VPN 2 set transform-set ESP-AES128-SHA

crypto map VPN interface outside

isakmp enable outside

isakmp key XXXX address XXX netmask

isakmp policy 2 authentication pre-share

isakmp policy 2 encryption aes

isakmp policy 2 hash sha

isakmp policy 2 group 2

<--- More --->
isakmp policy 2 lifetime 86400

console timeout 0

terminal width 80


: end

Question by:prsbyrd
LVL 33

Accepted Solution

MikeKane earned 500 total points
ID: 24853547
When internal users want to get out to the internet from behind the PIX, it looks like you have them nonating:

access-list INT-TRAFFIC permit ip
nat (inside) 0 access-list INT-TRAFFIC

This will allow all traffic from inside to go only on the outside without translation

From the looks of it, all you are missing is a global command for NAT/PAT and the NAT command itself.  Something like

global (outside) 1 interface
nat (inside) 1


Author Closing Comment

ID: 31603421
Thank you! This works perfectly!

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question