Site to Site VPN UP - Cannot access Internet

Posted on 2009-07-14
Last Modified: 2012-05-07
Greetings -
I have a Site to Site VPN connection currently up between a remote Cisco Pix 506E and a Cisco 2811.
The VPN works great, however, I cannot access the internet from remote PC's behind the Cisco PIX.
The PIX is on a 3rd party's VLAN and they have assigned us a public IP address which I am using as the outside interface on the PIX which is also the VPN peer for the 2811. The default gateway is

I can ping internet IP addresses from the CMD line on the PIX (yahoo, google) successfully.

Here is the config on the PIX.
Addresses have been changed and I have cut telnet and ssh lines, those work fine.

All help is appreciated

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx encrypted

passwd xxx encrypted

hostname AgilityPIX


fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

no fixup protocol sip 5060

no fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

<--- More --->

access-list INT-TRAFFIC permit ip

access-list INTERNET permit ip any

access-list INTERNETOUT permit ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

nat (inside) 0 access-list INT-TRAFFIC

access-group INTERNETOUT in interface outside

access-group INTERNET in interface inside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

<--- More --->
aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

no snmp-server location

no snmp-server contact

snmp-server community N0n3*

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac

crypto map VPN 2 ipsec-isakmp

crypto map VPN 2 match address INT-TRAFFIC

crypto map VPN 2 set peer xxx

crypto map VPN 2 set transform-set ESP-AES128-SHA

crypto map VPN interface outside

isakmp enable outside

isakmp key XXXX address XXX netmask

isakmp policy 2 authentication pre-share

isakmp policy 2 encryption aes

isakmp policy 2 hash sha

isakmp policy 2 group 2

<--- More --->
isakmp policy 2 lifetime 86400

console timeout 0

terminal width 80


: end

Question by:prsbyrd
LVL 33

Accepted Solution

MikeKane earned 500 total points
ID: 24853547
When internal users want to get out to the internet from behind the PIX, it looks like you have them nonating:

access-list INT-TRAFFIC permit ip
nat (inside) 0 access-list INT-TRAFFIC

This will allow all traffic from inside to go only on the outside without translation

From the looks of it, all you are missing is a global command for NAT/PAT and the NAT command itself.  Something like

global (outside) 1 interface
nat (inside) 1


Author Closing Comment

ID: 31603421
Thank you! This works perfectly!

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Juniper VPN devices are a popular alternative to using Cisco products. Last year I needed to set up an international site-to-site VPN over the Internet, but the client had high security requirements -- FIPS 140. What and Why of FIPS 140 Federa…
Some of you may have heard that SonicWALL has finally released an app for iOS devices giving us long awaited connectivity for our iPhone's, iPod's, and iPad's. This guide is just a quick rundown on how to get up and running quickly using the app. …
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now