
Access internet through VPN on PIX 515

Status
Not open for further replies.

oshill (MIS), US, Dec 4, 2003
I have it set up so that my XP PC at home accesses the VPN at work through the PIX 515 with Ver. 6.3(3) loaded. I used the VPN Wizard in PDM. The problem I have is that there are a few sites we access that we need to be on our network at work to get to. I can do everything at home except access the internet. If I tell it not to use the remote gateway, the internet comes back, but I need to go through the gateway at work for access.

Anyone have any advice?
 
You need to create a split tunnel on the Cisco PIX. Quoted from:
How to setup split-tunnel on Cisco PIX

To set up VPN for Cisco VPN clients on a Cisco PIX, you add the following lines:
access-list split permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
ip local pool bigpool 192.168.1.1-192.168.1.254
vpngroup vpn3000 address-pool bigpool
vpngroup vpn3000 dns-server yourdns
vpngroup vpn3000 wins-server yourwins
vpngroup vpn3000 default-domain cisco.com
vpngroup vpn3000 split-tunnel split
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********


Robert Lin, MS-MVP, MCSE & CNE
Windows, Network and How to at
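As an added example (not code from this thread or from Robert Lin's article), the Python below models how the PIX evaluates the split-tunnel ACL quoted above for a connected VPN client, and checks that every address of the local pool is actually covered by it; the ACL and pool values are the ones from the reply, the client and destination addresses are constructed.

```python
import ipaddress

# Added example (not from the thread): a model of how a PIX 6.x applies a
# split-tunnel ACL ("vpngroup <name> split-tunnel <acl>"). Each "permit ip
# <net> <mask> <net> <mask>" entry names the protected network (source) and
# the VPN client pool (destination). Matching client traffic goes through the
# tunnel; everything else leaves the client's local internet link in the clear.
# PIX ACLs use real subnet masks, not wildcards, and match on first hit.

# Constructed sample: the ACL and pool from Robert Lin's reply above.
SPLIT_ACL = """
access-list split permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
"""
POOL = ("192.168.1.1", "192.168.1.254")  # ip local pool bigpool

def parse_acl(text, name):
    """Return [(action, protected_net, client_net)] for the 'ip' lines of one ACL."""
    entries = []
    for line in text.splitlines():
        p = line.split()
        if len(p) != 8 or p[0] != "access-list" or p[1] != name or p[3] != "ip":
            continue
        src = ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False)
        dst = ipaddress.ip_network(f"{p[6]}/{p[7]}", strict=False)
        entries.append((p[2], src, dst))
    return entries

def route_decision(entries, client_ip, dst_ip):
    """'tunnel' if the client's packet to dst_ip matches a permit entry, else 'direct'."""
    client = ipaddress.ip_address(client_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, protected, pool in entries:
        # Seen from the client the entry is mirrored: the client address must
        # fall in the ACL destination, the target address in the ACL source.
        if client in pool and dst in protected:
            return "tunnel" if action == "permit" else "direct"
    return "direct"

def pool_covered(entries, first, last):
    """True when every address of the local pool lies inside some permit entry's
    client network; an uncovered pool address would tunnel nothing at all."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    for n in range(lo, hi + 1):
        addr = ipaddress.ip_address(n)
        if not any(a == "permit" and addr in pool for a, _, pool in entries):
            return False
    return True
```

Run pool_covered against your own "ip local pool" range whenever you change the split ACL; a pool that the ACL does not cover is the usual reason a client connects fine but reaches nothing inside.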
 
The PIX will not let me add those commands because of other commands in the PIX. I need to be able to set up W2K to VPN into our net without using the Cisco Systems VPN Client. Can this be done and let the W2K PC use the company's internet?

As it is right now everything but the internet works from the remote location.

Here is my current config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2Qc0jqIOMlk.A6uf encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
domain-name oshill.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 150 permit icmp any host *.*.*.* echo-reply
access-list 150 permit icmp any host *.*.*.* source-quench
access-list 150 permit icmp any host *.*.*.* unreachable
access-list 150 permit icmp any host *.*.*.* time-exceeded
access-list 150 permit tcp host *.*.*.* host *.*.*.* eq ftp
access-list 150 permit tcp host *.*.*.* host *.*.*.* eq telnet
access-list 150 permit tcp host *.*.*.* host *.*.*.* eq ftp
access-list 150 permit tcp host *.*.*.* host *.*.*.* eq telnet
access-list 150 permit tcp host *.*.*.* host *.*.*.* eq ftp
access-list 150 permit tcp host *.*.*.* host *.*.*.* eq telnet
access-list 101 permit ip 10.16.21.0 255.255.255.0 *.*.*.* 255.255.0.0
access-list 101 permit ip 10.16.20.0 255.255.255.0 *.*.*.* 255.255.0.0
access-list 101 permit ip 10.16.19.0 255.255.255.0 *.*.*.* 255.255.0.0
access-list 101 permit ip 10.16.67.0 255.255.255.0 *.*.*.* 255.255.0.0
access-list inside_access_in permit ip any any
access-list nonat permit ip 10.16.21.0 255.255.255.0 *.*.*.* 255.255.0.0
access-list nonat permit ip 10.16.20.0 255.255.255.0 *.*.*.* 255.255.0.0
access-list nonat permit ip 10.16.19.0 255.255.255.0 *.*.*.* 255.255.0.0
access-list nonat permit ip 10.16.67.0 255.255.255.0 *.*.*.* 255.255.0.0
access-list nonat permit ip any 10.16.21.96 255.255.255.248
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.* 255.255.255.224
ip address inside 10.16.21.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 10.16.21.99-10.16.21.102
pdm location *.*.*.* 255.255.0.0 outside
pdm location 10.16.19.0 255.255.255.0 inside
pdm location 10.16.20.0 255.255.255.0 inside
pdm location 10.16.21.3 255.255.255.255 inside
pdm location 10.16.21.66 255.255.255.255 inside
pdm location 10.16.21.71 255.255.255.255 inside
pdm location 10.16.21.84 255.255.255.255 inside
pdm location 10.16.67.10 255.255.255.255 inside
pdm location 10.16.67.0 255.255.255.0 inside
pdm location *.*.*.* 255.255.255.255 outside
pdm location *.*.*.* 255.255.255.255 outside
pdm location *.*.*.* 255.255.255.255 outside
pdm location *.*.*.* 255.255.255.0 outside
pdm location 10.16.21.96 255.255.255.248 outside
pdm logging debugging 500
pdm history enable
arp timeout 14400
global (outside) 1 *.*.*.*
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) *.*.*.* 10.16.21.3 netmask 255.255.255.255 0 0
access-group 150 in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
route inside 10.16.19.0 255.255.255.0 10.16.21.1 1
route inside 10.16.20.0 255.255.255.0 10.16.21.1 1
route inside 10.16.67.0 255.255.255.0 10.16.21.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http *.*.*.* 255.255.255.0 outside
http 10.16.21.84 255.255.255.255 inside
http 10.16.21.71 255.255.255.255 inside
http 10.16.21.66 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.16.21.66 c:\TFTP-Root
floodguard enable
crypto ipsec transform-set OEM esp-3des esp-sha-hmac
crypto map international 1 ipsec-isakmp
crypto map international 1 match address 101
crypto map international 1 set peer *.*.*.*
crypto map international 1 set transform-set OEM
crypto map international interface outside
isakmp key ******** address *.*.*.* netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 28800
telnet 10.16.21.84 255.255.255.255 inside
telnet 10.16.67.10 255.255.255.255 inside
telnet 10.16.21.66 255.255.255.255 inside
telnet timeout 5
ssh timeout 60
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 128 required
vpdn group PPTP-VPDN-GROUP client configuration address local VPNPool
vpdn group PPTP-VPDN-GROUP client configuration dns *.*.*.* *.*.*.*
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username chris password ********
vpdn enable outside
terminal width 80
Cryptochecksum:8401d6587a5462bf45d88d7af758e1fa
 
I have the same problem: telnet and icmp work fine but no ipsec.

oshill, are you opening too much up? Just a thought.

jb
 