Can't access Internet over VPN tunnel 1

[ClimbingColorado]

Hello,

I have a Cisco Pix 501 at home configured for VPN access. Using the Cisco VPN client software, I can connect to my home network and access resources behind my Pix. However, I can't reach the Internet from my VPN client. Looking at my Pix logs, I see the following error messages:

Dec 31 16:23:54 192.168.1.1 Dec 31 2010 16:24:04: %PIX-6-110001: No route to 8.8.4.4 from 172.16.0.1
Dec 31 16:24:07 192.168.1.1 Dec 31 2010 16:24:16: %PIX-6-110001: No route to 8.8.8.8 from 172.16.0.1

The 172.16.0.1 is my VPN client and the 8.8.8.8 and 8.8.4.4 are Google DNS servers.

Systems on my home network are able to access the Internet (That's how I'm posting this question).

This VPN configuration was created using the PDM VPN Wizard GUI. Any thoughts on how to fix this?

Thanks,

Rob

Pix 501
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

VPN Client
Windows 7 32bit
Cisco VPN Client SW Version 5.0.07.0290-k9

 

[intelwizrd]

Configure your VPN settings to allow split-tunnel and only tunnel traffic to hosts behind the firewall. all other traffic will just go to the internet as if you were not connected. Other option is to set up a proxy behind your firewall and use it while connected.

I don't think that PIX version supports hairpining which is what you need to tunnel all traffic and still be able to access the internet without either of those options.

 

[ClimbingColorado]

Hello Intelwizard,

When I configure split-tunnel, I can surf the Internet locally and still access my home LAN. That's not what I'm trying to do though. When I travel overseas, some Internet content is blocked because of where I'm located (for reasons similar to the DVD zone concept). If I can send all of my internet traffic to my house in the US, I should be able to access all of the same content I would from home. This could also be useful for privacy reasons when surfing over public Internet connections like hotels and coffee shops.

How could I verify if this capability is supported?

Thanks,

Rob

 

[intelwizrd]

As far as I am aware, that version of code (6.x) on a PIX will not support hairpining, it isn't supported until version 7.x. Also, I don't think 7.x will run on a 501 box. Your best bet is to set up a proxy on a machine behind your firewall, or replace the unit with an ASA or PIX that runs 7.x or later.

 

[ClimbingColorado]

Hello Intelwizard,

So, if it's not supported over remote VPN do you know if it would work in a site-to-site configuration? I purchased a second Pix 501 about a month ago. Unfortunately, I only have the one internet connection at home so I havn't tested the site-to-site config. Adding my second Pix to someone else's Internet connection could be problematic...

Thanks,

Rob

 

[intelwizrd]

The problem is not isolated to just a remote access configuration. It is an inability to allow traffic back out the same interface it just came through. If you had two external interfaces, you could VPN into one and go out to the internet on the other. this would require two IPs from your ISP though. any scenario where the VPN connection terminated behind the firewall or where your packets were terminating behind the firewall (on a proxy server) would allow you to access the internet without split-tunnel. The site-to-site over the same link as your ISP connection will most likely yield the same results.

Look at some proxy software you could set up on your Windows 7 box, I know there are quite a few good and free options for a linux box.

 

[xdeq]

Hello ClimbingColorado,
I think tonight I was trying to do exactly same thing.
Use PIX to sent all traffic from VPN client through external interface and using NAT.
I had problems and found this post.
I also have second PIX and also no luck.

Sounds like intelwizrd might be right about "hairpinning vpn"

I remember some examples where VPN tunnel was teminated on inside interface. Can that help ?

In the past I had LINUX begind PIX. I was tunneling VNC.
like in this example.

http://nodivisions.com/tech/vnc/

Let me know if you have found the way,
regards.

 

[ClimbingColorado]

Hello,

The Pix is really old. From all the research I've done, the Pix does not support "hairpinning". You need the newer ASA 5505 to get that feature (~$250 on eBay). I bought my Pix 501 for $20 on eBay so I'm not complaining.

I've had several people recommend using my Linksys WRT54G (running DD-WRT) or Astaro as my VPN/Firewall device. I haven't tried either for this purpose though.

The way I've heard of people getting around this issue with the Pix is forwarding the VPN and terminating it someplace else, like on a Cisco router.

I hope that helps,

Rob

 

[joaott]

I have a PIX 515E in a customer(Hotel) with VPN users(wich i use)+ 2 lan2lan connections (fixed public ip's)+ 1 lan2lan (dynamic ip-3Gpen connect to a Vigor 2700) and i had the same issue.

But its possible to do this in this model typing this CLI cmd:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

in 501 i don´t know...