
Cisco VPN client from inside a PIX 515e - connected but cant browse


zainudin

Technical User
Mar 2, 2009
4
MY
Dear all, I am very, very much a newbie to PIX as well as VPN, so I need some help here if someone has time to help.

I am working in a college (branch campus), and the main campus gave me an IP address, a username and password, and Cisco VPN Client 4.8. The purpose of the connection is to access a web-based report (offline/intranet, I guess).

I installed the VPN client on a computer in my network (which is inside a PIX 515E), connected to the given IP with the username and password, and it succeeded (no error). But the problem is, I can't access the web-based report, and I cannot browse other websites either. I further tested by connecting directly to the router, and it connected and was able to browse the report and websites. So there must be some blocking on the PIX which I need to unblock. I can access the PIX but am still learning how to configure it.

I've been reading a lot on the problem and now it puzzles me very badly. Please let me know what info you guys need to help me. I am a complete newbie.

Thank you for the time and effort in helping with my problem.
 
Can you post your scrubbed config?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
fw2# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password q.HdFryHGUaI0F4h encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname fw2
domain-name mmmc
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit ip any any
access-list outside_access_in permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside A.B.C.195 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.2 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 A.B.C.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:429dd4e4cd46d60ba4f1800d161f0e03
: end
fw2#
------------------------------------------------------
This is the config on a backup PIX 515E I am using to try the VPN. With these settings, the VPN from inside can connect to the outside perfectly fine with the username and password they provided, but cannot browse. I'll try to explain a little of what I know about the connection. Here is the ipconfig info after connecting from within the firewall:

-------------------------------------------------------
Windows IP Configuration

Host Name . . . . . . . . . . . . : backup-pc
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
Physical Address. . . . . . . . . : 00-02-E3-4A-F7-0C
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 202.188.0.133
202.188.1.5

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.10.18.2
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 10.10.18.1
DNS Servers . . . . . . . . . . . : 172.16.210.1

C:\Documents and Settings\User>
-----------------------------------------------------------


This one is the ipconfig info on the direct-to-router configuration, which can browse the report. It looks the same to me. I am so new here, hmm.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\User>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : backup-pc
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
Physical Address. . . . . . . . . : 00-02-E3-4A-F7-0C
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : A.B.C.195
Subnet Mask . . . . . . . . . . . : 255.255.255.224
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 202.188.0.133
202.188.1.5

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.10.18.2
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 10.10.18.1
DNS Servers . . . . . . . . . . . : 172.16.210.1

C:\Documents and Settings\User>
 
It looks like it could be a NAT traversal issue. Ask the admin at your main campus to see if they have enabled isakmp nat-traversal.

 
Could also be that there is no default gateway on your LAN?
 
Thanks for the reply.

What puzzles me is how come I can connect fine if I use a direct connection to my router, but when inside the PIX, I can't connect. I can also connect fine from other public IPs; I tested at my home.

I think that my problem is only to allow the Cisco VPN client to get through my PIX and connect, similar to when I am connecting directly, not to set up a VPN from my PIX to the PIX at the main campus. But I am sure that I already allow any IP and any service/port on my test PIX, and still can't browse the report after connecting.

Is there anything else I must configure on the PIX to allow all traffic through it, making it like there is no firewall at all? I want to test that.

As for the gateway, before connecting I did put in the gateway (the PIX's inside IP), but it's gone once connected. Same as when I am connected directly (gateway = the router's fa0/0 IP): it's gone after connecting. But I think it's supposed to be that way, since I can browse fine when connected directly (with no gateway either).

Please help if you guys have been in this problem before, or kindly share with me any other possible problem/solution. I will try all of them, since I have an extra PIX to test on.

Thanks.
 
What puzzles me is how come I can connect fine if I use a direct connection to my router, but when inside the PIX, I can't connect. I can also connect fine from other public IPs; I tested at my home.
If you're behind a device performing NAT (i.e. your PIX), then the tunnel destination needs to allow for NAT traversal in their config.

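An added diagnostic example, not code from the original posts or from Cisco: it reads the two artefacts already pasted in this thread (the Windows `ipconfig /all` output and the PIX `show run`) and puts both replies' reasoning into code. It answers the two questions raised above: does the PIX's inside ACL actually let IKE (UDP/500), NAT-T (UDP/4500) and ESP out at all (the "is there anything else I must configure on the PIX" question), and does the client sit on an RFC 1918 address, meaning a NAT device rewrites its packets and the head-end must have NAT traversal enabled (the `isakmp nat-traversal` advice). The sample inputs are constructed from the thread's values; 203.0.113.195 (a documentation address) stands in for the scrubbed A.B.C.195, and all function names are mine.

```python
"""Diagnose a Cisco VPN client that connects through a PIX but passes no traffic.

Added example for this thread, not code from the original posts or from Cisco.
It reads two artefacts the poster already has: the Windows `ipconfig /all`
output and the PIX `show run` output. The sample inputs are constructed from
the values in the thread; 203.0.113.195 (a documentation address) stands in
for the scrubbed public address A.B.C.195.
"""
import ipaddress
import re

# Flows a remote-access IPsec tunnel needs out through the firewall.
IPSEC_FLOWS = {
    "isakmp": ("udp", 500),   # IKE negotiation
    "nat-t": ("udp", 4500),   # ESP wrapped in UDP once NAT is detected
    "esp": ("esp", None),     # raw ESP (IP protocol 50) when there is no NAT
}

# Private ranges that imply a NAT device between the host and the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def physical_adapter_ip(ipconfig_text):
    """Return the IPv4 address of the first adapter that is not the VPN adapter."""
    description = None
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*Description[ .]*: (.*)", line)
        if m:
            description = m.group(1)
            continue
        m = re.match(r"\s*IP Address[ .]*: (\S+)", line)
        if m and description and "VPN" not in description:
            return ipaddress.ip_address(m.group(1))
    return None


def nat_in_path(ipconfig_text):
    """True when the host's own address is RFC 1918, so the PIX (or any other
    NAT device) rewrites its packets before they reach the VPN head-end."""
    ip = physical_adapter_ip(ipconfig_text)
    return ip is not None and any(ip in net for net in RFC1918)


def pix_outbound_permits(config_text):
    """Report which IPsec flows the ACL bound to the inside interface permits.

    Handles only the 'permit <proto> any any [eq <port>]' shape used in the
    thread's config; narrower entries count as not permitted, which errs on
    the side of flagging the firewall."""
    acl_name = None
    for line in config_text.splitlines():
        m = re.match(r"access-group (\S+) in interface inside", line)
        if m:
            acl_name = m.group(1)
    if acl_name is None:
        # With no ACL bound to the inside interface, the PIX allows outbound
        # (higher- to lower-security) traffic by default.
        return {name: True for name in IPSEC_FLOWS}
    permitted = {name: False for name in IPSEC_FLOWS}
    pattern = re.compile(
        rf"access-list {re.escape(acl_name)} permit (\S+) any any(?: eq (\d+))?$")
    for line in config_text.splitlines():
        m = pattern.match(line.strip())
        if not m:
            continue
        proto, port = m.group(1), m.group(2)
        for name, (want_proto, want_port) in IPSEC_FLOWS.items():
            if proto == "ip":
                permitted[name] = True
            elif proto == want_proto and (port is None or int(port) == want_port):
                permitted[name] = True
    return permitted


def diagnose(ipconfig_text, config_text):
    """Turn both checks into the advice the replies in the thread gave."""
    blocked = sorted(n for n, ok in pix_outbound_permits(config_text).items() if not ok)
    if blocked:
        return "pix-blocks: " + ",".join(blocked)
    if nat_in_path(ipconfig_text):
        return "nat-in-path: head-end must enable NAT traversal (UDP 4500)"
    return "no-nat: raw ESP should flow; look beyond NAT for the cause"


# Constructed from the two ipconfig listings in the thread (abridged).
IPCONFIG_BEHIND_PIX = """\
Ethernet adapter Local Area Connection 2:
   Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
   IP Address. . . . . . . . . . . . : 192.168.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
Ethernet adapter Local Area Connection:
   Description . . . . . . . . . . . : Cisco Systems VPN Adapter
   IP Address. . . . . . . . . . . . : 10.10.18.2
"""
# Direct-to-router case: documentation address in place of the scrubbed A.B.C.195.
IPCONFIG_DIRECT = IPCONFIG_BEHIND_PIX.replace("192.168.1.2", "203.0.113.195")

# Constructed from the thread's PIX config: the inside ACL permits everything.
PIX_PERMIT_ALL = """\
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-group inside_access_in in interface inside
"""
# Constructed tighter variant (TCP only) to show the firewall being the cause.
PIX_TCP_ONLY = """\
access-list inside_access_in permit tcp any any
access-group inside_access_in in interface inside
"""

if __name__ == "__main__":
    print("behind PIX :", diagnose(IPCONFIG_BEHIND_PIX, PIX_PERMIT_ALL))
    print("direct     :", diagnose(IPCONFIG_DIRECT, PIX_PERMIT_ALL))
    print("tcp-only   :", diagnose(IPCONFIG_BEHIND_PIX, PIX_TCP_ONLY))
```

Run against the thread's own config the first case reports `nat-in-path`, which is the point both replies make: the test PIX already permits everything outbound, so the fix is on the head-end side, where NAT traversal has to be enabled so the tunnel's ESP can ride inside UDP/4500 through the PIX's PAT (`global (outside) 10 interface`). The script only says which side to look at; it does not replace checking the head-end's own configuration.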
 
I see, I'll ask that ASAP. Thanks for giving me some leads on my problem.
 