
internet access for "external" lan?


leploep (Technical User), Jul 13, 2002, NL
I have someone on an "external" LAN (128.30.6.2) coming in via a router (192.168.0.80).
He wants access to the Internet through our gateway (192.168.0.1) and also access to some servers in our LAN here.

Well, the access to the servers in our LAN works fine if I add a permanent route on the servers to be accessed:
"route add 128.30.60.2 255.255.255.255 192.168.0.80 -p"

I tried the same for his Internet access on our gateway (Cisco PIX 515).
On the PIX I added the line:
"route inside 128.30.6.2 255.255.255.255 192.168.0.80 1"


So now he can ping the PIX from his machine but still no internet.

I hope someone will have an idea what I am trying to explain here. :)

If you do, and have the solution, I would be very thankful.

Thanks in advance for your time.
 
After quickly looking at your issue, you need to disable split tunneling. This will force the client to use your gateway for Internet access instead of his own. It is also more secure, but it does require more bandwidth. Also, all Internet surfing will be subject to your firewall's rules. So if you block AIM, then we will not be able to use AIM while VPN'd to your network. I believe split tunneling is controlled in your vpngroup statements. Check the documentation for more details.
 
You need a translation on the PIX. Add the following lines:

nat (inside) 9 128.30.6.2 255.255.255.255
global (outside) 9 interface

The default gateway on 128.30.6.2 has to be pointing to the router on his side. The default route on the router has to be pointing to the PIX.
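The reply above amounts to three conditions on the PIX for a host that is not on a directly connected subnet: a return route on the inside interface, a nat statement covering the host, and a global on the outside interface with the same id. As an added example (not part of this thread, and not Cisco code), the following Python audit reads a constructed PIX 6.x-style config fragment built from the lines quoted in the thread and reports which of those conditions is still missing for a given host; the longest-prefix choice among overlapping nat statements is an assumption of the script.

```python
import ipaddress

# Constructed config fragment assembled from the lines quoted in this thread
# (the route added on the PIX plus the nat/global pair from the reply); not a real device dump.
PIX_CONFIG = """\
route inside 128.30.6.2 255.255.255.255 192.168.0.80 1
nat (inside) 1 192.168.0.0 255.255.255.0
nat (inside) 9 128.30.6.2 255.255.255.255
global (outside) 1 interface
global (outside) 9 interface
"""


def parse_pix(config):
    """Extract route, nat and global statements. Returns (routes, nats, globals)."""
    routes, nats, globals_ = [], [], {}
    for line in config.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "route" and len(p) >= 5:      # route <if> <net> <mask> <gateway> [metric]
            routes.append((p[1], ipaddress.ip_network(f"{p[2]}/{p[3]}"), p[4]))
        elif p[0] == "nat" and len(p) >= 5:      # nat (<if>) <id> <net> <mask>
            nats.append((p[1].strip("()"), int(p[2]), ipaddress.ip_network(f"{p[3]}/{p[4]}")))
        elif p[0] == "global" and len(p) >= 4:   # global (<if>) <id> <pool | interface>
            globals_.setdefault(p[1].strip("()"), set()).add(int(p[2]))
    return routes, nats, globals_


def outbound_problems(host, config, inside="inside", outside="outside"):
    """List what still blocks <host> (an inside host that is NOT directly connected)
    from reaching the outside interface: missing return route, missing nat, or a
    nat id with no matching global. An empty list means all three pieces are present."""
    ip = ipaddress.ip_address(host)
    routes, nats, globals_ = parse_pix(config)
    problems = []
    if not any(i == inside and ip in net for i, net, _ in routes):
        problems.append(f"no 'route {inside}' covers {host}: replies would follow the default route")
    # Assumption: the most specific (longest-prefix) nat statement on the inside interface wins.
    matches = [(net.prefixlen, nid) for i, nid, net in nats if i == inside and ip in net]
    if not matches:
        problems.append(f"no 'nat ({inside})' covers {host}: no translation, so the traffic is dropped")
        return problems
    nat_id = max(matches)[1]
    if nat_id not in globals_.get(outside, set()):
        problems.append(f"nat id {nat_id} has no 'global ({outside})' pool")
    return problems
```

Run `outbound_problems("128.30.6.2", PIX_CONFIG)` against the fragment with the nat or global line removed to see which condition the script flags.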
 
themut,

I am having the same problem. I am using Cisco VPN client 4.0.3 to a PIX 515. Everything works fine but the Internet. I cannot stop the remote site from using its gateway. I need to force it to use our gateway. I tried both of the suggestions in this thread and they did not work.

Here is what I have for settings for this VPN Access

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5


isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 86400
vpngroup OSHill address-pool IP_Pool
vpngroup OSHill dns-server 167.6.247.35 167.6.236.33
vpngroup OSHill split-tunnel outside_cryptomap_dyn_20
vpngroup OSHill idle-time 1800
vpngroup OSHill password **************

I also have a VPN set up to international that I can not change their settings are:

crypto ipsec transform-set OEM esp-3des esp-sha-hmac
crypto map international 1 ipsec-isakmp
crypto map international 1 match address 101
crypto map international 1 set peer *.*.*.*
crypto map international 1 set transform-set OEM
crypto map international 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map international interface outside
isakmp enable outside
isakmp key ******** address *.*.*.* netmask 255.255.255.255
isakmp keepalive 200 5
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 28800


Any suggestions as to what is preventing the remote OSHill clients from accessing our Internet?
 
With a VPN connection to the PIX you will not be able to send Internet traffic through the tunnel since the PIX is not able to route packets back on the same interface they arrived. A work around would be to use a proxy server behind the PIX and proxy the VPN users to the Internet. Another option is to end the tunnel at either a router or VPN concentrator instead of the PIX.
 
Leploep correct me if I am wrong but I think you are not using a VPN connection...
 
Yes, Themut, you are absolutely right. I'm not using a VPN.
That's why I called it an external LAN. I don't know the right word for it, if there is one...

But the router that is connecting the external LAN to ours is not managed by me, and the guy doesn't want to change the default route to our PIX. Go figure.... :)

Anyway, thanks a lot for your insight....
