(No xlate) problem

Status
Not open for further replies.

rbelt

MIS
May 9, 2003
49
US
pix 501 with VPN set up (internal pool @ 192.168.222.1/24)

Every time I remotely connect to the network via the PIX (PPTP), I lose internet access and start seeing these errors in the syslog...

2003-07-03 02:57:16 Local4.Error 10.10.10.1 Jul 03 2003 02:57:16: %PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.222.1/1148 dst outside:63.xxx.yyy.zzz/53

What do I need to do to allow my remotely connected station to get out to the internet when attached to the PIX, and also stop these (e.g. DNS) errors?

thanks much!

//RB
 
Just wanted to ping this question again to see if anyone had a thought...

//RB
 
I'm not a PIX guru. But it sounds like you need split tunnel enabled.
Something like this:
vpngroup vpncourts split-tunnel 100
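To fill in the pieces the split-tunnel line above refers to, here is an added PIX 6.x configuration example (not from any of the posts in this thread; the inside network 10.10.10.0/24, the pool name and the DNS placeholder are assumptions): ACL 100 names the only destinations that go through the tunnel, and the same ACL exempts that traffic from NAT, so the client's DNS and web traffic to the internet leaves the client directly instead of arriving on the PIX's outside interface with no translation.

```cisco
: Assumed inside LAN 10.10.10.0/24 and pool name "vpnpool" (not stated in the thread)
ip local pool vpnpool 192.168.222.1-192.168.222.254

: ACL 100: only traffic between the inside LAN and the VPN pool belongs in the tunnel
access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.222.0 255.255.255.0

: Identity NAT: do not translate traffic that matches the tunnel ACL
nat (inside) 0 access-list 100

: Hand the pool and the split-tunnel ACL to the VPN group named in the reply above
vpngroup vpncourts address-pool vpnpool
vpngroup vpncourts split-tunnel 100
vpngroup vpncourts dns-server <internal-dns-ip-placeholder>
vpngroup vpncourts password <group-password-placeholder>
```

Note the trade-off: a split-tunnel client is on the internet and inside the tunnel at the same time, so its own patching and host firewall matter more. Sending everything through the tunnel instead would need the PIX to turn outside-to-outside traffic back around, which PIX 6.x does not do, and the %PIX-3-106011 "outside ... dst outside" message in the first post is exactly that drop.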

 
HI.

> But sounds like you need split tunnel enabled.
I agree.
But to use split-tunnel, you'll need to switch from the limited PPTP connection to the Cisco VPN client - this requires reconfiguration of the PIX, and obtaining + installing the software on the client.



Yizhar Hurwitz
 
Thanks for the information --

I've got to say though, the more I work with PIX firewalls, the more I'm convinced that there are better products available. Yes, PIX has flexibility, but most clients (e.g. clients that are spending <$500 for a firewall) don't need fancy stuff. I also understand that the Cisco VPN client is good and much more secure than PPTP, but to force users to purchase this client to properly establish VPN into the box is ridiculous. I've got many other clients out there using many different solutions and they all can punch back out to the internet from their assigned VPN address...

I'm going to try the VPN client, but it's not a good solution here cause I've got client workstations/laptops in the field that change frequently, and to have to buy a license to allow a short-term connection is asinine! I may just have to punch GRE and 1723 through and just use a Windows box for this... which is a shame cause I like Cisco gear for the most part. Anyhow, sorry to rant...

Thanks again for the pointer! You guys obviously know your PIX!

\\RB
 
HI.

> but to force users to purchase this client to properly establish vpn into the box is ridiculous
I'm not sure about this - but as far as I know the VPN client is either free, or requires a one-time purchase of about 50 bucks (for an unlimited number of remote clients), so anyway the purchase is not the issue here.

> I may just have to punch gre and 1723 through and just use a windows box for this... which is a shame
It is not a shame - if you're going to use PPTP, it will work better with MS RRAS as the VPN server instead of the pix.
(But I still recommend using Cisco IPSec VPN + XAUTH).



Yizhar Hurwitz
 
I was trying to set up eDonkey through my PIX with PAT and was getting the same problem.

I did my static maps and my access list,
but was getting the (No xlate) message.

I then checked the inbound access list and saw that I had source ports set to a specific port. Changed it to any >1023 and bingo.

So I suggest you check your access lists.
 