Strange problem with Pix and vpn

[cbeazley]

I seem to have acl problems with my pix. I have a vpn tunnel from pix to at 2600 router which works fine but my network behind the pix can't surf the internet. The problem is I need to set a nat rule to proxy all internal addresses though the external interface but due to my vpn it won't allow it. When I tried setting up an alternate valide ip to proxy through it just killed my vpn.

Anyone have any ideas ?

 

[iiiiss]

Did you try the split-tunnel command ???

 

[cbeazley]

Split-tunnel ??

Uh no. Never tried this. Will this kill my existing tunnel. The tricky thing is that this pix is in a remote site so if it goes down I'm off in a taxi.

I'll research this split-tunnel command.

Thanks for the info.

 

[yizhar]

HI.

You probably need to redefine the "nat 0 access-list" related statements.

> if it goes down I'm off in a taxi.
When playing with VPN configuration, there is a high chance of getting kicked out while in progress.
So-
PlanA: take the taxi in advance and visit the remote site.
PlanB: Don't save the configuration while you modify it, and make sure that someone at the remote site is able to reboot the pix for you if you loose it.

Here are some options for you:
* Post your current config and more details here.
* Compare your configuration to some sample configurations from Cisco web site:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/

http://www.cisco.com/warp/public/110/39.html

http://www.cisco.com/warp/public/471/top_issues/vpn/pixvpn_index.shtml

* Use pixcript (from my site), to generate a sample VPN config. Compare the generated config to yours and manualy adjust your configuration as needed (but do not copy & paste the generated config as you might loose control).

http://teachers.sivan.co.il/yizhar#pixcript

The split-tunnel option is for remote access VPN (client to pix), and not for site to site (pix to router) VPN.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar