
VPN Connection is working but I can't get to anything on network?

Status
Not open for further replies.

skhoury (IS-IT--Management), Nov 28, 2003, US
Hello all - I am at wit's end with this problem.

Last night I configured a PIX 515 running 6.3.4 for remote access VPN along with integration with IAS for user authentication against Active Directory...

The VPN connection works - i.e., I can connect and authenticate.

However, I can't get access to anything on the network or the internet.

I've tried enabling split-tunneling, but it doesn't work.

Can you folks look at my config to see what I've missed?

Please note, the address range I've assigned to VPN clients is 192.168.49.x

Thanks for any help in advance,

Sam

access-list from-outside-coming-in permit icmp any any time-exceeded
access-list from-outside-coming-in permit icmp any any unreachable
access-list from-outside-coming-in permit tcp any host EXT_SMTP_HOST eq smtp
access-list from-outside-coming-in permit tcp any host EXT_WEBMAIL_HOST eq www
access-list from-outside-coming-in permit tcp any host EXT_WEBMAIL_HOST eq https
access-list from-outside-coming-in permit tcp host EXT_WEB_HOST host EXT_DB_HOST eq 1433
access-list from-outside-coming-in deny ip any any

access-list nbc-in permit ip any any
access-list nbc-in permit icmp any any

access-list no-nat permit ip 192.168.48.0 255.255.255.0 199.x.x.0 255.255.255.0
access-list no-nat permit ip 192.168.48.0 255.255.255.0 137.x.x.0 255.255.255.0
access-list no-nat permit ip 192.168.48.0 255.255.255.0 host 192.168.x.x
access-list no-nat permit ip 192.168.48.0 255.255.255.0 192.168.x.x 255.255.255.252
access-list no-nat permit ip 192.168.48.0 255.255.255.0 192.168.50.0 255.255.255.252
access-list no-nat permit ip 192.168.48.0 255.255.255.0 199.x.x.0 255.255.255.0
access-list no-nat permit ip 192.168.48.0 255.255.255.0 199.x.x.0 255.255.255.0
access-list no-nat permit ip any 192.168.49.0 255.255.255.0
access-list no-nat permit ip 192.168.48.0 255.255.255.0 192.168.49.0 255.255.255.0
access-list split_tunnel_for_vpn permit ip 192.168.48.0 255.255.255.0 192.168.49.0 255.255.255.0

ip local pool VPN_POOL 192.168.49.2-192.168.49.200


nat (inside) 0 access-list no-nat
nat (inside) 1 192.168.48.0 255.255.255.0 0 0
nat (dmz_lan) 1 0.0.0.0 0.0.0.0 0 0

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 192.168.48.1 ****** timeout 5

sysopt connection permit-ipsec
crypto ipsec transform-set VPN_SET esp-aes-256 esp-sha-hmac
crypto dynamic-map VPN_DYNMAP 20 set transform-set VPN_SET
crypto map VPNMAP 20 ipsec-isakmp dynamic VPN_DYNMAP
crypto map VPNMAP client authentication partnerauth
crypto map VPNMAP interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup GROUP_VPN address-pool VPN_POOL
vpngroup GROUP_VPN dns-server 192.168.48.1
vpngroup GROUP_VPN default-domain ******.com
vpngroup GROUP_VPN split-tunnel no-nat
vpngroup GROUP_VPN idle-time 1800
vpngroup GROUP_VPN password ********
Marty

I don't know where you are connecting from and to, but I think this is a NAT traversal issue. This is not enabled by default on the PIX.

Add the following and try

isakmp nat-traversal 20

//Marty
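The two things the thread turns on are easy to check mechanically: does the ACL named in `vpngroup ... split-tunnel` actually describe a split tunnel, and is `isakmp nat-traversal` present at all. The following script is an added example written for this page, not code from either poster. It parses a constructed excerpt in PIX 6.3 syntax (modelled on the config above, with the masked networks dropped) and reports the plumbing problems a reviewer would look for: a split-tunnel ACL whose source side is `any` (the source network of each `permit ip` entry is what the PIX hands the client as a protected network, so `any` becomes 0.0.0.0/0 and nothing is split off the tunnel), a pool that no `nat 0` exemption or split-tunnel entry covers, a defined-but-unreferenced ACL such as `split_tunnel_for_vpn`, and the missing `isakmp nat-traversal` that Marty points at. Only the `permit ip` ACE forms used on this page (`any`, `host A`, `A MASK`) are parsed.

```python
import ipaddress

# Constructed excerpt in PIX 6.3 syntax, modelled on the thread's post; the
# masked networks from the post are omitted and only the VPN-related lines kept.
SAMPLE_CONFIG = """
access-list no-nat permit ip 192.168.48.0 255.255.255.0 192.168.50.0 255.255.255.252
access-list no-nat permit ip any 192.168.49.0 255.255.255.0
access-list no-nat permit ip 192.168.48.0 255.255.255.0 192.168.49.0 255.255.255.0
access-list split_tunnel_for_vpn permit ip 192.168.48.0 255.255.255.0 192.168.49.0 255.255.255.0
ip local pool VPN_POOL 192.168.49.2-192.168.49.200
nat (inside) 0 access-list no-nat
nat (inside) 1 192.168.48.0 255.255.255.0 0 0
vpngroup GROUP_VPN address-pool VPN_POOL
vpngroup GROUP_VPN split-tunnel no-nat
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _addr(tok, i):
    """Read one ACE address term (any | host A | A MASK) at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok[i] + "/" + tok[i + 1], strict=False), i + 2


def parse_config(text):
    """Collect the pieces of a PIX 6.x config that decide whether VPN-client traffic can flow."""
    cfg = {"acls": {}, "pools": {}, "nat0": {}, "group_pool": {}, "split": {},
           "bound": set(), "nat_t": False}
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 3:
            continue
        if tok[0] == "access-list":
            aces = cfg["acls"].setdefault(tok[1], [])
            if tok[2] == "permit" and tok[3] == "ip":   # only 'permit ip' entries matter for nat 0 / split tunnel
                src, i = _addr(tok, 4)
                dst, _ = _addr(tok, i)
                aces.append((src, dst))
        elif tok[0] == "access-group":                  # ACLs bound to an interface count as referenced
            cfg["bound"].add(tok[1])
        elif tok[:3] == ["ip", "local", "pool"]:
            lo, hi = tok[4].split("-")
            cfg["pools"][tok[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif tok[0] == "nat" and tok[2] == "0" and tok[3] == "access-list":
            cfg["nat0"][tok[1].strip("()")] = tok[4]
        elif tok[0] == "vpngroup" and tok[2] == "address-pool":
            cfg["group_pool"][tok[1]] = tok[3]
        elif tok[0] == "vpngroup" and tok[2] == "split-tunnel":
            cfg["split"][tok[1]] = tok[3]
        elif tok[:2] == ["isakmp", "nat-traversal"]:
            cfg["nat_t"] = True
    return cfg


def _covers(aces, lo, hi):
    """True if some ACE's destination network contains the whole pool range lo..hi."""
    return any(lo in dst and hi in dst for _, dst in aces)


def lint(cfg):
    """Return human-readable findings; an empty list means the VPN-client plumbing looks consistent."""
    findings = []
    for group, acl_name in cfg["split"].items():
        aces = cfg["acls"].get(acl_name)
        if aces is None:
            findings.append(f"{group}: split-tunnel ACL '{acl_name}' is not defined")
            continue
        # The source side of each permit entry is what the PIX hands the client as a
        # protected network; 'any' therefore becomes 0.0.0.0/0 and every packet is tunnelled.
        for src, dst in aces:
            if src == ANY:
                findings.append(f"{group}: '{acl_name}' entry any -> {dst} pushes 0.0.0.0/0 "
                                "to clients, so no traffic is split off the tunnel")
        pool = cfg["pools"].get(cfg["group_pool"].get(group))
        if pool and not _covers(aces, *pool):
            findings.append(f"{group}: no entry in '{acl_name}' has the VPN pool as destination")
    for iface, acl_name in cfg["nat0"].items():
        for pool_name, (lo, hi) in cfg["pools"].items():
            if not _covers(cfg["acls"].get(acl_name, []), lo, hi):
                findings.append(f"nat ({iface}) 0: '{acl_name}' does not exempt traffic to pool "
                                f"{pool_name} from NAT")
    if not cfg["nat_t"]:
        findings.append("isakmp nat-traversal is absent; clients behind a NAT device cannot pass ESP")
    used = set(cfg["split"].values()) | set(cfg["nat0"].values()) | cfg["bound"]
    for name in cfg["acls"]:
        if name not in used:
            findings.append(f"access-list '{name}' is defined but never referenced")
    return findings


if __name__ == "__main__":
    for line in lint(parse_config(SAMPLE_CONFIG)) or ["no findings"]:
        print("-", line)
```

Run against the constructed excerpt it reports three findings: the `any` entry that `no-nat` contributes to the split-tunnel list, the unreferenced `split_tunnel_for_vpn` ACL, and the missing `isakmp nat-traversal`. Pointing `split-tunnel` at `split_tunnel_for_vpn` and adding the NAT-T line clears all three, which is a useful sanity check to run before and after touching a live config.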