Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
VPN works, but can't ping internal hosts
- Thread starter khilari
- Start date
Khilari-
problem might be with an access-list or two. Can you provide us with your access-list?
Here is an example
access-list nonat permit ip 172.16.0.0 255.255.0.0 192.168.10.0 255.255.255.0 (access-list that allows traffic to flow between inside IP's to your IP pool)
nat (inside) 0 access-list nonat (tells PIX not to NAT access-list nonat)
This is just an example, have tosee how you have your PIX configured.
Frank
problem might be with an access-list or two. Can you provide us with your access-list?
Here is an example
access-list nonat permit ip 172.16.0.0 255.255.0.0 192.168.10.0 255.255.255.0 (access-list that allows traffic to flow between inside IP's to your IP pool)
nat (inside) 0 access-list nonat (tells PIX not to NAT access-list nonat)
This is just an example, have tosee how you have your PIX configured.
Frank
- Thread starter
- #3
- Thread starter
- #4
here is the firewall config
Hi,
Are you connecting via the vpn client from behind another nat device ? If so, try adding 'isakmp nat-t' to your 520 config. This will allow nat traversal, something the pix sometimes struggles with when dealing with a natt'd address. Also, what version of code are you running ?
Regards Colin.
Are you connecting via the vpn client from behind another nat device ? If so, try adding 'isakmp nat-t' to your 520 config. This will allow nat traversal, something the pix sometimes struggles with when dealing with a natt'd address. Also, what version of code are you running ?
Regards Colin.
- Thread starter
- #6
- Thread starter
- #7
The version is 6.2(2)
I was also researching and found out about the
isakmp nat-traversal
The client i am using is also behind a pat device. I haven’t tried the connection through any public ip address. I am guessing that would work... You guys are right i guess, the natting/patting at both ends is a problem.
I was also researching and found out about the
isakmp nat-traversal
The client i am using is also behind a pat device. I haven’t tried the connection through any public ip address. I am guessing that would work... You guys are right i guess, the natting/patting at both ends is a problem.
Khilari-
What are these access-lists for?
access-list split-tunnel permit ip 192.168.200.0 255.255.255.0 any
access-list split-tunnel permit ip 192.168.0.0 255.255.255.0 any
Looks a s if you are trying to do split-tunneling, if that is the case try this command instead
access-list 103 permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
then add the following commands..
vpngroup vpnwoodridge split-tunnel 103
vpngroup vpnwoodridge split-dns (your domain-name)
Frank
What are these access-lists for?
access-list split-tunnel permit ip 192.168.200.0 255.255.255.0 any
access-list split-tunnel permit ip 192.168.0.0 255.255.255.0 any
Looks a s if you are trying to do split-tunneling, if that is the case try this command instead
access-list 103 permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
then add the following commands..
vpngroup vpnwoodridge split-tunnel 103
vpngroup vpnwoodridge split-dns (your domain-name)
Frank
- Thread starter
- #9
- Status
Similar threads
- Locked
- Question
- Locked
- Question