vpn works but no Internet access

Status
Not open for further replies.

andytheautomator

Technical User
Nov 20, 2003
32
US
OK, this is probably going to be easy for everyone. I have 2 VPNs set up. One is with 2 Cisco 1751s and the other is with a 515E and a 506E. I need to get rid of the 1751s, but when I do I lose Internet access. I don't know if it's NAT or something to do with IPSec rules; actually I don't have a clue.

Thanks in advance
 
The pixes are on the internet, correct? (The VPN keeps working with the 1751's off?)

Are your routes/default gateways correct, do they point to your PIX?

Is there an access list on the inside interface of the pix preventing access?

Does the access list that triggers traffic to the vpn tunnel only include traffic between the two sites?
(Looking at the counters on the sho access-list command might help you figure out if the access list is catching traffic that it shouldn't)

Have you set up PAT?
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Sho xlate will let you see if PAT is working
Shows you the inside address/source port (local) and what it was translated to on the outside interface
PAT Global x.y.251.2(38217) Local 192.168.84.137(1370)
PAT Global x.y.251.2(38697) Local 192.168.72.48(3287)
PAT Global x.y.251.2(37385) Local 192.168.35.39(2189)


Brian
 
Thanks for the reply. Here are both pix configs. My goal is to take down the router vpn and replace it with a pix vpn. When I take down the router vpn and use only the pix vpn it works but I can't get outside of the vpn. So no internet. I need to force traffic that isn't headed for the remote site to go outside of the vpn. Thanks in advance for any help. I'm really stuck here.

Pix 515E

: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Di8MIxeg0Im0NwMp encrypted
passwd Di8MIxeg0Im0NwMp encrypted
hostname xxxx
domain-name xxxxxxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 172.25.20.0 XXXXX
access-list inside_outbound_nat0_acl permit ip 172.25.10.0 255.255.255.0 XXXXX 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.25.10.0 255.255.255.0 XXXXX 255.255.255.0
pager lines 24
logging on
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 000.000.000.000 255.255.255.248
ip address inside 172.25.10.194 255.255.255.0
ip verify reverse-path interface outside
ip audit name attack1 attack action drop
ip audit name Info1 info action alarm
ip audit interface outside Info1
ip audit interface outside attack1
ip audit info action alarm
ip audit attack action alarm
ip local pool RemoteUsers 172.25.10.76-172.25.10.99
pdm location 172.25.0.0 255.255.0.0 inside
pdm location XXXXXX 255.255.255.0 outside
pdm location 000.000.000.000 255.255.255.255 outside
pdm location 000.000.000.000 255.255.255.255 outside
pdm location 000.000.000.000 255.255.255.255 outside
pdm location 000.000.000.000 255.255.255.255 outside
pdm location 000.000.000.000 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 000.000.000.156-000.000.000.157 netmask 255.255.255.248
global (inside) 20 000.000.000.156-000.000.000.157
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 172.25.10.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 205.205.75.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 172.25.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 000.000.000.000
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 000.000.000.000 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 172.25.0.0 255.255.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
username xxxxxxx password 2aWpWq1U5bawmA6W encrypted privilege 15
terminal width 80
Cryptochecksum:26b7710a9c11def2e5736f23a0e2f043
: end




Pix 506E

: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Di8MIxeg0Im0NwMp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname xxxx
domain-name xxxxxxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 172.25.10.0 XXXXXXXXX
access-list inside_outbound_nat0_acl permit ip 172.25.20.0 255.255.255.0 XXXXXXXXX 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.25.20.0 255.255.255.0 XXXXXXXXXX 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 000.000.000.000 255.255.255.248
ip address inside 172.25.20.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location XXXXXXXXXX 255.255.255.0 inside
pdm location XXXXXXXXXX 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
route outside 0.0.0.0 0.0.0.0 000.000.000.000 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 172.25.20.0 255.255.255.0 inside
http xxxxxxxxxx 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 000.000.000.000
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 000.000.000.000 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet xxxxxxxxxx 255.255.255.0 inside
telnet 172.25.20.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
username xxxxxxx password 2aWpWq1U5bawmA6W encrypted privilege 15
terminal width 80
Cryptochecksum:3b55c74c9bdcdc85597061e386c585c1
: end
 
Issue the following commands on the PIX 506:

nat (inside) 1 172.25.20.0 255.255.255.0
global (outside) 1 interface
clear xlate
 
Unfortunately that didn't work. I need to get the users that are behind the 515E onto the Internet. Thanks anyway.
 
Are there any users able to go to the Internet? Or can none of them access the web? Go to a PC and find out its IP address, then try to go to the Internet from this PC, access the PIX 515 and issue the following command: "show local-host <pc-ip-address>" and try to determine if it has a global translation. Your pool of global IP addresses may be running out; you can add a PAT address: global (outside) 10 interface.
 
Two things that may help:
The crypto ACL access-list outside_cryptomap_20 permit ip 172.25.10.0 255.255.255.0 XXXXX 255.255.255.0
I believe is telling all traffic (including WWW) to use the VPN tunnel. Try adding a deny statement alongside the current permit all IP statement. This may kick that traffic off the tunnel. Also, I believe there is a split-tunnel command that does just that: it tells which traffic should be encrypted through the tunnel and which traffic will browse the Internet. Do a search at the Cisco site for the split-tunnel info.
Good Luck

CTX
 
Thanks for the help everybody. I didn't have enough info posted to solve the issue. I was using (for example)

outside address: 192.168.1.10
Default gateway: 192.168.1.1
PAT 172.25.16.5

Thanks for everybody's efforts. That's what makes this site great.
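As an added illustration (not code from the thread, from the posters, or from Cisco), the script below runs Brian's checklist and the final post's root cause as three mechanical checks over a PIX 6.3 config: every non-zero nat id has a global on the outside interface, every pool/PAT address lies inside the outside interface's subnet, and the crypto ACL matches only the two sites. The function names and the config fragment are constructed for the example; the addresses are made up.

```python
import ipaddress
import re

# Constructed PIX 6.3 fragment modelled on the thread's 515E config; all addresses are made up.
SAMPLE_CONFIG = """
ip address outside 192.168.1.10 255.255.255.248
ip address inside 172.25.10.194 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.25.10.0 255.255.255.0 172.25.20.0 255.255.255.0
global (outside) 10 172.25.16.5 netmask 255.255.255.0
nat (inside) 10 172.25.10.0 255.255.255.0 0 0
nat (inside) 20 172.25.11.0 255.255.255.0 0 0
crypto map outside_map 20 match address outside_cryptomap_20
"""

def _endpoint(tokens):
    """Consume one ACL endpoint ('any', 'host A', or 'A MASK') and return ((addr, mask), rest)."""
    if tokens[0] == "any":
        return ("any", "0.0.0.0"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "255.255.255.255"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def audit_pix(config):
    """Return findings for the 'VPN up, no Internet' symptoms discussed in the thread."""
    findings, ifaces, globs, nats, acls, crypto_acls = [], {}, {}, set(), {}, set()
    for ln in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"ip address (\S+) (\S+) (\S+)$", ln):
            ifaces[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := re.match(r"global \((\S+)\) (\d+) (\S+)", ln):
            globs.setdefault(m[2], []).append((m[1], m[3]))
        elif m := re.match(r"nat \(\S+\) (\d+) ", ln):
            if m[1] != "0": nats.add(m[1])  # nat 0 is the no-NAT exemption; it needs no global
        elif m := re.match(r"access-list (\S+) permit ip (.+)$", ln):
            src, rest = _endpoint(m[2].split())
            dst, _ = _endpoint(rest)
            acls.setdefault(m[1], []).append((src, dst))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", ln):
            crypto_acls.add(m[1])
    # 1. Every non-zero nat id needs a global on the outside interface, or nothing gets translated.
    for nid in sorted(nats):
        if not any(i == "outside" for i, _ in globs.get(nid, [])):
            findings.append(f"nat id {nid}: no 'global (outside) {nid}', inside hosts cannot reach the Internet")
    # 2. A pool/PAT address must sit in the outside subnet (or be 'interface'), else replies never route back.
    for nid, entries in globs.items():
        for iface, addr in entries:
            if addr != "interface" and iface in ifaces:
                if ipaddress.ip_address(addr.split("-")[0]) not in ifaces[iface].network:
                    findings.append(f"global ({iface}) {nid} {addr}: not in {ifaces[iface].network}, return traffic will not route back")
    # 3. A crypto ACL that matches 'any' pulls Internet-bound traffic into the tunnel.
    for name in crypto_acls:
        for (src, _), (dst, dmask) in acls.get(name, []):
            if "any" in (src, dst) or dmask == "0.0.0.0":
                findings.append(f"crypto acl {name}: matches all traffic, not just the two sites")
    return findings
```

Running audit_pix(SAMPLE_CONFIG) reports the orphaned nat id 20 and the PAT address outside the outside subnet, which is the same mistake the original poster found.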
 