PIX VPN setup

Status
Not open for further replies.

hmcgillem

MIS
Jun 26, 2001
75
US
I have configured our CISCO PIX for VPN connection. Users can connect through the VPN client and access network resources; however, they do not have internet access. Any suggestions on what I need to add to the PIX configuration to allow internet access? I have the VPN Client configured to use tunneling IPSec over UDP.

Thanks.
Heather
 
You need to enable split-tunneling. It directs which traffic is to be tunneled via VPN and which isn't. Something like this:

access-list SplitTunnel permit ip <inside net> <mask> <vpn client pool> <mask>
vpngroup MyVPNGroup split-tunnel SplitTunnel
 
I thought split-tunneling was automatically set up when you set up VPN? Is this wrong?
 
No, split tunneling is disabled by default on the PIX on new VPN configs.

Computer/Network Technician
CCNA
 
I swear I read somewhere that split tunneling was enabled by default. Anyway, I went in and enabled it through the Client VPN settings. I'll try that and see if it works.

Thanks!
 
Split tunneling didn't fix the problem. Any other suggestions?
 
hmcgillem said:
Split tunneling didn't fix the problem. Any other suggestions?

Did you use the access-list and everything that lgarner showed you?

Computer/Network Technician
CCNA
 
Yes, I believe all of that is set up correctly. Do I need to add an ACL for TCP?
 
Well, I don't know what I need to do then. I'll go and look at the configuration again and see if I can find something.
 
OK, so let's just recap what you are trying to do...


Your system
|
|
|
|
VPN Network


Now we see you have a VPN Tunnel between you and your work, are you trying to access the internet from your home machine, or are you trying to connect to the internet using the VPN Tunnel through a remote administration utility?

Computer/Network Technician
CCNA
 
Here's what I have:

Internal LAN
|
|
|
|
CISCO PIX (VPN access)
|
|
|
|
Home Computer

The Home computer uses Cisco VPN Client 4.6 to gain access to the internal LAN. They can access internal LAN resources such as mapped drives and printers, but they can't get back out for internet access or e-mail while connected through the VPN Client.

I'm sure there's a setting somewhere I need to change, I'm just not sure what it is.
 
Here's what I have for the ACL:

access-list SplitTunnel permit ip any 172.25.10.0 255.255.255.128

172.25.10.0 is our internal network. I've designated an IP Pool (Remote2) with the addresses of 172.25.10.50 - 172.25.10.65. So, is the above correct for the access list I need to allow internet access while VPN'd into the network?

Heather
 
access-list SplitTunnel permit ip <inside net> <mask> <vpn client pool> <mask>
vpngroup MyVPNGroup split-tunnel SplitTunnel
Inside NET = LAN
VPN CLient Pool = IP Pool

And of course you know the masks for both.

It needs to be set up in this order.

Computer/Network Technician
CCNA
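As an added illustration (not from the thread and not Cisco code), here is a small model of how the source field of a PIX 6.x split-tunnel ACL becomes the client's list of secured networks, comparing Heather's ACL with `any` as the source against the inside-net-first form lgarner describes. It assumes the PIX 6.x behaviour that the ACL source network is what the client tunnels and that `any` means 0.0.0.0/0; the pool mask and the test addresses are constructed.

```python
import ipaddress

# ACL exactly as posted in the thread: source is "any".
ACL_AS_POSTED = "access-list SplitTunnel permit ip any 172.25.10.0 255.255.255.128"

# Corrected form per the template: inside net first, then the client pool.
# The pool line (first pool address + mask) is an assumption, not from the thread.
ACL_CORRECTED = (
    "access-list SplitTunnel permit ip "
    "172.25.10.0 255.255.255.128 172.25.10.50 255.255.255.192"
)


def acl_source_networks(acl_text):
    """Return the source networks of each 'permit ip' entry.

    On a PIX 6.x vpngroup split-tunnel ACL the *source* field is the protected
    LAN the client must send through the tunnel (assumed behaviour); 'any'
    collapses to 0.0.0.0/0, i.e. every destination is tunneled.
    """
    nets = []
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list":
            continue
        if parts[2] != "permit" or parts[3] != "ip":
            continue
        if parts[4] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            # ipaddress accepts dotted netmask notation after the slash.
            nets.append(ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False))
    return nets


def path_for(dst, acl_text):
    """'tunnel' if dst falls inside a secured network, otherwise 'direct'
    (sent out the home machine's own internet connection)."""
    addr = ipaddress.ip_address(dst)
    secured = acl_source_networks(acl_text)
    return "tunnel" if any(addr in net for net in secured) else "direct"


if __name__ == "__main__":
    # Constructed destinations: one internal LAN host, one internet host.
    for label, acl in (("as posted", ACL_AS_POSTED), ("corrected", ACL_CORRECTED)):
        print(label, "LAN host:", path_for("172.25.10.20", acl),
              "| internet host:", path_for("198.51.100.10", acl))
```

With `any` as the source, the internet host is tunneled too, so the client never uses its local connection; with the inside net as the source only the 172.25.10.0/25 traffic is tunneled.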
 
Is the VPN client pool the actual address pool (i.e. 172.25.10.50 - 172.25.10.65) or is it the IP Address pool name (i.e. Remote2)? Also, if it's the former, how do I list the VPN client pool?
 
You list the first address of the subnet, with the subnet mask.

Computer/Network Technician
CCNA
 
Great! I've just made a change and will now have to go home to test it. Thanks!!
 
I finally got this to work, but had to basically start from scratch. For some reason, it didn't like it when I enabled Split Tunneling AFTER setting up the VPN stuff. So, I started a new VPN configuration and finally got it to work!! Thanks for all the help!!

Heather
 