Can't access internet over VPN tunnel

(OP)
Hello,

I have a Cisco Pix 501 configured at home for VPN access. Using the Cisco VPN client software, I can connect to my home network and access resources behind my Pix. However, I can't reach the Internet from my VPN client.  Looking at my Pix logs, I see the following error messages:

Dec 31 16:23:54 192.168.1.1 Dec 31 2010 16:24:04: %PIX-6-110001: No route to 8.8.4.4 from 172.16.0.1
Dec 31 16:24:07 192.168.1.1 Dec 31 2010 16:24:16: %PIX-6-110001: No route to 8.8.8.8 from 172.16.0.1

The 172.16.0.1 is my VPN client and the 8.8.8.8 and 8.8.4.4 are Google DNS servers.

Systems on my home network are able to access the Internet  (That's how I'm posting this question).

This VPN configuration was created using the PDM VPN Wizard GUI.  Any thoughts on how to fix this?

Thanks,

Rob

RE: Can't access internet over VPN tunnel

Just a hunch, but it sounds like the virtual network interface for the VPN connection lacks a default gateway.  I would start by looking at the existing configuration for this interface and see if you can modify it either directly or through the wizard tool.

RE: Can't access internet over VPN tunnel

(OP)
Hello Noway2,

The Pix doesn't create a virtual interface, that I know of, for the VPN connection.  When the VPN connection is up and I do a show int, only the inside and outside interfaces are displayed.  Do you know of another command I should use to show the VPN interface (if it exists)?

Thanks,

Rob

RE: Can't access internet over VPN tunnel

The virtual adapter would be on the client end rather than the PIX.  For example, on my (work) laptop which uses the CISCO client, I have a LAN connection for the Cisco client.  

One simple way to get at this information would be to connect via VPN and then pull up a CMD prompt and type ipconfig or ipconfig /all.  This should show you the network configurations.

I think you will find that you have an IP address, e.g. 172.16.0.1, and an appropriate mask, e.g. 255.255.255.0, but no gateway.  Consequently, when connected via VPN you can route your LAN, but not beyond.

One other command that can provide a lot of information is: 'route print' from a command prompt.  This will show you how an attempt to reach various destinations will be made.
 

RE: Can't access internet over VPN tunnel

the 501 doesn't permit hairpinning network connections. try configuring the vpn profile to use split-tunneling.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

RE: Can't access internet over VPN tunnel

(OP)
Hello Unclerico,

Would a site-to-site tunnel using two Pix 501 firewalls allow me to surf the Internet over VPN?

Thanks,

Rob

RE: Can't access internet over VPN tunnel

no. traffic would be entering and exiting the same interface on the device that will be providing the internet access.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
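
An added example, not part of any post in this thread: a short Python script that scans PIX syslog for the %PIX-6-110001 messages quoted in the first post and lists VPN clients whose Internet-bound traffic the PIX could not route, the symptom the replies attribute to the 501 not hairpinning traffic. The 172.16.0.0/24 pool is an assumption (the thread only shows 172.16.0.1), and the third sample log line is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input: the two log lines quoted in the thread, plus one constructed
# line for an inside host to show a case that must not be flagged.
SAMPLE_LOG = """\
Dec 31 16:23:54 192.168.1.1 Dec 31 2010 16:24:04: %PIX-6-110001: No route to 8.8.4.4 from 172.16.0.1
Dec 31 16:24:07 192.168.1.1 Dec 31 2010 16:24:16: %PIX-6-110001: No route to 8.8.8.8 from 172.16.0.1
Dec 31 16:25:00 192.168.1.1 Dec 31 2010 16:25:10: %PIX-6-110001: No route to 192.168.1.50 from 192.168.1.20
"""

# Assumption: the VPN client address pool (not stated in the thread).
VPN_POOL = ipaddress.ip_network("172.16.0.0/24")

NO_ROUTE = re.compile(r"%PIX-6-110001: No route to (\S+) from (\S+)")


def hairpin_candidates(log_text, vpn_pool=VPN_POOL):
    """Map each VPN client IP to the Internet destinations it failed to reach."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = NO_ROUTE.search(line)
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m.group(1))
            src = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # address field is not a plain IP; skip the line
        # A tunnelled client asking for a public address means the client is
        # sending all traffic into the tunnel and the PIX cannot turn it around.
        if src in vpn_pool and dst.is_global:
            hits[str(src)].add(str(dst))
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for client, dests in hairpin_candidates(SAMPLE_LOG).items():
        print(f"{client}: no route to {', '.join(dests)}")
```
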
