12-18-2007 01:31 PM - edited 03-12-2019 05:52 PM
Hi
I have a remote user logging into a PIX506E through the Microsoft Windows PPTP client. Once on the VPN, he is not able to access the Internet. I believe it is a characteristic of software VPN, but is there any way he can browse the Internet by changing routing tables etc., or which way is best to go with?
As an alternative, if I use an ASA unit, I know this doesn't support PPTP and wanted to know if there is another way to go other than using the Cisco VPN client.
Typically, I would like to use the PIX506E without an additional VPN client and be able to browse the Internet if possible.
Please advise.
12-29-2007 08:29 AM
OK, two things. One, yes, you are correct that you need an ACL for your remote clients, but that is a standard access list like the one above. Secondly, you do need to add the remote VPN IP space to your existing nonat access list. DO NOT remove your others; just add the IP space you are using for your VPN clients. Example below:
access-list nonat permit ip (internal address space) (VPN client DHCP address space)
12-18-2007 01:46 PM
What version of code is the PIX running? In PIX code up through 6.3.5, one of the characteristics of the PIX is that it will not forward traffic out the interface on which it was received. The result of this is that a user who connects via VPN and comes in through the outside/public interface cannot be forwarded back out the outside/public interface to access the Internet.
In release 7 and later, Cisco introduced an optional feature which allows the PIX to forward back out the same interface. So if the PIX is currently running earlier than 7 code, the behavior that you are experiencing is expected behavior. If you upgrade to version 7 code, you may be able to get around this.
HTH
Rick
12-19-2007 07:26 AM
Hi Rick
Thanks for the response. But I don't think the PIX506E supports version 7.0.
Any other ideas on this, or should I go for L2TP or the Cisco VPN client and configure split tunneling?
Thanks
12-19-2007 08:08 AM
You're right. The 506E doesn't support v7. We use the Cisco Client with split tunneling.
Wes
12-19-2007 08:13 AM
It's not a PIX configuration, it's a PPTP client configuration. If you uncheck the box where it says to use the default gateway on the remote network (TCP/IP properties), you will have split tunneling via the client.
12-19-2007 12:33 PM
Yes, I tried the PPTP configuration with the default gateway unchecked. I guess I was able to browse, but definitely not able to do anything on the VPN. So it seems that only one of them works at a time.
And if I want to go for split tunneling, I should definitely use the Cisco VPN client, right?
Just to add, I already have a VPN tunnel between 2 locations and will have to give remote access to the users from home.
And is this link good enough to follow?
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml
12-20-2007 03:47 AM
The problem with just unchecking the Default Gateway box is that the client may be confused about which traffic should go through the VPN and which traffic should not. In the example that you referenced, the command "vpngroup vpn3000 split-tunnel 101" uses access list 101 to define which traffic should travel over the VPN.
You don't have to use the Cisco client. There are other ones out there that will split tunnel. It's just that the Cisco client is what I/we know.
Wes
12-20-2007 08:20 AM
Hi Wes
Thanks for your response. So I understand that I have to go for a VPN client and configure split tunnel on the PIX/ASA units. I would probably go for the Cisco VPN client instead of others.
As I mentioned, I have a site-to-site VPN as well along with remote client VPN. Can you please confirm if this config works?
12-20-2007 09:15 AM
Here is the config below. I already have the site-to-site config as below and it works fine.
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list 102 permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map VPN 1 ipsec-isakmp
crypto map VPN 1 match address 102
crypto map VPN 1 set pfs
crypto map VPN 1 set peer x.x.x.x
crypto map VPN 1 set transform-set myset
crypto map VPN interface outside
isakmp enable outside
isakmp key ******* address x.x.x.x netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 3200
Can you please confirm that adding the config below for remote VPN works well along with the site-to-site VPN?
ip local pool vpn-clients 192.168.2.10-192.168.2.50
access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
vpngroup vpn3000 split-tunnel nonat
crypto dynamic-map dynmap 1 set transform-set myset
crypto map VPN 20 ipsec-isakmp dynamic dynmap
vpngroup vpn3000 address-pool vpn-clients
vpngroup vpn3000 dns-server 10.10.10.2
vpngroup vpn3000 wins-server 10.10.10.2
vpngroup vpn3000 default-domain cisco.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
A couple of questions here:
As I am using ACL 'nonat' for both site-to-site and remote VPN and using the same ACL for split tunnel, does the nonat ACL conflict with the site-to-site command
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
And can I just use group 1 and SHA (hash) for the remote VPN client? I see some docs show that I should only use group 2.
12-21-2007 04:10 AM
Yes, it conflicts. Rename the ACL "access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0" to something else.
You can use whichever DH group you want as long as both ends support it. Some of the Cisco clients and devices don't support DH group 1. I think that's what you're seeing in the docs.
I'll only check in once more today and then it's home for the holidays. Good luck and have a great Christmas.
Wes
Please rate the posts if they are helpful.
12-21-2007 06:49 AM
Thank you. I thought it would create a problem, and I don't understand something here. As both site-to-site and remote VPN need the nat 0 command, I believe the PIX/ASA accepts only one nat 0 command, and if I add a second one, I remember the first one is deleted.
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0 - site-site
access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0 - remote
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list nonat - site-site
nat (inside) 0 access-list 100 - remote, and I guess I can't add this? So where do I apply ACL 100 for the nat 0 command?
vpngroup vpn3000 split-tunnel 100
Do you have this setup in place? If so, can you please send me the sample config. I don't think I need an outage to have this in place, right?
And if I use an ASA, does "same security intra-interface" add any benefit?
Thanks
12-21-2007 06:52 AM
You only need to have one nat 0 ACL. As you found out, you can't add another.
12-21-2007 09:25 AM
Then I don't think it works for the VPN group to access the Internet when connected to the VPN.
12-21-2007 10:28 AM
I shouldn't try to answer questions when I'm in a hurry. Sorry.
I can't get to our equipment now, so this is off the top of my head. You are right. Only one nat 0 is allowed. Rename the second nonat ACL. So it should look like:
access-list vpn permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
vpngroup vpn3000 split-tunnel vpn
Wes
12-21-2007 10:16 AM
This should fix you...
!
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption des
isakmp policy 2 hash sha
isakmp policy 2 group 2
!
access-list SPLIT permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
!
no vpngroup vpn3000 split-tunnel nonat
!
vpngroup vpn3000 split-tunnel SPLIT
!
isakmp nat-traversal
!
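The thread's answers boil down to a handful of configuration checks: a PIX 6.x keeps only one `nat (inside) 0 access-list` binding, the client pool must appear in that nat-exempt ACL, the split-tunnel ACL should be its own list rather than the nat-exempt one, the pool name referenced by `vpngroup` must match the `ip local pool` line, and DES / DH group 1 policies cause interoperability trouble. The script below is an added example, not code from the thread or from Cisco: a small linter that parses those command forms (and only those) and reports each of the pitfalls. Both sample configurations are constructed here, the first from the asker's proposed merge and the second from the shape the replies converge on.

```python
"""Lint a PIX 6.x-style configuration for the remote-access VPN pitfalls raised
in this thread. Added example, not Cisco code or a Cisco tool; the parser only
understands the command forms that appear in the thread."""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
GROUP_RE = re.compile(r"^vpngroup (\S+) (split-tunnel|address-pool) (\S+)$")
ISAKMP_RE = re.compile(r"^isakmp policy (\d+) (encryption|group) (\S+)$")

# Constructed sample: the asker's proposed merge (second nat 0 line, nonat reused
# for split tunnel, pool name mismatch, DES / group 1 policy).
PROPOSED_CONFIG = """
ip local pool vpn-clients 192.168.2.10-192.168.2.50
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 0 access-list 100
vpngroup vpn3000 split-tunnel nonat
vpngroup vpn3000 address-pool ippool
isakmp policy 1 encryption des
isakmp policy 1 group 1
"""

# Constructed sample: one nat 0 ACL that also covers the client pool, a separate
# split-tunnel ACL, matching pool name, 3DES / group 2.
CORRECTED_CONFIG = """
ip local pool vpn-clients 192.168.2.10-192.168.2.50
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
vpngroup vpn3000 split-tunnel SPLIT
vpngroup vpn3000 address-pool vpn-clients
isakmp policy 2 encryption 3des
isakmp policy 2 group 2
"""


def parse(config: str) -> dict:
    """Collect ACL entries, nat 0 bindings, pools, vpngroup attributes and ISAKMP policies."""
    acls, nat0, pools, groups, isakmp = {}, [], {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := NAT0_RE.match(line):
            nat0.append((m.group(1), m.group(2)))
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := GROUP_RE.match(line):
            groups.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        elif m := ISAKMP_RE.match(line):
            isakmp.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return {"acls": acls, "nat0": nat0, "pools": pools, "groups": groups, "isakmp": isakmp}


def lint(config: str) -> list[str]:
    """Return findings as 'code: message' strings; an empty list means nothing was flagged."""
    cfg = parse(config)
    findings = []
    per_iface = {}
    for iface, acl in cfg["nat0"]:
        per_iface.setdefault(iface, []).append(acl)
    for iface, acls in per_iface.items():
        if len(acls) > 1:  # the PIX keeps a single nat 0 ACL per interface
            findings.append(f"nat0-duplicate: {iface} binds {len(acls)} ACLs to nat 0 "
                            f"({', '.join(acls)}); merge the entries into one ACL")
    exempt = {acl for _, acl in cfg["nat0"]}
    for group, attrs in cfg["groups"].items():
        split = attrs.get("split-tunnel")
        if split and split not in cfg["acls"]:
            findings.append(f"split-acl-undefined: vpngroup {group} split-tunnel ACL {split} has no entries")
        elif split in exempt:  # clients would receive every exempt entry, site-to-site nets included
            findings.append(f"split-acl-shared: vpngroup {group} reuses nat-exempt ACL {split} for split tunneling")
        pool = attrs.get("address-pool")
        if pool and pool not in cfg["pools"]:
            findings.append(f"pool-undefined: vpngroup {group} references pool {pool} with no 'ip local pool' line")
        elif pool:
            lo, hi = cfg["pools"][pool]
            covered = any(lo in dst and hi in dst
                          for acl in exempt for _, dst in cfg["acls"].get(acl, []))
            if not covered:  # return traffic to clients would be NATed
                findings.append(f"pool-not-exempt: pool {pool} is not a destination in any nat 0 ACL")
    for pid, attrs in cfg["isakmp"].items():
        if attrs.get("encryption") == "des":
            findings.append(f"weak-isakmp: policy {pid} offers single DES")
        if attrs.get("group") == "1":
            findings.append(f"weak-isakmp: policy {pid} offers DH group 1 (768-bit)")
    return findings


if __name__ == "__main__":
    for label, text in (("proposed", PROPOSED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, lint(text) or ["clean"])
```

Run against the asker's proposed merge the linter reports the duplicate nat 0 binding, the shared nonat ACL, the mismatched pool name and the two weak ISAKMP settings; the corrected configuration comes back clean. The regexes are deliberately strict about the command forms, so anything the thread did not show (standard ACLs, object groups, ASA 7.x syntax) is simply ignored rather than misread.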