Vpn client can access internet but cannot access internal network

aqswdefrgt
Level 1

I am using a PIX 501 to set up a VPN. At first the VPN client could not access the internet once logged in via the Cisco Systems VPN client, so I enabled split tunneling. Now the VPN client can access the internet but cannot access the internal network. Due to the limited number of characters that can be posted here, only the necessary IOS code is posted in the next message. Who knows how to solve this problem? Please help.

3 Replies

aqswdefrgt
Level 1

enable password ********** encrypted
passwd ********** encrypted
hostname Firewall
domain-name aqswdefrgt.com.sg
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nat permit tcp any host 65.165.123.142 eq smtp
access-list nat permit tcp any host 65.165.123.142 eq pop3
access-list nat permit tcp any host 65.165.123.143 eq smtp
access-list nat permit tcp any host 65.165.123.143 eq pop3
access-list nat permit tcp any host 65.165.123.143 eq www
access-list nat permit tcp any host 65.165.123.152 eq smtp
access-list nat permit tcp any host 65.165.123.152 eq pop3
access-list nat permit tcp any host 65.165.123.152 eq www
access-list nat permit tcp any host 65.165.123.143 eq https
access-list nat permit icmp any any
ip address outside 65.165.123.4 255.255.255.240
ip address inside 192.168.1.2 255.255.255.0
ip verify reverse-path interface outside
ip local pool clientpool 192.168.50.1-192.168.50.50
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 65.165.123.142 smtp 192.168.1.56 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.142 pop3 192.168.1.56 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.143 smtp 192.168.1.55 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.143 pop3 192.168.1.55 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.143 www 192.168.1.55 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.152 smtp 192.168.1.76 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.152 pop3 192.168.1.76 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.152 www 192.168.1.76 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.143 https 192.168.1.55 https netmask 255.255.255.255 0 0
access-group nat in interface outside
route outside 0.0.0.0 0.0.0.0 65.165.123.1 1
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server plexus protocol radius
aaa-server plexus (inside) host 192.168.1.55 ******** timeout 5
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map client authentication plexus
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup vpn3000 address-pool clientpool
vpngroup vpn3000 dns-server 192.168.1.55
vpngroup vpn3000 wins-server 192.168.1.55
vpngroup vpn3000 default-domain aqswdefrgt.com.sg
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

The command "vpngroup vpn3000 split-tunnel 100" seems to be missing.

Also, it is worth applying these two commands as well: "isakmp identity address" and "isakmp nat-traversal 20".

zkalwar123
Level 1

Add these lines and it should work, as these lines are for encrypting the traffic:

access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
crypto map dyn-map 20 match address 110
