Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
410
Views
0
Helpful
1
Replies

VPN Client to Pix, Web Browsing

mruhenkamp
Level 1
Level 1

‎08-08-2007 04:59 AM - edited ‎03-11-2019 03:55 AM

I have setup a Pix to accept VPN connections from Cisco VPN clients. This is working. However, when I want to browse the Internet, I am unable to do this. Is there a trick to getting traffic turned back around the same interface that I am terminating my VPN clients to? Below are relevant parts of config.

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

access-list 101 remark Authentication exclusion list

access-list 101 deny icmp any any

access-list 101 deny ip host 172.25.1.99 any

access-list 101 deny ip host 172.25.1.98 any

access-list 101 deny ip host 172.25.1.21 any

access-list 101 deny udp host 172.25.2.21 any eq domain

access-list 101 deny tcp host 172.25.2.21 any eq domain

access-list 101 remark Authentication ports

access-list 101 permit ip any any

access-list nonat permit ip 172.25.0.0 255.255.0.0 172.25.10.0 255.255.255.0

mtu outside 1500

mtu inside 1500

ip address outside x.x.x.27 255.255.255.248

ip address inside 172.25.1.2 255.255.255.0

ip local pool vpnpool 172.25.10.100-172.25.10.199 mask 255.255.255.0

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) x.x.x.28 172.25.2.21 netmask 255.255.255.255 0 0

static (inside,outside) x.x.x.29 172.25.1.21 netmask 255.255.255.255 0 0

conduit permit icmp any any

conduit permit tcp host x.x.x.28 eq lotusnotes any

conduit permit tcp host x.x.x.29 eq lotusnotes any

route outside 0.0.0.0 0.0.0.0 x.x.x.25 1

route inside 172.20.0.0 255.255.0.0 172.25.1.1 1

route inside 172.25.2.0 255.255.255.0 172.25.1.1 1

timeout xlate 1:00:00

timeout conn 0:10:00 half-closed 0:05:00 udp 0:02:00 rpc 0:05:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:00:00 absolute uauth 1:00:00 inactivity

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server TACACS+ (inside) host 172.24.1.21 internet timeout 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa-server AuthOutbound protocol tacacs+

aaa-server AuthOutbound max-failed-attempts 3

aaa-server AuthOutbound deadtime 10

aaa-server AuthOutbound (inside) host 172.25.1.21 abc123 timeout 60

aaa-server SUCHRADIUS protocol radius

aaa-server SUCHRADIUS max-failed-attempts 3

aaa-server SUCHRADIUS deadtime 10

aaa-server SUCHRADIUS (inside) host 172.25.1.21 abc123 timeout 60

aaa authentication match 101 inside AuthOutbound

floodguard enable

crypto ipsec transform-set vpnset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set vpnset

crypto map vpnmap 10 ipsec-isakmp dynamic dynmap

crypto map vpnmap client configuration address initiate

crypto map vpnmap client configuration address respond

crypto map vpnmap client authentication SUCHRADIUS

crypto map vpnmap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 3600

vpngroup CLIENTVPN address-pool vpnpool

vpngroup CLIENTVPN dns-server 172.25.1.21

vpngroup CLIENTVPN default-domain clientvpn.net

vpngroup CLIENTVPN idle-time 1800

vpngroup CLIENTVPN password ********

telnet 172.25.0.0 255.255.0.0 inside

telnet 172.20.0.0 255.255.0.0 inside

Labels:
0 Helpful
1 Reply 1

acomiskey
Level 10
Level 10

‎08-08-2007 05:18 AM

This function is only available on pix/asa version 7.

You can use split tunneling in version 6.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card