08-08-2007 04:59 AM - edited 03-11-2019 03:55 AM
I have set up a PIX to accept VPN connections from Cisco VPN clients. This is working. However, when I want to browse the Internet, I am unable to do this. Is there a trick to getting traffic turned back around the same interface that I am terminating my VPN clients on? Below are the relevant parts of the config.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 101 remark Authentication exclusion list
access-list 101 deny icmp any any
access-list 101 deny ip host 172.25.1.99 any
access-list 101 deny ip host 172.25.1.98 any
access-list 101 deny ip host 172.25.1.21 any
access-list 101 deny udp host 172.25.2.21 any eq domain
access-list 101 deny tcp host 172.25.2.21 any eq domain
access-list 101 remark Authentication ports
access-list 101 permit ip any any
access-list nonat permit ip 172.25.0.0 255.255.0.0 172.25.10.0 255.255.255.0
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.27 255.255.255.248
ip address inside 172.25.1.2 255.255.255.0
ip local pool vpnpool 172.25.10.100-172.25.10.199 mask 255.255.255.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.28 172.25.2.21 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.29 172.25.1.21 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host x.x.x.28 eq lotusnotes any
conduit permit tcp host x.x.x.29 eq lotusnotes any
route outside 0.0.0.0 0.0.0.0 x.x.x.25 1
route inside 172.20.0.0 255.255.0.0 172.25.1.1 1
route inside 172.25.2.0 255.255.255.0 172.25.1.1 1
timeout xlate 1:00:00
timeout conn 0:10:00 half-closed 0:05:00 udp 0:02:00 rpc 0:05:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:00:00 absolute uauth 1:00:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 172.24.1.21 internet timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server AuthOutbound protocol tacacs+
aaa-server AuthOutbound max-failed-attempts 3
aaa-server AuthOutbound deadtime 10
aaa-server AuthOutbound (inside) host 172.25.1.21 abc123 timeout 60
aaa-server SUCHRADIUS protocol radius
aaa-server SUCHRADIUS max-failed-attempts 3
aaa-server SUCHRADIUS deadtime 10
aaa-server SUCHRADIUS (inside) host 172.25.1.21 abc123 timeout 60
aaa authentication match 101 inside AuthOutbound
floodguard enable
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap client authentication SUCHRADIUS
crypto map vpnmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
vpngroup CLIENTVPN address-pool vpnpool
vpngroup CLIENTVPN dns-server 172.25.1.21
vpngroup CLIENTVPN default-domain clientvpn.net
vpngroup CLIENTVPN idle-time 1800
vpngroup CLIENTVPN password ********
telnet 172.25.0.0 255.255.0.0 inside
telnet 172.20.0.0 255.255.0.0 inside
08-08-2007 05:18 AM
This function is only available on PIX/ASA version 7.
You can use split tunneling in version 6.
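The two options the reply describes, written out against the poster's own names (CLIENTVPN, vpnpool, the nonat access-list), as an added example that is not part of either post. The 6.3 section is the split-tunnel workaround; the 7.x section is the same-interface U-turn (hairpin) that 6.3 cannot do. The ACL name `split-tunnel` and the NAT id reuse are assumptions for illustration.

```cisco
! ---- Option A: PIX 6.3(5) split tunneling (works on the posted version) ----
! Only destinations matched by the split-tunnel ACL are sent through the tunnel;
! the client routes everything else (Internet) directly out its own connection.
! The ACL is written as internal-network -> VPN-pool, the same shape as the nonat
! list, and should cover exactly the networks the nonat list exempts from NAT.
access-list split-tunnel permit ip 172.25.0.0 255.255.0.0 172.25.10.0 255.255.255.0
vpngroup CLIENTVPN split-tunnel split-tunnel

! ---- Option B: PIX/ASA 7.x hairpin (requires upgrade from 6.3) ----
! Let traffic that arrives on "outside" leave through "outside" again, and NAT
! the VPN pool to the outside interface address on the way out. Decrypted client
! packets are then re-NATed and forwarded to the Internet through the firewall.
same-security-traffic permit intra-interface
nat (outside) 1 172.25.10.0 255.255.255.0
global (outside) 1 interface
```

The two options differ in what the firewall gets to see. With split tunneling, the client's Internet traffic never reaches the PIX, so the outbound AAA authentication (`aaa authentication match 101 inside AuthOutbound`) and the fixup inspection in the posted config do not apply to it, and the client is simultaneously connected to the corporate network and an unprotected Internet path. With the 7.x hairpin, all client traffic stays inside the tunnel and is subject to the firewall's policy, at the cost of bandwidth on the outside interface and an upgrade: 7.x does not support the `conduit` commands in the posted config, which must be converted to access-lists. Whichever route is taken, the `esp-des` transform set and `isakmp policy 10 encryption des` are weak by current standards and are worth replacing at the same time.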