Cisco Community
English
Register
Welcome Cisco Designated VIP 2021 Class in the 10th Year Anniversary of the Program -- CHECK THE LIST
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
268
Views
0
Helpful
6
Replies
Highlighted
dkim777oig
Beginner
Beginner
‎06-05-2008 12:02 PM
‎06-05-2008 12:02 PM

Can't access outside or internet once connected

I have pix 525 with 8.03 ios and adsm 6 installed.

remote vpn configured fine, cisco vpn client installed fine.

but after the connection, I can't access any hosts outside of 10.0.0.x(inside) subnet.

I can't even ping my outside NIC 129.2.28.100

anyideas?

attached is my config.

Labels:
Preview file
4 KB
0 Helpful
Reply
6 REPLIES 6
Highlighted
msubtain
Beginner
Beginner
‎06-05-2008 07:37 PM
‎06-05-2008 07:37 PM

I can not access your config for some reason, can you post it here?

check few things, have you enabled split tunneling? if yes have you defined network list?

0 Helpful
Reply
Highlighted
dkim777oig
Beginner
Beginner
In response to msubtain
‎06-06-2008 05:19 AM
‎06-06-2008 05:19 AM

sorry, somehow expiration date was the same date as post date.

-----------------------------------------

PIX Version 8.0(3)

!

hostname was-pix

domain-name home

enable password xxx

names

!

interface Ethernet0

nameif outside

security-level 0

ip address 129.2.28.100 255.255.255.128

!

interface Ethernet1

nameif inside

security-level 100

ip address 10.0.0.1 255.255.255.0

!

interface Ethernet2

shutdown

no nameif

no security-level

no ip address

!

passwd xxx

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name home

access-list outside_access_in extended permit ip any any

access-list outside_access_in_1 extended permit ip host 129.2.28.56 any

access-list inside_access_in extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool vpn-pool 10.0.0.100-10.0.0.199 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/asdm-603.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 101 interface

nat (inside) 101 0.0.0.0 0.0.0.0

access-group outside_access_in_1 in interface outside control-plane

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 158.70.112.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 10.0.0.2 255.255.255.255 inside

http 129.2.28.56 255.255.255.255 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 129.2.28.56 255.255.255.255 outside

ssh timeout 5

ssh version 2

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics

ntp server 129.2.146.90 source outside

group-policy vpn-group internal

group-policy vpn-group attributes

dns-server value 129.2.146.90

vpn-tunnel-protocol IPSec

default-domain value home

username user1 password xxx encrypted privilege 0

username user1 attributes

vpn-group-policy vpn-group

tunnel-group vpn-group type remote-access

tunnel-group vpn-group general-attributes

address-pool vpn-pool

default-group-policy vpn-group

tunnel-group vpn-group ipsec-attributes

pre-shared-key *

!

!

prompt hostname context

Cryptochecksum:xxxx

: end

0 Helpful
Reply
Highlighted
singhsaju
Enthusiast
Enthusiast
In response to dkim777oig
‎06-06-2008 06:09 AM
‎06-06-2008 06:09 AM

You have to configure split tunnel in order to access internet , outside etc. Following is the link to configure the same using CLI:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#steps

Rate the post if it helps.

Thanks

Saju

0 Helpful
Reply
Highlighted
dkim777oig
Beginner
Beginner
In response to singhsaju
‎06-06-2008 06:48 AM
‎06-06-2008 06:48 AM

Well, I want ALL traffic(including internet) to go through VPN, therefore I haven't enabled split tunnel.

Is there any other way?

Thanks

0 Helpful
Reply
Highlighted
singhsaju
Enthusiast
Enthusiast
In response to dkim777oig
‎06-06-2008 08:42 AM
‎06-06-2008 08:42 AM

By Design PIX/ASA does not rediredt traffic on same interface . Try enabling it by using command "same-security-traffic permit intra-interface"

See in following document :

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml#topic2

Let me know if it works or not

0 Helpful
Reply
Highlighted
singhsaju
Enthusiast
Enthusiast
In response to dkim777oig
‎06-06-2008 11:00 AM
‎06-06-2008 11:00 AM

Also check this link out . It may help you.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

0 Helpful
Reply
Latest Contents
AMP for Endpoints: Get started with SecureX Orchestration!
Created by deaguo on 01-23-2021 11:27 PM
0
10
0
10
What is SecureX? Cisco SecureX is included with all Secure Endpoint (formerly AMP for Endpoints) subscriptions. SecureX is a cloud-native platform that aggregates capabilities across your security environment. It’s designed to simplify your environment, ... view more
ISE Secure Wired Access Prescriptive Deployment Guide
Created by hariholla on 01-21-2021 12:41 PM
13
155
13
155
  Cisco ISE Secure Wired Access Prescriptive Deployment Guide   Authors: Hariprasad Holla (until June 2018), Mahesh Nagireddy (until Dec 2018)   For an offline or printed copy of this document, simply choose ⋮ Options > Printer ... view more
SecureX and the Evolution of Security Orchestration Automati...
Created by ciscomoderator on 01-20-2021 02:50 PM
0
0
0
0
Meet the Authors Slides- SecureX and the Evolution of Security Orchestration Automation and Response (Live event – Wednesday, 20th, 2021 at 10:00 a.m. Pacific / 1:00 p.m. Eastern / 6:00 p.m. Paris) This event had place on Wednesday 20th, January 202... view more
Cisco Endpoint Security Analytics (CESA) dashboard overview ...
Created by Jason Kunst on 01-19-2021 12:35 PM
0
0
0
0
The following guide goes over the in and out of the Cisco Endpoints Security Analytics Dashboard as an overview and faq page For more information on the product offering, licensing, support, and how to solution (TAC) guide links and more please visit the... view more
#CiscoChat Live: Accelerating your security maturation journ...
Created by Kelli Glass on 01-15-2021 04:48 PM
0
0
0
0
Join us live on Tuesday, January 19 at 10:00 am PT (and on demand after) as we discuss the latest version of ATT&CK and the expansion of TTPs in v8.  As a security expert, you are tasked with protecting your environment. You see the value of... view more
Content for Community-Ad

This widget could not be displayed.