Accessing the Internet via Cisco VPN client and Pix

clightner
Level 1

I am trying to allow remote office users who connect over a MAN to access the Internet and my internal network. I can connect to the internal network, via the MAN interface on the Pix (520), but cannot access the Internet. Does anyone see why this doesn't work? I also want to send traffic to another agency through the MAN interface on the Pix. Is this possible (other posts indicate that it is not)?

Details are listed below:

- Encrypted traffic terminates at the MAN interface on the Pix, Internet traffic exits on the Outside interface.

- The MAN is shared by other agencies. Its equipment is not under my control.

- I am using the Cisco VPN Client V4.1 on a W2K workstation.

- I was able to join the domain while connected via the VPN client.

- I can connect to all my internal resources, including servers on other LANs, connected to my LAN via PPP and Frame circuits. These circuits do not go through the Pix.

- I can resolve DNS names when attempting to connect to the Internet.

- I cannot ping the outside interface on my Pix.

Here is the pertinent portion of my config:

*****************************************

access-list 105 permit ip 10.y.x.0 x.x.x.x 10.z.x.x x.x.x.x
access-list 105 permit ip 10.z.x.x x.x.x.x any
ip local pool ippoolset x.x.x.x-x.x.x.x
nat (inside) 0 access-list 105
route outside 0.0.0.0 0.0.0.0 Internet 1
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.75.173.203 ***** timeout 5
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host x.x.x.x ******* timeout 5
sysopt connection permit-ipsec
crypto ipsec transform-set setname esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set setname
crypto map setmap 10 ipsec-isakmp dynamic dynmap
crypto map setmap interface ManInterface
isakmp enable ManInterface
isakmp key ******** address x.x.x.x netmask x.x.x.x
isakmp identity address
isakmp client configuration address-pool local ippoolset ManInterface
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool ippoolset
vpngroup mygroup dns-server "dns server"
vpngroup mygroup wins-server "wins server"
vpngroup mygroup default-domain "Domain name"
vpngroup mygroup idle-time 1800
vpngroup mygroup password ***********

Any assistance is greatly appreciated.


gfullage
Cisco Employee

Do you have something like the following:

> nat (MAN) 5 10.z.x.x x.x.x.x

> global (outside) 5 interface

In other words, if your VPN clients are coming in and being given a 10.z.x.x IP address, this is fine if they're staying on your inside network. If they go out to the Internet though, they need to be translated to a globally routable address so that their traffic will get back to you.

Oh, and you won't be able to ping the PIX outside interface from these clients ever, so don't even bother trying. Ping the default gateway of the PIX to verify connectivity through it.
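The pairing gfullage describes (a nat statement on the interface the VPN clients arrive on, with a global statement carrying the same id on the interface their Internet traffic leaves) can be checked mechanically. The following is an added audit script, not part of this thread or of any Cisco tool; the config text and addresses in it are constructed placeholders standing in for the 10.z.x.x pool, the MAN interface and the outside interface discussed above.

```python
import ipaddress
import re

# Constructed PIX 6.x snippet modelled on the thread: VPN pool 10.200.0.0/24
# terminates on the MAN interface; the nat (MAN) 5 line exists but no
# global (outside) 5 partner does, which is the gap the reply points at.
SAMPLE_CONFIG = """
nat (inside) 0 access-list 105
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 interface
nat (MAN) 5 10.200.0.0 255.255.255.0
""".strip()

# Only the "nat (iface) id net mask" form is parsed; the access-list form
# (nat 0 access-list) is identity NAT and is deliberately skipped here.
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})", re.I)
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(\S.*)$", re.I)


def parse_translation_rules(config_text):
    """Return (nat_rules, global_rules) as lists of (iface, id, value)."""
    nats, globals_ = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            iface, nat_id, net, mask = m.groups()
            nats.append((iface.lower(), int(nat_id),
                         ipaddress.ip_network(f"{net}/{mask}", strict=False)))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            iface, nat_id, pool = m.groups()
            globals_.append((iface.lower(), int(nat_id), pool.strip()))
    return nats, globals_


def check_client_egress(config_text, client_ip, ingress_iface, egress_iface):
    """Classify whether a client address entering on ingress_iface has a
    nat/global pair that translates it on the way out of egress_iface."""
    nats, globals_ = parse_translation_rules(config_text)
    addr = ipaddress.ip_address(client_ip)
    matching_ids = [nid for iface, nid, net in nats
                    if iface == ingress_iface.lower() and addr in net]
    if not matching_ids:
        return "missing-nat"       # no nat (ingress) statement covers this pool
    for nat_id in matching_ids:
        if any(iface == egress_iface.lower() and gid == nat_id
               for iface, gid, _ in globals_):
            return "ok"            # translated to a routable address on egress
    return "missing-global"        # nat id present, no global (egress) with that id
```

Running `check_client_egress(SAMPLE_CONFIG, "10.200.0.7", "MAN", "outside")` reports `missing-global`; appending `global (outside) 5 interface` turns it into `ok`.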

I tried adding a nat (man) 5 10.z.x.x x.x.x.x and an additional global command, but it does not route the packets to the outside interface. The VPN users are connecting to the network via the MAN interface (rather than the outside interface).

I have a default route to the outside interface:

outside 0.0.0.0 0.0.0.0 x.x.x.x

My nat commands are all "nat (inside) ...".

My global command maps IPs going out the MAN interface to a set of nat'd ip addresses.

I am, obviously, fairly new to the Pix.

Thanks for the help.