
no xlate for vpn client

eppiet
Level 1

I have VPN clients set up here. The VPN clients have no problem getting to the internal network. The internal network is working fine. However, I noticed that my VPN clients are unable to browse the internet. The error message is that there is no xlate.

I have the entire internal network NATed, which includes the VPN pool.

What do I need to add for the VPN clients to be able to browse the net when they VPN in?

Thank you.

4 Replies

shannong
Level 4

If the VPN sessions are terminated on a PIX interface that also serves as the interface for its default route, you cannot do this. The PIX does not allow the packet to enter and leave on the same interface.

You can enable split-tunneling for the client so that they do not send traffic to the PIX except for what it protects behind it. Or you can use another interface on the PIX to terminate the VPNs that is not the default-route interface. This allows packets from VPN clients to enter one interface and exit on another as necessary.

I have already enabled split-tunnel.

access-list splitTunnelAcl permit ip any any

Do I need to specify more on the split tunnel?

You "enabled" the feature, but you're telling your clients to send everything to you with the "any any", which functionally is the same as having no split-tunnel feature. Make the ACL more specific. If your inside network is 192.168.1.0/24, for example, your split-tunnel ACL would look like this:

access-list splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any

Any permit statement is traffic allowed on the tunnel, while a deny means don't send the traffic to the VPN gateway. Anything that is denied is not tunneled and is sent out the client's "normal" default gateway, and thus not to your PIX.
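The full change described in the two replies above, written out as an added example rather than config taken from the original thread: the "any any" entry is removed, the ACL is restricted to the inside network, and the ACL is bound to the VPN group. The group name `remoteusers`, the pool `vpnpool` with its 192.168.2.0/24 range, and the PIX 6.x `vpngroup` syntax are assumptions; only the ACL name `splitTunnelAcl` and the 192.168.1.0/24 inside network come from the thread.

```cisco
! --- Before (from the thread): every destination is "interesting", so the
! client tunnels Internet traffic to the PIX. It arrives on the outside
! interface and would have to leave on the same interface, which the PIX
! refuses, hence "no xlate" for the VPN client's Internet traffic.
access-list splitTunnelAcl permit ip any any

! --- After: remove the catch-all and tunnel only the protected inside network.
! Source = network behind the PIX, destination = any (the VPN pool). Anything
! not permitted here leaves the client's own default gateway untunneled.
no access-list splitTunnelAcl permit ip any any
access-list splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any

! --- Bind the ACL to the remote-access group (names and pool are assumed).
ip local pool vpnpool 192.168.2.1-192.168.2.50
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers split-tunnel splitTunnelAcl

! --- Checks after the clients reconnect (the new policy is pushed at
! tunnel setup, so existing sessions must be re-established):
!   show access-list splitTunnelAcl   -> only the 192.168.1.0 line, no "any any"
!   show vpngroup                     -> split-tunnel splitTunnelAcl on the group
!   from a client: the VPN Client's route details should list 192.168.1.0/24
!   as the secured network and nothing else.
```

Two caveats on the design. First, the split-tunnel ACL is an "interesting traffic" list, not a filter: a packet the client decides not to tunnel never reaches the PIX, so inside-side access-lists and NAT rules do not apply to it, and the client is now reachable from the Internet and from the corporate network at the same time, which is the usual trade-off of split tunneling. Second, on PIX 7.x the same intent is expressed under a group-policy (`split-tunnel-policy tunnelspecified` with `split-tunnel-network-list value splitTunnelAcl`, where the ACL is a standard ACL listing only the protected networks); the `vpngroup` form above is the 6.x syntax assumed for this example.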

Thanks. I will try it.