VPN client cannot connect to Internet

brian975
Level 1

I am having trouble seeing the Internet while connected by VPN to my PIX 515E (v6.3.1). I am doing PPTP with Windows XP clients and local authentication. I can connect very quickly with no problems and can see the internal network – I just can’t see the Internet.

Can someone take a look at my configuration and tell me what I’m doing wrong?

The Syslog shows the following messages when I try to connect to Google:

<163>Jun 29 2004 14:19:31: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:192.55.9.32/1161 dst outside:66.102.7.99/80

IPconfig shows that the default gateway on the client is the same as the client's IP address. I would think that this should be the address of the PIX but I haven't found where to change that setting.

NOTE: the config will follow in the next message because it is too big to fit with this message.

2 Replies

brian975
Level 1

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_out permit tcp any host 12.45.xx.xx eq https
access-list acl_out permit tcp any host 12.45.xx.xx eq ssh log 5
access-list acl_out permit tcp any host 12.45.xx.xx eq 3389
access-list acl_out permit tcp any host 12.45.xx.xx eq https
access-list acl_out permit tcp any host 12.45.xx.xx eq smtp
access-list acl_out permit tcp any host 12.45.xx.xx eq www
access-list inside_outbound_nat0_acl permit ip any 192.55.9.0 255.255.255.192
logging host inside 192.55.9.81
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 12.45.xx.xx 255.255.255.0
ip address inside 192.55.9.10 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_Pool 192.55.9.30-192.55.9.39
pdm location 192.55.9.81 255.255.255.255 inside
pdm location 192.55.11.0 255.255.255.0 inside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 192.55.9.1 255.255.255.255 inside
pdm location 12.45.xx.xx 255.255.255.255 outside
pdm location 192.55.9.5 255.255.255.255 inside
pdm location 192.55.9.3 255.255.255.255 inside
pdm location 192.55.9.0 255.255.255.192 outside
pdm location 192.55.9.2 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 12.45.xx.xx 3389 192.55.9.5 3389 netmask 255.255.255.255 0 0
static (inside,outside) 12.45.xx.xx 192.55.9.1 netmask 255.255.255.255 0 0
static (inside,outside) 12.45.xx.xx 192.55.9.3 netmask 255.255.255.255 0 0
static (inside,outside) 12.45.xx.xx 192.55.9.2 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
rip inside passive version 2
route outside 0.0.0.0 0.0.0.0 12.45.xx.xx 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 192.55.9.2 timeout 5 protocol TCP version 1
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ntp server 192.5.41.41 source outside
ntp server 131.107.1.10 source outside prefer
http server enable
http 192.55.9.0 255.255.255.0 inside
http 192.55.11.0 255.255.255.0 inside
snmp-server location (my location)
snmp-server contact (my name)
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.55.9.81 /pix_config
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
vpngroup PPTP-VPDN-GROUP split-tunnel inside_outbound_nat0_acl
vpngroup PPTP-VPDN-GROUP idle-time 1800
telnet 192.55.9.0 255.255.255.0 inside
telnet 192.55.11.0 255.255.255.0 inside
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 128 required
vpdn group PPTP-VPDN-GROUP client configuration address local VPN_Pool
vpdn group PPTP-VPDN-GROUP client configuration dns 192.55.9.5 192.55.9.2
vpdn group PPTP-VPDN-GROUP client configuration wins 192.55.9.5 192.55.9.2
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn group 1 client authentication local
vpdn username Beth password *********
vpdn username Betty password *********
vpdn username Rick password *********
vpdn username Judi password *********
vpdn username BrianL password *********
vpdn enable outside

The issue is that you are wanting traffic to flow out of the same interface on which it came in. The PIX code will not allow you to do this. You will either need to set up an internal proxy server and have clients establish outside connections via that proxy, or use another interface on the PIX (physical or logical) and have the VPN connections terminate on the third interface; with this you will need another set of IP addresses from your provider, and that may not be possible depending on how you connect to your provider.
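The diagnosis in the reply above can be read straight off the syslog line in the original question: the %PIX-3-106011 message names the same interface (outside) as both source and destination, and the source address 192.55.9.32 falls inside the PPTP pool declared by `ip local pool VPN_Pool 192.55.9.30-192.55.9.39`, while `vpdn enable outside` terminates the tunnels on that interface. The following is an added example, not code from the original thread or from Cisco, that parses 106011 messages and flags exactly that "VPN client trying to hairpin back out the VPN interface" case so it can be picked out of a PIX syslog feed. The first sample line is the one from the post; the other three are constructed here with documentation addresses. The function and variable names (`classify`, `triage`, `POOL`, `VPN_IF`) are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Regex for the PIX 6.x %PIX-3-106011 "Deny inbound (No xlate)" message in the
# form shown in the original post: "<proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>".
DENY_NO_XLATE_RE = re.compile(
    r"%PIX-3-106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

Pool = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


@dataclass
class DenyEvent:
    proto: str
    src_if: str
    src_ip: ipaddress.IPv4Address
    src_port: int
    dst_if: str
    dst_ip: ipaddress.IPv4Address
    dst_port: int


def parse_106011(line: str) -> Optional[DenyEvent]:
    """Return the parsed event for a 106011 line, or None for any other message."""
    m = DENY_NO_XLATE_RE.search(line)
    if not m:
        return None
    return DenyEvent(
        proto=m["proto"],
        src_if=m["src_if"],
        src_ip=ipaddress.IPv4Address(m["src_ip"]),
        src_port=int(m["src_port"]),
        dst_if=m["dst_if"],
        dst_ip=ipaddress.IPv4Address(m["dst_ip"]),
        dst_port=int(m["dst_port"]),
    )


def parse_pool(pool_range: str) -> Pool:
    """Parse the range form used by 'ip local pool' ("a.b.c.d-a.b.c.e") into (first, last)."""
    first, last = pool_range.split("-")
    return ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)


def in_pool(ip: ipaddress.IPv4Address, pool: Pool) -> bool:
    first, last = pool
    return first <= ip <= last


def classify(line: str, pool: Pool, vpn_if: str) -> str:
    """Classify one syslog line.

    'vpn-hairpin'    : 106011 where src and dst interface are both the interface the
                       VPN terminates on and the source is a pool address, i.e. a VPN
                       client trying to leave by the interface it came in on.
    'same-interface' : 106011 with matching interfaces but a non-pool source.
    'no-xlate-other' : any other 106011 (ordinary inbound traffic with no translation).
    'not-106011'     : everything else.
    """
    ev = parse_106011(line)
    if ev is None:
        return "not-106011"
    if ev.src_if == ev.dst_if == vpn_if and in_pool(ev.src_ip, pool):
        return "vpn-hairpin"
    if ev.src_if == ev.dst_if:
        return "same-interface"
    return "no-xlate-other"


def triage(lines: List[str], pool: Pool, vpn_if: str) -> List[str]:
    """Classify a batch of syslog lines in order."""
    return [classify(line, pool, vpn_if) for line in lines]


# Values taken from the posted configuration ("ip local pool VPN_Pool ..." and "vpdn enable outside").
POOL = parse_pool("192.55.9.30-192.55.9.39")
VPN_IF = "outside"

# First line is the one from the original post; the remaining three are constructed for this example.
POST_LINE = ("<163>Jun 29 2004 14:19:31: %PIX-3-106011: Deny inbound (No xlate) tcp "
             "src outside:192.55.9.32/1161 dst outside:66.102.7.99/80")
SAMPLE_LINES = [
    POST_LINE,
    "<163>Jun 29 2004 14:21:02: %PIX-3-106011: Deny inbound (No xlate) tcp "
    "src outside:203.0.113.7/4455 dst inside:192.55.9.81/80",          # constructed
    "<163>Jun 29 2004 14:22:10: %PIX-3-106011: Deny inbound (No xlate) udp "
    "src outside:198.51.100.9/5353 dst outside:66.102.7.99/53",        # constructed
    "<166>Jun 29 2004 14:23:00: %PIX-6-302013: Built outbound TCP connection",  # constructed
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LINES, triage(SAMPLE_LINES, POOL, VPN_IF)):
        print(f"{verdict:15s} {line}")
```

The pool range and the VPN interface are the two facts that turn a generic "no xlate" deny into a verdict; feed them from the running config rather than hard-coding them if this is dropped into a log pipeline. A burst of `vpn-hairpin` verdicts from pool addresses is the signature of the situation the reply describes, where the only remedies are a proxy on the inside or terminating the tunnels on a separate interface.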