03-18-2004 12:10 AM - edited 02-21-2020 01:04 PM
Hi all
I have a PIX 506E with IOS 6.0 and am using VPN client ver 4. The VPN client connected successfully and got an IP from the pool on the PIX, but I can't browse the LAN or access the e-mail server.
ip local pool ippool 10.10.10.65-10.10.10.75
access-list 101 permit ip 168.x.x.2 255.255.255.224 10.10.10.0 255.255.255.0
ip address outside 168.121.x.x.x.255.224
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ciscoVPN esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set ciscoVPN
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ciscoVPN address-pool ippool
vpngroup ciscoVPN dns-server 10.10.10.30
vpngroup ciscoVPN wins-server 10.10.10.31
vpngroup ciscoVPN default-domain cisco.com
vpngroup ciscoVPN split-tunnel 101
vpngroup ciscoVPN idle-time 1800
vpngroup ciscoVPN password cisco
03-18-2004 12:42 AM
Samir,
Have a read of this PDF document, which will explain/show how to set up VPN Client access to a private LAN etc. Read the section: Setting up local LAN Access for the VPN Client.
Hope this helps and let me know how you got on.
Jay
03-18-2004 04:24 AM
Your access list for nat 0 and split tunnel looks incorrect. You want it to match traffic from the inside interface subnet (and any other internal subnets) to the ip local pool address space. You are matching traffic only from the outside interface to the ip local pool.
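Added example, not part of the original thread and not Cisco code: a small Python check of the rule in the reply above, that the access list used for nat 0 and split-tunnel must have the inside subnet as source and the VPN pool as destination. The pool range is the one from the posted config; the inside subnet 192.168.1.0/24 and the outside network 203.0.113.0 are constructed sample values, because the thread masks the real addresses.

```python
import ipaddress
import re

# access-list <id> permit ip <src> <src-mask> <dst> <dst-mask>
ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_acl(line):
    """Return (name, source network, destination network) of a PIX ACL line."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported access-list line: " + line)
    name, src, smask, dst, dmask = m.groups()
    net = lambda addr, mask: ipaddress.ip_network(addr + "/" + mask, strict=False)
    return name, net(src, smask), net(dst, dmask)

def check_vpn_acl(line, inside_net, pool_first, pool_last):
    """List the problems with an ACL used for nat 0 and split-tunnel."""
    _, src, dst = parse_acl(line)
    inside = ipaddress.ip_network(inside_net)
    first = ipaddress.ip_address(pool_first)
    last = ipaddress.ip_address(pool_last)
    problems = []
    # Source must be the inside LAN, or return traffic is NATed and not tunnelled.
    if not inside.subnet_of(src):
        problems.append("source %s does not cover inside subnet %s" % (src, inside))
    # Destination must contain every address a client can be handed from the pool.
    if first not in dst or last not in dst:
        problems.append("destination %s does not cover pool %s-%s" % (dst, first, last))
    return problems

INSIDE = "192.168.1.0/24"              # constructed inside subnet (assumption)
POOL = ("10.10.10.65", "10.10.10.75")  # ip local pool from the posted config
# Constructed lines: outside network as source (the mistake described above),
# then the inside subnet as source.
OUTSIDE_AS_SOURCE = ("access-list 101 permit ip 203.0.113.0 255.255.255.224 "
                     "10.10.10.0 255.255.255.0")
INSIDE_AS_SOURCE = ("access-list 101 permit ip 192.168.1.0 255.255.255.0 "
                    "10.10.10.0 255.255.255.0")

if __name__ == "__main__":
    for acl in (OUTSIDE_AS_SOURCE, INSIDE_AS_SOURCE):
        print(acl)
        for problem in check_vpn_acl(acl, INSIDE, *POOL) or ["ok"]:
            print("   ", problem)
```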
03-18-2004 04:49 AM
This configuration was working fine before, when our server was WIN2K, and now the server has been changed to 2003.
Are there any settings related to the 2003 server?
03-18-2004 06:20 AM
I cannot think of any reason why 2003 would be different. The 2003 server is on the inside interface of the pix right? I doubt you can ping it from a vpn connected client because it looks to me like the crypto access list/nat 0 access list is wrong
03-18-2004 06:47 AM
Please check to see if the Internet Connection Firewall is enabled on the 2003 server.
Please remember to rate all replies