VPN Internet Access

poperob123
Level 1

Hi Guys,

The last step of my firewall set-up is the VPN access for my LAN users.

The LAN has internet access and is working fine. When I connect in through the VPN I’m granted an IP from my VPN pool which is on the internal LAN. I can access all my internal hosts but can’t get Internet access. DNS is working fine.

Any thoughts??

Many thanks

Rob.

6 Replies

jmia
Level 7

Rob,

Have you got 'split-tunnel' command configured for your vpngroup? If not then enable this by:

vpngroup group_name split-tunnel access_list_name

Explanation on split-tunnel:

The vpngroup split-tunnel command is used to enable split tunneling on the PIX firewall. Split tunneling provides access to the corporate network over an encrypted tunnel, while providing clear access to the Internet.

You could also enable:

vpngroup group_name split-dns domain_name1 [domain_name2 ... domain_name8]

This will allow all private domain queries to your internal DNS servers through the encrypted tunnel, while queries for other domains are sent in cleartext to external DNS servers.

Whilst on this subject, you should enable NAT-Traversal; this will resolve problems when your VPN clients are initiating connections to your internal network if they are behind a NAT device.

To enable NAT-Traversal issue:

isakmp nat-traversal

All of the above commands should be entered in configuration mode and saved with the command: write mem

Hope this resolves your issues; if it does, please rate the post, as others might be looking for similar answers.

Thanks -

Jay

Thanks guys, I didn't want to use split tunnelling if possible, as I want to force the users to use our internet connection rather than their home ADSL. Any ideas?

Thanks

Rob.

If you are not using split tunnelling, you need to have the remote users use a web proxy at the corporate office, or have PIX OS 7 installed on the PIX. Until PIX 7.0, there are no options for traffic to leave the same interface it came in on - this means for end user VPN traffic, their internet traffic cannot be tunnelled, as it would go in the outside interface and out the outside interface - violating the in/out the same interface rule.
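The two approaches discussed in this thread side by side, as an added, constructed configuration sketch (not posted by Jay, Matt or Rob): Jay's PIX 6.3 split-tunnel vpngroup with split-dns and NAT-T, and the PIX 7.0 full-tunnel ("hairpin") alternative Matt refers to, which keeps all client Internet traffic inside the tunnel instead of leaving it in the clear on the home connection. Group name, pool, ACL name, addresses and domain are placeholders, and the 7.0 lines are assumed from that release's syntax, so check them against the command reference for the version actually installed.

```cisco
! Added example (constructed). Names and addresses are placeholders.
!
! --- Option A: split tunnel on PIX 6.3 (Jay's suggestion) ---
! Only traffic to the internal networks matched by the ACL enters the tunnel;
! everything else leaves the client unencrypted via its own Internet link,
! so the client is reachable from the Internet while the tunnel is up.
access-list split_tunnel_acl permit ip 10.10.0.0 255.255.0.0 any
ip local pool vpnpool 10.10.50.1-10.10.50.254
vpngroup remote_users address-pool vpnpool
vpngroup remote_users dns-server 10.10.1.10
vpngroup remote_users default-domain corp.example
vpngroup remote_users split-tunnel split_tunnel_acl
! Only corp.example lookups go to the internal DNS over the tunnel;
! other names resolve in cleartext via the client's local resolver.
vpngroup remote_users split-dns corp.example
vpngroup remote_users idle-time 1800
vpngroup remote_users password PLACEHOLDER_PSK
! UDP encapsulation for clients behind home NAT devices; keepalive every 20 s.
isakmp nat-traversal 20
write memory

! --- Option B: full tunnel, Internet via the PIX (needs PIX OS 7.0, per Matt) ---
! Assumed 7.0 syntax. In 7.0 "vpngroup" is replaced by tunnel-group /
! group-policy (not shown); leave split tunneling off there so the client
! sends 0.0.0.0/0 through the tunnel. Then allow traffic to re-exit the
! interface it arrived on and NAT the VPN pool out of the outside interface.
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 10.10.50.0 255.255.255.0
write memory
```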

Rob,

Matt replied before I could, but what he has said is correct. You can achieve what you have asked for by upgrading to PIX OS v7.0.

Cheers -

Jay

Thanks guys, looks like I'm in for another Saturday at work. Got a feeling I need more flash for V7.

Appreciate your help.

Rob.