08-29-2005 02:26 AM - edited 02-21-2020 01:56 PM
Hi Guys,
The last step of my firewall set-up is the VPN access for my LAN users.
The LAN has internet access and is working fine. When I connect in through the VPN I'm granted an IP from my VPN pool which is on the internal LAN. I can access all my internal hosts but can't get Internet access. DNS is working fine.
Any thoughts??
Many thanks
Rob.
08-29-2005 03:30 AM
Rob,
Have you got the 'split-tunnel' command configured for your vpngroup? If not, then enable it by:
vpngroup
Explanation of split-tunnel:
The vpngroup split-tunnel command is used to enable split tunneling on the PIX firewall. Split tunneling provides access to the corporate network over an encrypted tunnel, while providing clear access to the Internet.
You could also enable:
vpngroup
This will allow all private domain queries to your internal DNS servers through the encrypted tunnel, while queries for other domains are sent in cleartext to external DNS servers.
Whilst on this subject, you should enable NAT-Traversal; this will resolve problems when your VPN clients are initiating connections to your internal network if they are behind a NAT device.
To enable NAT-Traversal issue:
isakmp nat-traversal
All of the above commands should be entered in configuration mode and saved with the command: write mem
Hope this resolves your issues. If it does, please rate the post, as others might be looking for similar answers.
Thanks -
Jay
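The following is an added PIX OS 6.3 configuration fragment illustrating the split-tunnel, split-dns and NAT-Traversal commands discussed above; it is not from the thread or from Cisco's documentation. The group name "remote_users", the internal LAN 192.168.1.0/24, the VPN pool 192.168.100.0/24, the DNS server 192.168.1.10 and the domain example.com are all assumed values.

```text
! Added example, PIX OS 6.3 syntax assumed. All names and addresses are made up.
! Traffic matching this ACL goes through the tunnel; everything else leaves the
! client in the clear (split tunnelling).
access-list split_tunnel_acl permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

! Pool handed to remote clients (lives on the internal LAN, as in the thread)
ip local pool vpnpool 192.168.100.1-192.168.100.50

vpngroup remote_users address-pool vpnpool
vpngroup remote_users dns-server 192.168.1.10
vpngroup remote_users default-domain example.com
! Only tunnel traffic to the internal LAN
vpngroup remote_users split-tunnel split_tunnel_acl
! Queries for the private domain go to the internal DNS server over the tunnel;
! other domains are resolved by the client's own DNS in the clear
vpngroup remote_users split-dns example.com
vpngroup remote_users idle-time 1800
vpngroup remote_users password <group-preshared-key-placeholder>

! Exempt LAN <-> VPN pool traffic from NAT so the tunnel sees real addresses
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! NAT-Traversal: encapsulate ESP in UDP/4500, 20 second keepalives,
! for clients sitting behind a home NAT router
isakmp nat-traversal 20

write memory
```

With split tunnelling the client's Internet traffic never enters the PIX, which is exactly the trade-off Rob raises in his next reply: the corporate firewall cannot inspect or filter that traffic, so the decision is a policy one rather than a purely technical one.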
08-29-2005 03:38 AM
Rob,
Also, forgot to add the following link:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml
Cheers -
Jay
08-29-2005 04:59 AM
Thanks guys, I didn't want to use split tunnelling if possible as I want to force the users to use our internet connection rather than their home ADSL. Any ideas?
Thanks
Rob.
08-29-2005 05:13 AM
If you are not using split tunnelling, you need to have the remote users use a web proxy at the corporate office, or have PIX OS 7 installed on the PIX. Until PIX 7.0, there are no options for traffic to leave the same interface it came in on. This means that for end-user VPN traffic, their internet traffic cannot be tunnelled, as it would go in the outside interface and out the outside interface, violating the in/out the same interface rule.
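As an added illustration of what PIX OS 7.0 changes (not code from the thread or from Cisco's documentation), the fragment below shows the commands commonly used to let full-tunnel clients reach the Internet back out through the outside interface. The VPN pool 192.168.100.0/24 and the interface name "outside" are assumed; the earlier vpngroup, ISAKMP and IPsec configuration is left out.

```text
! Added example, PIX OS 7.0 syntax assumed. Addresses are made up.
! Permit traffic to enter and leave the same interface ("hairpinning").
! This command does not exist in 6.x, which is the limitation Matt describes.
same-security-traffic permit intra-interface

! Full-tunnel clients send all traffic into the outside interface; translate the
! VPN pool as it goes back out so Internet hosts see the PIX's public address.
nat (outside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface

! Keep exempting LAN <-> VPN pool traffic from translation
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

write memory
```

Once the clients are forced through the corporate connection in this way, their Internet traffic is subject to the same outbound ACLs, logging and proxy controls as the office LAN, which is the main security benefit of rejecting split tunnelling.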
08-29-2005 05:26 AM
Rob,
Matt replied before I could, but what he has said is correct. You can achieve what you have asked for by upgrading to PIX OS v7.0.
Cheers -
Jay
08-29-2005 08:08 AM
Thanks guys. Looks like I'm in for another Saturday at work. Got a feeling I need more flash for V7.
Appreciate your help.
Rob.