That's a bit of a tricky one that I have had some troubles with too... To cure your problems you need to enable split tunneling. This will then direct only the traffic destined for your net down the VPN tunnel. The rest will leave via your normal internet connection. However, you are of course opening yourself up to attacks from the internet that can possibly use your client to get access to your net. At the moment all packets are sent down the tunnel, and from your host the firewall doesn't know about a connection that you might be trying to establish to, say, a web server; that's why you get the No xlate.
 
I'm still working on a way to get this to work without split tunneling. If anyone has got this going, info would be greatly appreciated. This particularly applies to using PPTP, where you don't have the option to set a split tunnel.
 
Thanks
Mark
-----Original Message-----
From: Jason Yuan [mailto:[EMAIL PROTECTED]]
Sent: 04 October 2001 01:22
To: [EMAIL PROTECTED]
Subject: VPN3000 client to Pix: what's up with VPN POOL?

Hi, I have tried to configure a VPN3000 client configuration to my Pix as an evaluation process; I think I have got the client configured. (CLI is no easy task for me; needless to say the debugging nightmare) I am now able to connect to the network behind the pix via a VPN tunnel.

However, when I try to access the public internet from the client, I am unable to do so. It seems all traffic (regardless if it's going to the protected VPN domain or public domain) is encrypted. It seems that pix is blocking the packet once it is decrypted:

PIX DEBUG:106011: Deny inbound (No xlate) icmp src outside:222.222.222.1 dst outside:10.3)

pix configuration

access-list jason-vpn permit ip 222.222.222.0 255.255.255.0 any
global (outside) 2 10.3.20.136
nat (inside) 2 222.222.222.0 255.255.255.0 0 0
ip local pool vpn-pool 222.222.222.1-222.222.222.5
vpngroup vpn3000 address-pool vpn-pool

Any tips, suggestions would be appreciated!

Jason



Jason Yuan
Consultant
Niles Associates
Tel: 510-385-3988
Fax: 815-327-6544


