# PIX 515 Remote Access VPN Connectivity



## qwaven (Nov 22, 2007)

Hello,

I am running a PIX 515 and I am having trouble getting the remote access VPN to work properly. 

I can connect to the PIX from an external source but...

Problems:

1. I notice the gateway or routes assigned to the VPN client do not exist. How can I set this or make it work properly?

2. I am unable to browse any internal network, and the only way I can access the internet is with Split-Tunneling enabled, which is not what I want as it just uses the remote client's internet. 


What I want the VPN to do:

Allow VPN users full access to all internal network resources and have the VPN remote access client make use of the firewall's internet as opposed to its own. 

Below I have posted my configuration for the PIX and the routes that I see on the client side.

I will also note I am using OBSD SSH as a test for access from the VPN. Normally without the VPN access works fine. 

PIX CONFIGURATION:


```
:
PIX Version 7.2(1) 
!
hostname firewall
domain-name firewall.com
enable password hjhVds8qp9x?q9hg4876 encrypted
names
!
interface Ethernet0
 nameif OUTSIDE
 security-level 0
 pppoe client vpdn group internet
 ip address pppoe setroute 
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.35.2 255.255.255.0 
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 76henbdgr7,376oNARE encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
dns server-group DefaultDNS
 domain-name firewall.com
access-list OUTSIDE_access_in remark SSH TO OBSD STARTED
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq www log notifications 
access-list VPN_splitTunnelAcl standard permit 192.168.35.0 255.255.255.0 
access-list VPN_splitTunnelAcl standard permit 10.200.50.0 255.255.255.0 
access-list VPN_splitTunnelAcl standard permit 10.200.51.0 255.255.255.0 
access-list VPN_splitTunnelAcl standard permit 10.200.52.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.35.0 255.255.255.0 10.200.53.0 255.255.255.224 
access-list inside_nat0_outbound extended permit ip 10.200.50.0 255.255.255.0 10.200.53.0 255.255.255.224 
access-list inside_nat0_outbound extended permit ip 10.200.51.0 255.255.255.0 10.200.53.0 255.255.255.224 
access-list inside_nat0_outbound extended permit ip 10.200.52.0 255.255.255.0 10.200.53.0 255.255.255.224 
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu inside 1500
ip local pool VPNPOOL 10.200.53.10-10.200.53.20 mask 255.255.255.0
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (OUTSIDE) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,OUTSIDE) tcp interface www 192.168.35.1 ssh netmask 255.255.255.255 
access-group OUTSIDE_access_in in interface OUTSIDE
route inside 10.200.50.0 255.255.255.0 192.168.35.1 1
route inside 10.200.51.0 255.255.255.0 192.168.35.1 1
route inside 10.200.52.0 255.255.255.0 192.168.35.1 1
route inside 172.16.25.0 255.255.255.0 192.168.35.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy VPN internal
group-policy VPN attributes
 dns-server value 199.35.32.11
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
username user1 password HwKK8FJf7kptiidf87 encrypted privilege 0
username user1 attributes
 vpn-group-policy VPN
http server enable
http 192.168.35.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map OUTSIDE_dyn_map 20 set pfs 
crypto dynamic-map OUTSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 20 set reverse-route
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic OUTSIDE_dyn_map
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group VPN type ipsec-ra
tunnel-group VPN general-attributes
 address-pool VPNPOOL
 default-group-policy VPN
tunnel-group VPN ipsec-attributes
 pre-shared-key ****
vpn-sessiondb max-session-limit 2
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group internet request dialout pppoe
vpdn group internet localname ***************
vpdn group internet ppp authentication pap
vpdn username ************ password ********* 
dhcpd address 192.168.35.3-192.168.35.254 inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:42c5fd53f3fa15czze43933h0aucc9743
: end
```

VPN CLIENT INFO


```
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.200.53.1    10.200.53.10	  1
      10.200.53.0    255.255.255.0     10.200.53.10    10.200.53.10	  20
     10.200.53.10  255.255.255.255        127.0.0.1       127.0.0.1	  20
   10.255.255.255  255.255.255.255     10.200.53.10    10.200.53.10	  20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1	  1
      172.16.25.0    255.255.255.0     172.16.25.30    172.16.25.30	  20
      172.16.25.0    255.255.255.0      10.200.53.1    10.200.53.10	  20
      172.16.25.2  255.255.255.255     172.16.25.30    172.16.25.30	  1
     172.16.25.30  255.255.255.255        127.0.0.1       127.0.0.1	  20
   172.16.255.255  255.255.255.255     172.16.25.30    172.16.25.30	  20
   199.10.20.12  255.255.255.255      172.16.25.2    172.16.25.30	  1
        224.0.0.0        240.0.0.0     10.200.53.10    10.200.53.10	  20
        224.0.0.0        240.0.0.0     172.16.25.30    172.16.25.30	  20
  255.255.255.255  255.255.255.255     10.200.53.10               2	  1
  255.255.255.255  255.255.255.255     10.200.53.10    10.200.53.10	  1
  255.255.255.255  255.255.255.255     172.16.25.30    172.16.25.30	  1
Default Gateway:       10.200.53.1
===========================================================================
```


```
        Connection-specific DNS Suffix  . : 
        Description . . . . . . . . . . . : Cisco Systems VPN Adapter
        Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.200.53.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.200.53.1
        DNS Servers . . . . . . . . . . . : 199.35.32.11
```

I would prefer to be able to use the GUI/web access but I can also input CLI if needed. 

Anyway, your help would be greatly appreciated. 

Thanks!
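Problem 1 above (no routes for the internal networks on the client) can be checked directly from the `route print` table the poster included, by doing what Windows does: longest-prefix match, then lowest metric. The script below is an added example, not the poster's code or anything from Cisco; it embeds the posted route table as constructed input, assumes `10.200.53.10` is the only tunnel adapter address (`VPN_IF`, taken from the ipconfig output), and takes the internal subnets (`INTERNAL_NETS`) from the `VPN_splitTunnelAcl` lines of the PIX config. It reports, for any destination, which route carries it and whether that route leaves on the tunnel adapter, and flags destinations where two equal-length, equal-metric routes exit on different adapters.

```python
"""Work out which destinations a Cisco VPN client actually sends into the
tunnel, from a Windows 'route print' table.  Added example for this thread
(not the poster's own code).  ROUTE_PRINT is constructed from the table the
poster included; VPN_IF and INTERNAL_NETS are assumptions taken from the
ipconfig output and the VPN_splitTunnelAcl entries in the PIX config."""
import ipaddress
from dataclasses import dataclass

# Constructed from the client route table posted in the thread.
ROUTE_PRINT = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.200.53.1    10.200.53.10   1
      10.200.53.0    255.255.255.0     10.200.53.10    10.200.53.10   20
     10.200.53.10  255.255.255.255        127.0.0.1       127.0.0.1   20
   10.255.255.255  255.255.255.255     10.200.53.10    10.200.53.10   20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1   1
      172.16.25.0    255.255.255.0     172.16.25.30    172.16.25.30   20
      172.16.25.0    255.255.255.0      10.200.53.1    10.200.53.10   20
      172.16.25.2  255.255.255.255     172.16.25.30    172.16.25.30   1
     172.16.25.30  255.255.255.255        127.0.0.1       127.0.0.1   20
   172.16.255.255  255.255.255.255     172.16.25.30    172.16.25.30   20
     199.10.20.12  255.255.255.255      172.16.25.2    172.16.25.30   1
        224.0.0.0        240.0.0.0     10.200.53.10    10.200.53.10   20
        224.0.0.0        240.0.0.0     172.16.25.30    172.16.25.30   20
  255.255.255.255  255.255.255.255     10.200.53.10               2   1
  255.255.255.255  255.255.255.255     10.200.53.10    10.200.53.10   1
  255.255.255.255  255.255.255.255     172.16.25.30    172.16.25.30   1
Default Gateway:       10.200.53.1
"""
VPN_IF = "10.200.53.10"  # assumed: the tunnel adapter address from ipconfig
# assumed: the PIX-side subnets, copied from the VPN_splitTunnelAcl entries
INTERNAL_NETS = ["192.168.35.0/24", "10.200.50.0/24", "10.200.51.0/24", "10.200.52.0/24"]


@dataclass
class Route:
    net: ipaddress.IPv4Network
    gateway: str
    iface: str
    metric: int


def parse_routes(text):
    """Parse the 'Active Routes' rows.  Header and footer lines are skipped
    because they do not have five fields or do not parse as addresses."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False)
            ipaddress.IPv4Address(parts[2])  # gateway must be an address
            metric = int(parts[4])
        except ValueError:
            continue
        routes.append(Route(net, parts[2], parts[3], metric))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, lowest metric wins.  Returns (route, ambiguous);
    ambiguous is True when routes of equal prefix length and equal metric
    leave on different adapters, a tie the OS resolves silently."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if dst in r.net]
    if not matches:
        return None, False
    longest = max(r.net.prefixlen for r in matches)
    best = [r for r in matches if r.net.prefixlen == longest]
    best.sort(key=lambda r: r.metric)  # stable sort: table order breaks ties
    tied_ifaces = {r.iface for r in best if r.metric == best[0].metric}
    return best[0], len(tied_ifaces) > 1


def via_tunnel(routes, dst, vpn_if=VPN_IF):
    """True when the winning route for dst exits on the tunnel adapter."""
    route, _ = lookup(routes, dst)
    return route is not None and route.iface == vpn_if


def internal_paths(routes, nets=INTERNAL_NETS):
    """For each PIX-side subnet, which client route would carry it?  A value
    of '0.0.0.0/0' means no specific route exists and the subnet only gets
    into the tunnel because the default route points there."""
    out = {}
    for n in nets:
        net = ipaddress.IPv4Network(n)
        route, _ = lookup(routes, str(net.network_address + 1))
        out[n] = str(route.net) if route else None
    return out


def tunnel_report(routes, vpn_if=VPN_IF):
    """Summary: does the default route sit on the tunnel adapter, and which
    prefixes the tunnel adapter carries at all."""
    return {
        "default_via_tunnel": any(r.net.prefixlen == 0 and r.iface == vpn_if for r in routes),
        "tunnel_prefixes": sorted(str(r.net) for r in routes if r.iface == vpn_if),
    }


if __name__ == "__main__":
    rt = parse_routes(ROUTE_PRINT)
    for dst in ("192.168.35.1", "8.8.8.8", "172.16.25.5", "199.10.20.12"):
        route, ambiguous = lookup(rt, dst)
        print(f"{dst:>14} -> {route.net} via {route.gateway} on {route.iface}"
              f"{'  (ambiguous)' if ambiguous else ''}")
    print(internal_paths(rt))
    print(tunnel_report(rt))
```

Run against the posted table, this shows three things a practitioner would want confirmed before touching the PIX: the default route is already on the tunnel adapter, so the client is pushing everything (internet included) to the PIX; none of the internal subnets has a specific route and they only reach the tunnel through that default; and 172.16.25.0/24 (the client's own LAN) is present on both adapters with the same metric, which is worth knowing when LAN-side access behaves oddly while connected.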


----------



## IT Helpp (Apr 7, 2008)

If you have "Use Default Gateway On Remote Network" unchecked on the client side, your easiest solution will be to create a HOSTS file with the appropriate server IPs and install it on the client side.


----------



## qwaven (Nov 22, 2007)

Hi thanks for replying.

I am not sure what you mean by "If you have 'Use Default Gateway On Remote Network' unchecked". I see no option. 

Surely there is a way I can get the VPN to provide all necessary information rather than a HOSTS file. I don't want to have to rely on that should I not be connecting from the same PC or something. 

Please let me know 
Thanks


----------



## IT Helpp (Apr 7, 2008)

Actually, in your case you need to make sure the Gateway Box is checked. Also, make sure that you are using DHCP and the computer is registered in the server DNS after the connection is established.

http://www.ithelpp.com/freesupport/vpn_gateway.htm


----------



## qwaven (Nov 22, 2007)

Hi,

I'm using Cisco VPN, not Windows. 

Also, isn't there a way I can set up the PIX to not require an internal DNS server? Surely there is a way to specify the gateway, etc.?

Is there any step by step guide relevant to my situation? 

Anyway please let me know.
Thanks


----------

