Question : Vpn tunnel with VPN client works fine, but no internet access anymore
Hello all, I have a PIX 501 firewall at home. I configured a VPN client with the PDM manager, and I am using the Cisco client to access my home PIX 501.
The VPN connection works fine, but I don't have any internet access anymore once the tunnel is up.
There must be something wrong in the route; the config is shown below:

: Saved
: Written by enable_15 at 16:45:34.346 CEST Thu Feb 7 2008
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 10htpePS/vtVvnu7 encrypted
passwd 10htpePS/vtVvnu7 encrypted
hostname MJMSTUDIO-ARNHEM
domain-name mjmstudio.nl
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 20
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.19.4 ROADRUNNER
name 192.168.19.3 ZAXXON
name 192.168.19.10 GOOFY
name 192.168.19.5 ASUS-WL
name 192.168.19.100 DELL1700N
name 192.168.19.0 ArnhemNet
name ***.***.172.15 mjmstudio.nl
access-list acl_inside permit ip any any
access-list acl_inside permit tcp any eq telnet any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any interface outside eq 5900
access-list outside_access_in permit tcp any interface outside eq 5800
access-list outside_access_in permit tcp any interface outside eq ftp-data
access-list outside_access_in permit tcp any interface outside eq ftp
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq 18190
access-list outside_access_in permit tcp any interface outside eq smtp
access-list inside_outbound_nat0_acl permit ip any 192.168.19.128 255.255.255.248
access-list inside_outbound_nat0_acl permit ip ArnhemNet 255.255.255.0 192.168.199.0 255.255.255.128
access-list inside_outbound_nat0_acl permit ip any 192.168.38.96 255.255.255.224
access-list vpnremote_splitTunnelAcl permit ip ArnhemNet 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.38.96 255.255.255.224
access-list mjmstudio_splitTunnelAcl permit ip any any
access-list inbound permit udp any any eq 119
access-list inbound permit tcp any any eq https
access-list inbound permit tcp any any eq nntp
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp retry 4
ip address inside 192.168.19.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.38.100-192.168.38.125
pdm location ZAXXON 255.255.255.255 inside
pdm location GOOFY 255.255.255.255 inside
pdm location ASUS-WL 255.255.255.255 inside
pdm location DELL1700N 255.255.255.255 inside
pdm location ArnhemNet 255.255.255.0 inside
pdm location mjmstudio.nl 255.255.255.255 outside
pdm location ***.***.38.0 255.255.255.0 outside
pdm location 192.168.19.128 255.255.255.248 outside
pdm location 192.168.199.0 255.255.255.128 outside
pdm location 0.0.0.60 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 ZAXXON 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data GOOFY ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp GOOFY ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www ZAXXON www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 ZAXXON 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp ZAXXON smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 mjmstudio.nl 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:00:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http ArnhemNet 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside ZAXXON D:\Cisco
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map_1 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map_1 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map_1 65535 ipsec-isakmp dynamic outside_dyn_map_1
crypto map outside_map_1 interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup mjmstudio address-pool vpnpool
vpngroup mjmstudio dns-server ZAXXON 212.142.28.66
vpngroup mjmstudio wins-server ZAXXON
vpngroup mjmstudio default-domain mjmstudio.nl
vpngroup mjmstudio split-tunnel mjmstudio_splitTunnelAcl
vpngroup mjmstudio idle-time 1800
vpngroup mjmstudio password ********
telnet ***.***.38.0 255.255.255.0 outside
telnet ArnhemNet 255.255.255.0 inside
telnet 0.0.0.60 255.255.255.255 inside
telnet timeout 60
ssh ***.***.***.0 255.255.255.0 outside
ssh ***.***.38.0 255.255.255.0 outside
ssh 0.0.0.60 255.255.255.255 inside
ssh timeout 60
management-access inside
console timeout 0
dhcpd address 192.168.19.90-192.168.19.99 inside
dhcpd dns ZAXXON
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain mjmstudio.nl
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:ebb46f2805a13389f0c8574b34c3e137
MJMSTUDIO-ARNHEM#
Answer : Vpn tunnel with VPN client works fine, but no internet access anymore
* You have access-list 101 as both your NAT0 and your inbound filter. That's not going to work at all.
* The line "nat (inside) 0 access-list 101" says what not to NAT and has to be a host- or network-based ACL. You can't say to permit TCP/80... it has to be all IP from host to host.
Try this:
access-list 102 permit ip 192.168.19.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list 102
* You've also got an IP pool that's not a subnet boundary which may cause problems in the future. Not a big deal, but just remember that 10.1.2.26-255 aren't really usable in this setup.
Let's try that and see what happens.
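The two points the answer makes (the nat 0 exemption ACL must be plain host/network "permit ip" entries, and an address pool that does not sit on a subnet boundary is a latent problem) can be checked mechanically before touching the firewall. The following is an added example, not code from the poster or from Cisco: a small Python checker that reads a flat PIX 6.3-style config, finds the ACL referenced by "nat (inside) 0 access-list", flags entries that are not network-to-network "permit ip", and reports any "ip local pool" whose range is not an aligned block or is not covered by a nat 0 entry. The three sample configs are constructed: one uses the relevant lines from the config in the question, one is a hypothetical "before" with a port-based ACL on nat 0 (the 101 case the answer describes, with a made-up 10.1.2.x pool), and one applies the answer's suggested access-list 102.

```python
"""Added example (not the poster's or Cisco's code): sanity-check the nat 0 ACL
and VPN address pool in a flat PIX 6.3-style configuration."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Keywords that only make sense for a port-qualified (tcp/udp) entry.
PORT_KEYWORDS = {"eq", "neq", "lt", "gt", "range"}


def parse_config(text: str) -> dict:
    """Collect 'name' aliases, ACL entries, the nat 0 ACL reference and local pools."""
    names: Dict[str, str] = {}
    acls: Dict[str, List[str]] = {}
    nat0_acl: Optional[str] = None
    pools: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"name (\S+) (\S+)$", line):
            names[m.group(2)] = m.group(1)          # alias -> IP
        elif m := re.match(r"access-list (\S+) (.+)$", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            nat0_acl = m.group(1)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m.group(1)] = (m.group(2), m.group(3))
    return {"names": names, "acls": acls, "nat0_acl": nat0_acl, "pools": pools}


def _addr(tokens: List[str], i: int, names: Dict[str, str]) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec ('any', 'host X', or 'X MASK') starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(names.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    ip = names.get(tokens[i], tokens[i])              # resolve 'name' aliases
    return ipaddress.ip_network(f"{ip}/{tokens[i + 1]}", strict=False), i + 2


def nat0_findings(cfg: dict) -> List[str]:
    """The nat 0 ACL decides what is NOT translated; every entry must be a plain 'permit ip'."""
    name = cfg["nat0_acl"]
    if name is None:
        return ["no 'nat (inside) 0 access-list' line found"]
    entries = cfg["acls"].get(name, [])
    if not entries:
        return [f"nat 0 references ACL {name}, which has no entries"]
    out = []
    for entry in entries:
        toks = entry.split()
        if toks[:2] != ["permit", "ip"] or PORT_KEYWORDS & set(toks):
            out.append(f"{name}: '{entry}' is not a host/network 'permit ip' entry")
    return out


def covering_block(start: str, end: str) -> Tuple[bool, ipaddress.IPv4Network]:
    """Return (pool_is_on_a_subnet_boundary, smallest network containing the whole pool)."""
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    # An aligned range summarizes to exactly one network.
    aligned = len(list(ipaddress.summarize_address_range(s, e))) == 1
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{s}/{prefix}", strict=False)
        if e in net:
            return aligned, net
    raise ValueError("unreachable: /0 contains every address")


def pool_findings(cfg: dict) -> List[str]:
    """Flag unaligned pools and pools that no nat 0 entry exempts from translation."""
    nat0_dsts = []
    for entry in cfg["acls"].get(cfg["nat0_acl"], []) if cfg["nat0_acl"] else []:
        toks = entry.split()
        if toks[:2] != ["permit", "ip"]:
            continue                                  # already reported by nat0_findings
        _, i = _addr(toks, 2, cfg["names"])
        dst, _ = _addr(toks, i, cfg["names"])
        nat0_dsts.append(dst)
    out = []
    for pool, (start, end) in cfg["pools"].items():
        aligned, block = covering_block(start, end)
        if not aligned:
            out.append(f"pool {pool} {start}-{end} is not on a subnet boundary; "
                       f"enclosing block is {block}")
        if not any(block.subnet_of(d) for d in nat0_dsts):
            out.append(f"pool {pool}: no nat 0 entry exempts traffic to {block}")
    return out


def check(text: str) -> List[str]:
    cfg = parse_config(text)
    return nat0_findings(cfg) + pool_findings(cfg)


# Constructed sample 1: the relevant lines from the config in the question.
PAGE_CONFIG = """
name 192.168.19.0 ArnhemNet
access-list inside_outbound_nat0_acl permit ip any 192.168.19.128 255.255.255.248
access-list inside_outbound_nat0_acl permit ip ArnhemNet 255.255.255.0 192.168.199.0 255.255.255.128
access-list inside_outbound_nat0_acl permit ip any 192.168.38.96 255.255.255.224
access-list mjmstudio_splitTunnelAcl permit ip any any
ip local pool vpnpool 192.168.38.100-192.168.38.125
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# Constructed sample 2: hypothetical 'before' state the answer describes (port ACL on nat 0).
BROKEN_CONFIG = """
access-list 101 permit tcp any any eq www
nat (inside) 0 access-list 101
ip local pool vpnpool 10.1.2.1-10.1.2.25
"""

# Constructed sample 3: the same pool after applying the answer's access-list 102.
FIXED_CONFIG = """
access-list 102 permit ip 192.168.19.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list 102
ip local pool vpnpool 10.1.2.1-10.1.2.25
"""

if __name__ == "__main__":
    for label, cfg_text in [("question", PAGE_CONFIG), ("before", BROKEN_CONFIG), ("after", FIXED_CONFIG)]:
        print(f"== {label} ==")
        for finding in check(cfg_text) or ["no findings"]:
            print("  " + finding)
```

On the question's own lines the checker reports only the pool alignment (192.168.38.100-125 is 26 addresses inside the 192.168.38.96/27 block the nat 0 ACL already exempts); the hypothetical "before" config trips all three checks, and the "after" config keeps only the alignment note, which matches the answer's "not a big deal" remark.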