
Another PIX problem

I am having a nightmare with this issue.

Clients running Cisco VPN Client Version 3 are having problems with IP connectivity once a tunnel is established. I have checked the routes and they seem OK.

That leaves ACLs, but I have the sysopt connection permit-ipsec command on the PIX. This command is supposed to allow IPSEC traffic to bypass ACLs, right??

I tried to replicate the issue on my network. The VPN client connects, but there is no IP connectivity; when I used the new sysopt ipsec pl-compatible, IP connectivity was OK, again suggesting that at least on my network routing is fine.

VPN connection + IP connectivity should work without this sexy command, sysopt ipsec pl-compatible. I don't want to deploy this command on customers' networks because it bypasses the PIX ASA etc.

Everyone, any suggestions?

Frustrated Chrisi
1 Solution
What version PIX OS? 6.x?
Yes, sysopt connection permit-ipsec bypasses ACLs, but not NAT. sysopt ipsec pl-compatible bypasses NAT and the ASA.
To get around it, you need to use a nat 0 setup, example:

inside LAN =
VPN IPpool =

access-list no_nat permit ip
nat (inside)0 access-list no_nat

chrisi_uk (Author) commented:
Thanks lrmoore,

I am using ver 6.1(2) and I already have the nat 0 implemented. Below is my config:

: Saved
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list dmzinbound permit icmp any host
access-list dmzinbound permit tcp any host
access-list dmzinbound permit udp any host
access-list nonat permit ip
access-list inbound permit ip host host
access-list inbound permit tcp host host eq 3389
pager lines 24
logging on
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
interface ethernet2 10full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside
ip address inside
ip address dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside
failover ip address inside
failover ip address dmz
pdm history enable
arp timeout 14400
global (outside) 1
global (outside) 2
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
nat (dmz) 2 0 0
static (dmz,outside) netmask 0 0
static (inside,outside) netmask 0 0
access-group dmzinbound in interface dmz
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AuthInBound protocol tacacs+
aaa-server AuthInBound (inside) host cisco timeout 10
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map mymap 20 set transform-set myset
crypto map chris 20 ipsec-isakmp dynamic mymap
crypto map chris client configuration address initiate
crypto map chris client configuration address respond
crypto map chris interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3 address-pool ippool
vpngroup vpn3 idle-time 1800
vpngroup vpn3 password ********
telnet timeout 5
ssh timeout 5
terminal width 80
: end

>ip address dmz

I hope you don't have anything connected to this interface.

>access-list nonat permit ip

Part of the problem may be that your IPPOOL for VPN is a subset of the local LAN, which includes addresses through , and that could be why you have routing issues but not a problem establishing the connection.
I like to set up the VPN ippool as a totally separate subnet, say . That way, the no_nat ACL makes sense.
Also, the VPN client's local LAN interface cannot be on the same network.

I also don't see this command in your config. It is mandatory:

sysopt connection permit-ipsec
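As an added example (not posted by anyone in this thread), a small Python audit of a PIX 6.x-style config for the three conditions lrmoore raises above: a VPN pool that overlaps the inside LAN, a nat 0 ACL that does not exempt LAN-to-pool traffic, and a missing sysopt connection permit-ipsec. Both config fragments and all addresses are constructed; the "bad" one mirrors the overlap diagnosed in the thread.

```python
import ipaddress
import re

# Constructed PIX 6.x-style fragment (made-up addresses) reproducing the
# thread's problems: the VPN pool sits inside the LAN subnet and
# sysopt connection permit-ipsec is absent.
BAD_CONFIG = """
ip address inside 192.168.1.1 255.255.255.0
ip local pool ippool 192.168.1.200-192.168.1.254
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.1.192 255.255.255.192
nat (inside) 0 access-list nonat
"""

# Constructed corrected fragment: separate pool subnet, nat 0 ACL covers it.
GOOD_CONFIG = """
ip address inside 192.168.1.1 255.255.255.0
ip local pool ippool 192.168.10.1-192.168.10.50
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
"""

def audit_vpn_pool(config):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    m = re.search(r"^ip address inside (\S+) (\S+)", config, re.M)
    inside = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M)
    pool = [ipaddress.ip_address(x) for x in m.groups()]  # first and last address
    # 1. The pool must not overlap the inside LAN, or inside hosts ARP for
    #    VPN clients instead of routing to the PIX.
    if any(p in inside for p in pool):
        findings.append("vpn pool overlaps inside LAN")
    # 2. nat 0 must reference an ACL whose permit line spans LAN -> whole pool;
    #    permit-ipsec skips interface ACLs but not NAT.
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if not m:
        findings.append("no nat (inside) 0 access-list")
    else:
        acl = m.group(1)
        pattern = rf"^access-list {re.escape(acl)} permit ip (\S+) (\S+) (\S+) (\S+)"
        covered = False
        for s_ip, s_mask, d_ip, d_mask in re.findall(pattern, config, re.M):
            src = ipaddress.ip_network(f"{s_ip}/{s_mask}", strict=False)
            dst = ipaddress.ip_network(f"{d_ip}/{d_mask}", strict=False)
            if inside.subnet_of(src) and all(p in dst for p in pool):
                covered = True
        if not covered:
            findings.append(f"acl {acl} does not exempt inside LAN -> whole vpn pool")
    # 3. Without this, decrypted client traffic is still filtered by interface ACLs.
    if not re.search(r"^sysopt connection permit-ipsec", config, re.M):
        findings.append("sysopt connection permit-ipsec missing")
    return findings
```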


How's it going, Chris, any luck?
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
Post your closing recommendations!  No comment means you don't care.
RECOMMENDATION: Points awarded to: lrmoore
