Another PIX problem

Posted on 2003-02-25
Medium Priority
Last Modified: 2010-03-19
I am having a nightmare with this issue.

Clients running Cisco VPN Client Version 3 are having problems with IP connectivity once a tunnel is established. I have checked the routes and they seem OK.

That leaves ACLs, but I have the sysopt connection permit ipsec command on the PIX. This command is supposed to allow IPSEC traffic to bypass ACLs, right??

I tried to replicate the issue on my network. The VPN client connects, but there is no IP connectivity; when I used the new sysopt ipsec pl-compatible command, IP connectivity was OK, suggesting again that at least on my network routing is fine.

VPN connection + IP connectivity should work without this sexy command, sysopt ipsec pl-compatible. I don't want to deploy this command on customers' networks because it bypasses the PIX ASA, etc.

Everyone, any suggestions?

Frustrated Chrisi
Question by:chrisi_uk
LVL 79

Expert Comment

ID: 8016330
What version PIX OS? 6.x?
Yes, sysopt permit ipsec bypasses ACLs, but not NAT. sysopt pl-compatible bypasses NAT and the ASA.
To get around it, you need to use a nat 0 setup, for example:

inside LAN =
VPN IPpool =

access-list no_nat permit ip
nat (inside)0 access-list no_nat


Author Comment

ID: 8017769
Thanks lrmoore,

I am using ver 6.1(2) and I already have the nat 0 implemented. Below is my config:
: Saved
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list dmzinbound permit icmp any host
access-list dmzinbound permit tcp any host
access-list dmzinbound permit udp any host
access-list nonat permit ip
access-list inbound permit ip host host
access-list inbound permit tcp host host eq 3389
pager lines 24
logging on
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
interface ethernet2 10full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside
ip address inside
ip address dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside
failover ip address inside
failover ip address dmz
pdm history enable
arp timeout 14400
global (outside) 1
global (outside) 2
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
nat (dmz) 2 0 0
static (dmz,outside) netmask 0 0
static (inside,outside) netmask 0 0
access-group dmzinbound in interface dmz
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AuthInBound protocol tacacs+
aaa-server AuthInBound (inside) host cisco timeout 10
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map mymap 20 set transform-set myset
crypto map chris 20 ipsec-isakmp dynamic mymap
crypto map chris client configuration address initiate
crypto map chris client configuration address respond
crypto map chris interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3 address-pool ippool
vpngroup vpn3 idle-time 1800
vpngroup vpn3 password ********
telnet timeout 5
ssh timeout 5
terminal width 80
: end

LVL 79

Accepted Solution

lrmoore earned 800 total points
ID: 8018206
>ip address dmz

I hope you don't have anything connected to this interface..

>access-list nonat permit ip

Part of the problem may be that your IPPOOL for VPN is a subset of the local LAN includes addresses through and could be why you have routing issues, but not a problem establishing the connection.
I like to set up the VPN ippool as a totally separate subnet, say That way, the no_nat ACL makes sense.
Also, the VPN client's local LAN interface cannot be on the same network.

I also don't see this command in your config. It is mandatory:

sysopt connection permit-ipsec
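The two expert comments above point at three things to verify in a PIX 6.x config before blaming routing: the nat 0 exemption ACL covers the inside LAN to VPN pool traffic, the VPN pool is a separate subnet from the inside interface network, and sysopt connection permit-ipsec is present. The following script is an added example, not code from the original thread, from lrmoore, or from Cisco; it is a small config checker that parses those statements out of a saved PIX config and reports which of the three conditions fail. The two config fragments embedded in it are constructed with placeholder RFC 1918 addresses, since the addresses in the original post are not preserved; the statement syntax is the PIX 6.x syntax shown on this page.

```python
import ipaddress
import re

# Constructed PIX 6.x fragment reproducing the symptoms discussed in the thread:
# pool carved out of the inside LAN and no sysopt connection permit-ipsec.
# Placeholder addresses, not the addresses from the original post.
BROKEN_CONFIG = """\
ip address inside 10.1.1.1 255.255.255.0
ip local pool ippool 10.1.1.200-10.1.1.220
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.1.192 255.255.255.224
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
"""

# Same fragment with the pool moved to its own subnet and the sysopt added (constructed).
FIXED_CONFIG = """\
ip address inside 10.1.1.1 255.255.255.0
ip local pool ippool 192.168.100.1-192.168.100.254
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
sysopt connection permit-ipsec
"""

RE_INSIDE = re.compile(r"^ip address inside (\S+) (\S+)$")
RE_POOL = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
RE_ACL = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
RE_NAT0 = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
SYSOPT = "sysopt connection permit-ipsec"


def parse_config(text):
    """Pull out only the statements the VPN-client data path depends on."""
    cfg = {"inside": None, "pool": None, "acls": {}, "nat0_acl": None, "sysopt": False}
    for line in text.splitlines():
        line = line.strip()
        if m := RE_INSIDE.match(line):
            cfg["inside"] = ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False)
        elif m := RE_POOL.match(line):
            cfg["pool"] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
        elif m := RE_ACL.match(line):
            src = ipaddress.IPv4Network(f"{m[2]}/{m[3]}", strict=False)
            dst = ipaddress.IPv4Network(f"{m[4]}/{m[5]}", strict=False)
            cfg["acls"].setdefault(m[1], []).append((src, dst))
        elif m := RE_NAT0.match(line):
            cfg["nat0_acl"] = m[1]
        elif line == SYSOPT:
            cfg["sysopt"] = True
    return cfg


def pool_overlaps(net, pool):
    """True if any address of the pool range falls inside the interface network."""
    start, end = pool
    return start in net or end in net or (
        start <= net.network_address and net.broadcast_address <= end
    )


def check_vpn_config(text):
    """Return a list of findings; an empty list means all three checks pass."""
    cfg = parse_config(text)
    findings = []
    if not cfg["sysopt"]:
        findings.append(f"missing '{SYSOPT}': interface ACLs still apply to decrypted VPN traffic")
    if cfg["inside"] and cfg["pool"] and pool_overlaps(cfg["inside"], cfg["pool"]):
        findings.append(
            f"VPN pool {cfg['pool'][0]}-{cfg['pool'][1]} overlaps inside network {cfg['inside']}"
        )
    if cfg["inside"] and cfg["pool"]:
        start, end = cfg["pool"]
        # The nat 0 ACL must carry an entry from the inside LAN to the whole pool.
        covered = any(
            cfg["inside"].subnet_of(src) and start in dst and end in dst
            for src, dst in cfg["acls"].get(cfg["nat0_acl"], [])
        )
        if not covered:
            findings.append("no 'nat (inside) 0 access-list' entry exempts inside -> VPN pool traffic from NAT")
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {check_vpn_config(text) or ['OK']}")
```

The checker deliberately ignores everything else in the config (fixups, crypto maps, isakmp policy), because in this thread the tunnel itself came up fine; the failures it reports are the ones that show up only after the tunnel is established.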



LVL 79

Expert Comment

ID: 8035168
How's it going, Chris, any luck?

Expert Comment

ID: 9153397
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
Post your closing recommendations!  No comment means you don't care.
LVL 79

Expert Comment

ID: 9162802
RECOMMENDATION: Points awarded to: lrmoore
