

Cisco VPN Client connecting to PIX 515 but no network access?

Posted on 2003-03-02
Medium Priority
Last Modified: 2008-05-15
How can I configure my PIX firewall to correctly accept Cisco VPN Client 3.x connections?
I have no problem authenticating and establishing a tunnel from the VPN client to the PIX, but after that I cannot ping anything from the client PC or access any network web sites.

I have been experimenting with the PIX configs and trying to follow Cisco config examples but have not been able to ping a single host on the network behind the PIX. Currently the IP given to VPN clients is in the same subnet as the PIX firewall and the hosts behind the firewall...my 202... subnet. I have also tried using 10.x.x.x subnets but these did not work either.

I also have not been able to access any LAN resources from the VPN client. Even though Allow LAN access is checked on the client, it shows up as "inactive" in the tunnel.

Shouldn't I even be able to ping the PIX itself after establishing a tunnel?

Running PIX version 6.22 and using the latest version of VPN Client from Cisco.

Question by:japandan

Expert Comment

ID: 8052559
Do you have a no_nat (nat zero) acl?

I always use a separate IP subnet for the VPN users.

Here's a snippet of my working config:

access-list NO_NAT permit ip

ip local pool VPNPool

nat (inside) 0 access-list NO_NAT

vpngroup GROUP address-pool VPNPool

You can't ping the inside interface of the PIX, even with the VPN open. You can only ping a host on the inside.


Author Comment

ID: 8054416
I have tried it with the No_nat ACL, one that I PDM generated.  My latest config was also generated by PDM VPN Wizard but since the subnet is the same as the server subnet, there is no NO_NAT.

I will try it again as you suggested using a 10.xxx for my VPN clients.  

When I configure using the VPN wizard, it asks if I want the clients to connect to the outside or inside interface.
I select outside but the servers are on the inside. Is this correct? It didn't even let me establish a tunnel when I tried "inside".

Here are my relevant configs..

#The inside202 range contains my servers
#The pix internal IP is also in the inside202 subnet
access-list NO_NAT permit ip inside202 vpnclients
#PDM added the one below..
access-list NO_NAT permit ip any vpnclients
access-list outside_cryptomap_dyn_40 permit ip any vpnclients

nat (inside) 0 access-list NO_NAT

sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
# The PDM likes to put this match address in but I don't
# know why. It's working now, but sometimes I cannot get
# a tunnel when it is there.
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
#There is no initiate/respond in here but I may put it in
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn address-pool VPNPOOL
vpngroup vpn dns-server dns
vpngroup vpn wins-server printers
vpngroup vpn default-domain mydomain.edu
vpngroup vpn idle-time 1800
vpngroup vpn password ********

Expert Comment

ID: 8054456
Yes, connect to outside interface, it's the only one with public ip

Keep this line, but you could change it a bit
access-list outside_cryptomap_dyn_40 permit ip any vpnclients
access-list outside_cryptomap_dyn_40 permit ip inside202 vpnclients
## you have different masks on vpnclients here. Make sure it is correct and is the same as the no_nat acl

and this one.
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40


Author Comment

ID: 8065645
Still no luck. When the VPN clients are authenticated from the outside interface, are they outside the PIX or inside? That is, do I have to define route statements or access lists so they can have access to servers inside?

I cannot ping any server outside or inside the PIX. When a VPN client comes in with one of these 10.xxx addresses, how can a PIX route them since the subnet is different?


Accepted Solution

lrmoore earned 200 total points
ID: 8065885
What is the default gateway IP for your inside systems? If it is not the inside interface of the PIX, if it is another router, then that router needs to have a static route entry to point traffic to the 10.xxx VPN clients over to the inside IP of the PIX.


Author Comment

ID: 8072061
I was able to get it working finally on both of my PIXes.
I am not sure what finally clicked. I did need the NO_NAT as you suggested.

In one case the gateway IP was the pix so that was easiest.  

I am still curious as to why my IP does not change when I try checking it on web servers behind the firewall.  Though I can ping from the servers to my virtual IP.
Also, I thought traceroutes would appear to work from inside the pix outward.  Guess I will play some more.

Wondering too how to send a notification message to the VPN client from the pix.

Thank You for your help!


Author Comment

ID: 8072075
The dynamic list should have a value of 40.
Ensure the NO_NAT statement is there.
The clients are actually outside the firewall even though they have virtual 10.x.x.x IPs.
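
The two checks this thread converges on (a nat 0 ACL that covers the VPN pool, and the same client network and mask in the crypto-map ACL), as an added example that is not from any of the posters: a Python audit of a PIX 6.x config. The sample config, its placeholder addresses and the function names `acl_destinations` and `audit` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in PIX 6.x syntax; every address is a placeholder.
SAMPLE = """\
access-list NO_NAT permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 10.10.10.0 255.255.255.128
ip local pool VPNPOOL 10.10.10.1-10.10.10.254
nat (inside) 0 access-list NO_NAT
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
vpngroup vpn address-pool VPNPOOL
"""

def acl_destinations(config, name):
    """Destination networks of the 'permit ip' entries in one ACL.
    Assumes each address is 'any' or 'network mask' (no 'host', no names)."""
    dests = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:4] != ["access-list", name, "permit", "ip"]:
            continue
        dst = tok[5:] if tok[4] == "any" else tok[6:]  # skip the source
        dests.append(ipaddress.ip_network(
            "0.0.0.0/0" if dst[0] == "any" else f"{dst[0]}/{dst[1]}"))
    return dests

def audit(config):
    """Return findings for the NAT-exemption and crypto ACL checks."""
    def find(pattern):
        m = re.search(pattern, config, re.M)
        return m.groups() if m else None
    group_pool = find(r"^vpngroup \S+ address-pool (\S+)")
    pool = group_pool and find(
        rf"^ip local pool {re.escape(group_pool[0])} ([\d.]+)-([\d.]+)")
    if not pool:
        return ["vpngroup address-pool does not name a defined ip local pool"]
    first, last = (ipaddress.ip_address(a) for a in pool)
    covers = lambda nets: any(first in n and last in n for n in nets)
    nat0 = find(r"^nat \(inside\) 0 access-list (\S+)")
    crypto = find(r"^crypto dynamic-map \S+ \d+ match address (\S+)")
    nat_dests = acl_destinations(config, nat0[0]) if nat0 else []
    findings = []
    if not covers(nat_dests):
        findings.append("nat 0 ACL does not cover the VPN pool")
    if crypto:
        crypto_dests = acl_destinations(config, crypto[0])
        if not covers(crypto_dests):
            findings.append("crypto ACL does not cover the VPN pool")
        if set(crypto_dests) != set(nat_dests):
            findings.append("crypto ACL and nat 0 ACL use different client networks")
    return findings
```

On the constructed sample, `audit(SAMPLE)` reports the mask mismatch between the two ACLs; changing the crypto ACL mask to 255.255.255.0 clears both findings.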
