Cisco VPN Client connecting to PIX 515 but no network access?

Posted on 2003-03-02
Medium Priority
Last Modified: 2008-05-15
How can I configure my PIX firewall to correctly accept Cisco VPN Client 3.x connections?
I have no problem authenticating and establishing a tunnel from the VPNclient to the PIX but after that, I cannot ping anything from the client PC or access any network web sites.

I have been experimenting with the PIX configs and trying to follow cisco config examples but have not been able to ping a single host on the network behind the pix.   Currently the IP given to VPN clients is in the same subnet as the pix firewall and the hosts behind the firewall...my 202... subnet.  I have also tried using 10.x.x.x subnets but these did not work either.  

I also have not been able to access any LAN resources from the VPN client. Even though Allow lan access is checked on the client, it shows up as "inactive" in the tunnel.  

Shouldnt I even be able to ping the PIX itself after establishing a tunnel?

Running Pix  version 6.22  and using the latest version of VPNClient from Cisco.

Question by:japandan
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 79

Expert Comment

ID: 8052559
Do you have a no_nat (nat zero) acl?

I always use a separate  IP subnet for the vpn users.

Here's a snippit of my working config:

access-list NO_NAT permit ip

ip local pool VPNPool

nat (inside) 0 access-list NO_NAT

vpngroup GROUP address-pool VPNPool

You can't ping the inside interface of the PIX, even with the VPN open. you can only ping a host on the inside.


Author Comment

ID: 8054416
I have tried it with the No_nat ACL, one that I PDM generated.  My latest config was also generated by PDM VPN Wizard but since the subnet is the same as the server subnet, there is no NO_NAT.

I will try it again as you suggested using a 10.xxx for my VPN clients.  

When I configure using the VPN wizard, it asks if I want the clients to connect to the outside or inside interface.
I select outside but the servers are on the inside. Is this correct?  It didnt even let me establish a tunnel when I tried "inside".

Here are my relevant configs..

#The inside202 range contains my servers
#The pix internal IP is also in the inside202 subnet
access-list NO_NAT permit ip inside202 vpnclients
#PDM added the one below..
access-list NO_NAT permit ip any vpnclients
access-list outside_cryptomap_dyn_40 permit ip any vpnclients

nat (inside) 0 access-list NO_NAT

sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
# The PDM likes to put this match address in but I don't
# know why. Its working now, but sometimes I cannot get
# a tunnel when it is there.
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
#There is no initiate/respond in here but I may put it in
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn address-pool VPNPOOL
vpngroup vpn dns-server dns
vpngroup vpn wins-server printers
vpngroup vpn default-domain mydomain.edu
vpngroup vpn idle-time 1800
vpngroup vpn password ********
LVL 79

Expert Comment

ID: 8054456
Yes, connect to outside interface, it's the only one with public ip

Keep this line, but you could change it a bit
access-list outside_cryptomap_dyn_40 permit ip any vpnclients
access-list outside_cryptomap_dyn_40 permit ip inside202 vpnclients
## you have different masks on vpnclients here. Make sure it is correct and is the same as the no_nat acl

and this one.
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 8065645
still no luck.  When the VPNclients are authenticated from the outside interface, are they outside the pix or inside?  That is, do I have to define route statements or access lists so they can have access to servers inside?

I cannot ping any server outside or inside the pix.  When a vpn client comes in with one of these 10.xxx addresses, how can a pix route them since the subnet is different?

LVL 79

Accepted Solution

lrmoore earned 200 total points
ID: 8065885
What is the default gateway ip for your inside sytems? If it is not the inside interface of the PIX, if it is another router, then that router needs to have a static route entry to point traffic to the 10.xxx vpn clients over to the inside ip of the pix.


Author Comment

ID: 8072061
I was able to get it working finally on both of my pixs.
I am not sure what finally clicked.  I did need the NO_NAT as you suggested.  

In one case the gateway IP was the pix so that was easiest.  

I am still curious as to why my IP does not change when I try checking it on web servers behind the firewall.  Though I can ping from the servers to my virtual IP.
Also, I thought traceroutes would appear to work from inside the pix outward.  Guess I will play some more.

Wondering too how to send a notification message to the VPN client from the pix.

Thank You for your help!


Author Comment

ID: 8072075
The dynamic list should have a value of 40.
Ensure the NO_NAT statement is there.
The clients are actually outside the firewall even though they have virtual 10.x.x.x IPs.

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Using Windows 2008 RRAS, I was able to successfully VPN into the network, but I was having problems restricting my test user from accessing certain things on the network.  I used Google in order to try to find out how to stop people from accessing c…
Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wirele…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question