PIX 501 - VPN Connection Fails, no entries in logs when VPN connection is attempted

Hi. I have done a quick search before posting but can't find any posts with a similar problem. I have a PIX 501 connected to a Cisco 837 Router. I've configured the PIX as per the config below to allow remote users to VPN into the network (Cisco 837 config also below). Currently the firewall is using PAT with all clients behind one IP address, and in terms of normal connectivity all internal clients can access the internet as required. When I test a VPN connection from outside our network to the PIX, the client appears to be trying to connect, but there are no entries in the PIX logs to show a client attempting to connect, or failing to connect. Eventually the client times out and displays an error that the PIX isn't responding. I thought the 837 router may have been blocking the connection, but as with the PIX, there are no log entries showing the VPN connection being blocked. The 837 is configured to block illegal internet addresses and restrict unwanted ICMP, but no other filtering takes place at the router.

Can anyone suggest what I'm doing wrong? Have I misconfigured the PIX?

Network Details
837 Router IP: 217.xxx.xxx.65
PIX External IP: 217.xxx.xxx.72
PIX Internal IP:
Internal Clients:
VPN Clients:
VPN Settings: AES 256 with SHA and DH Group 5

Cisco VPN Client Version 4.0.1

Thanks for any help,

: Saved
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

enable password [password] encrypted
passwd [encrypted] encrypted
hostname pixfirewall

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

access-list inside_outbound_nat0_acl permit ip

pager lines 24
logging on
logging trap informational
logging host inside 6/1468
mtu outside 1500
mtu inside 1500

ip address outside 217.xxx.xxx.72
ip address inside

ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1
pdm history enable
arp timeout 14400

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
global (outside) 1 interface

route outside 217.xxx.xxx.65 1
route inside 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

no http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set ESP-AES-256-SHA
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside

isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400

vpngroup test address-pool vpnpool1
vpngroup test dns-server
vpngroup test wins-server
vpngroup test split-tunnel inside_outbound_nat0_acl
vpngroup test idle-time 1800
vpngroup test password [password]

telnet timeout 5
ssh inside
ssh timeout 5
console timeout 0
terminal width 80

banner login Access to this device is only permitted by authorised users.
banner login All Access to this device is logged and monitored.
: end

Cisco 837 Router Configuration:
version 12.3
! IP and network services section
! Default Disabled Services, still disabled
no service config
no service tcp-small-servers
no service udp-small-servers
no boot network
! Default Enabled Services, now disabled
no cdp run
no ip bootp server
no ip domain lookup
no ip finger
no service finger
no ip http server
no ip http secure-server
no ip source-route
no service pad
! Default Disabled Services, now enabled
ip cef
! Service Configurations
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
enable secret 5 [password]
ip subnet-zero
! SNMP Section - SNMP Disabled
no snmp-server community public RO
no snmp-server community admin RW
no snmp-server enable traps
no snmp-server system-shutdown
no snmp-server trap-auth
no snmp-server
hostname R1
! Logging Options
logging trap information
logging xxx.xxx.xxx.xxx
logging facility local0
logging source-interface Ethernet0
logging source-interface Dialer0
! Console
no logging console
! AAA Settings
aaa new-model
username [username] password 7 [password]
ip ssh time-out 60
ip ssh authentication-retries 2
! Access Lists
! SSH Access List
access-list 50 permit xxx.xxx.xxx.xxx
access-list 50 deny any log
! Internet-In Access List (Dialer0 In)
ip access-list extended Internet-in
 ! Host Local Loop Back Address
  deny   ip   any log
 ! Land Attack Protection
  deny   ip    host 217.xxx.xxx.65 host 217.xxx.xxx.65  log
 ! RFC-1918 Private Network Addresses
 ! AND IP Address Spoof Protection - deny internal addresses
  deny   ip     any log
  deny   ip    any log
  deny   ip   any log
  deny   ip   any log
 ! Documentation/Test Network
  deny   ip       any log
 ! DHCP Local Link Address
  deny   ip   any log
 ! IP Multicast Address Range
  deny   ip  any log
 ! Smurf Attack Protection
  deny   ip    any  host 217.xxx.241.64      log
  deny   ip    any  host 217.xxx.241.79      log
  deny   ip    host      any log
 ! ICMP Types and Traceroute
  permit icmp  any 217.xxx.xxx.65 echo-reply  
  permit icmp  any 217.xxx.xxx.65 ttl-exceeded
  permit icmp  any 217.xxx.xxx.65 net-unreachable
  permit icmp  any 217.xxx.xxx.65 host-unreachable
  permit icmp  any 217.xxx.xxx.65 port-unreachable
  permit icmp  any 217.xxx.xxx.65 packet-too-big
  permit icmp  any 217.xxx.xxx.65 administratively-prohibited
  permit icmp  any 217.xxx.xxx.65 source-quench
  deny   icmp  any                       any log
 ! Allow ANY Remaining Data to Allocated Subnet
  permit ip    any 217.xxx.xxx.64
 ! Deny ANY Remaining Data
  deny   ip  any                         any log
  deny   tcp any                         any log
  deny   udp any                         any log
! Internet-Out Access List (Ethernet0 In)
ip access-list extended Ethernet-in
  ! Deny illegal, unused, reserved, DHCP Local Link destination IP addresses
   deny   ip  any   log
   deny   ip  any   log
   deny   ip  any   log
   deny   ip  any    log
   deny   ip  any     log
   deny   ip  any  log
   deny   ip  any     log
  ! Allow All Outgoing Data from Allocated Subnet
   permit ip   217.xxx.xxx.64    any
  ! Deny Any Remaining Data
   deny   ip    any                       any log
! Router Interfaces
interface ATM0
 description ADSL Service
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 no ip proxy-arp
 no ip redirect
 no ip unreachables
 no atm auto-configuration
 no atm ilmi-keepalive
 no atm address-registration
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 dsl operating-mode auto
interface Dialer0
 description ADSL Service
 ip unnumbered Ethernet0
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname [username]@[isp].co.uk
 ppp chap password 7 [password]
 no cdp enable
 no ip directed-broadcast
 no ip mask-reply
 no ip mroute-cache
 no ip proxy-arp
 no ip redirect
 no ip unreachables
 !  Applied Access List(s)
 ip access-group Internet-in in
ip route Dialer0
interface Ethernet0
 ip address 217.xxx.xxx.65
 no cdp enable
 no ip directed-broadcast
 no ip mask-reply
 no ip mroute-cache
 no ip proxy-arp
 no ip redirect
 no ip unreachables
 !  Applied Access List(s)
 ip access-group Ethernet-in in
interface loopback0
 description Loopback interface for service bindings
 no ip proxy-arp
 no ip directed-broadcast
 no ip unreachable
 no ip redirect
! Serial Port
line con 0
 password 7 [password]
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
! Aux Port Access
line aux 0
 exec-timeout 0 1
 no exec
 transport input none
! SSH/Telnet Access
line vty 0 4
! ip access-group RouterSSH-in in
! access-class 105 in
 access-class 50 in
 transport input ssh
lrmoore Commented:
I don't see a line like this in your PIX:
  access-list outside_cryptomap_dyn_10 permit ip
  crypto dynamic-map map2 10 match address outside_cryptomap_dyn_10

Even though this requires the exact same access-list, it is suggested that you use two different acls:
>vpngroup test split-tunnel inside_outbound_nat0_acl

Instead, use:
access-list split-tunnel-acl permit ip any
  or, if you want to restrict split-tunneling:
access-list split-tunnel-acl permit ip
vpngroup test split-tunnel split-tunnel-acl

You see three separate instances of acl reference, all with identical acls, but you need to create three separate acls, not reference the same one multiple times.
  nat 0 acl
  split-tunnel acl
  dynamic tunnel map match acl

If you still can't get it to work, remove the acls from the router interfaces while you are troubleshooting.
_Stu_ (Author) Commented:
Hi lrmoore. Thanks for the quick reply. So just to check, I need to add the following entries:

  access-list outside_cryptomap_dyn_10 permit ip
  crypto dynamic-map map2 10 match address outside_cryptomap_dyn_10

  access-list split-tunnel-acl permit ip
  vpngroup test split-tunnel split-tunnel-acl

With the existing entry of:

  access-list inside_outbound_nat0_acl permit ip
  nat (inside) 0 access-list inside_outbound_nat0_acl

If you don't mind me asking, could you explain why the second crypto dynamic command is required and what it does compared with the  ?

Also, I don't want to allow split-tunneling for any VPN client because they will already be connecting in from the internet. The ACL you've suggested for split-tunneling, does that only allow access to the internet network?

Sorry for the questions, I'm still not 100% up on Cisco commands, but getting there :) I followed the instructions on the Cisco site on the link below, which is why I'm confused about the problems:


Thanks again,
Sorry for the extended delay in answering.
These two lines don't show up in the example in that link, but I took them from my (working) config. The VPN Wizard apparently created them:
>  access-list outside_cryptomap_dyn_10 permit ip
>  crypto dynamic-map map2 10 match address outside_cryptomap_dyn_10

I know the link shows using the same acl for both the nat 0 and the split-tunnel, but there are several cases where this has shown to cause problems. The convention is to use independent acls for different processes.

If you do not want to permit split-tunneling while clients are connected (most secure, but clients hate it), then simply leave off the split-tunnel command, and the related acls:
   no vpngroup test split-tunnel split-tunnel-acl
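As an added offline check (my own Python, not anything posted in this thread or from Cisco), the script below parses a PIX 6.3-style config and flags the two points lrmoore raises above: a crypto dynamic-map with no match address ACL, and one ACL shared between the nat 0, split-tunnel and dynamic-map consumers. Both sample configs and their RFC 5737 addresses are constructed to mirror the posted PIX, before and after the advice.

```python
import re

# Constructed sample (RFC 5737 placeholder addresses) mirroring the posted PIX: one ACL shared by nat 0 and split-tunnel, no match address.
SHARED_ACL_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map map2 10 set transform-set ESP-AES-256-SHA
vpngroup test split-tunnel inside_outbound_nat0_acl
"""
# The same config after applying lrmoore's advice: three independent ACLs.
SEPARATE_ACL_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list outside_cryptomap_dyn_10 permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list split-tunnel-acl permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map map2 10 set transform-set ESP-AES-256-SHA
crypto dynamic-map map2 10 match address outside_cryptomap_dyn_10
vpngroup test split-tunnel split-tunnel-acl
"""

# The three ACL consumers named in the thread, each with a regex capturing the ACL name.
CONSUMERS = {
    "nat 0": re.compile(r"^nat \(\S+\) 0 access-list (\S+)"),
    "split-tunnel": re.compile(r"^vpngroup \S+ split-tunnel (\S+)"),
    "dynamic-map match": re.compile(r"^crypto dynamic-map \S+ \d+ match address (\S+)"),
}
DYNMAP_RE = re.compile(r"^crypto dynamic-map \S+ \d+ set transform-set")

def acl_references(config):
    """Map each consumer role to the ACL it references (None if the line is absent)."""
    refs = {role: None for role in CONSUMERS}
    for line in map(str.strip, config.splitlines()):
        for role, pattern in CONSUMERS.items():
            if m := pattern.match(line):
                refs[role] = m.group(1)  # a later line overrides an earlier one, as on the PIX
    return refs

def audit(config):
    """Return findings; an empty list means the config follows the advice in the thread."""
    refs = acl_references(config)
    findings = []
    if any(DYNMAP_RE.match(l.strip()) for l in config.splitlines()) and refs["dynamic-map match"] is None:
        findings.append("crypto dynamic-map has no 'match address' ACL")
    first_user = {}  # ACL name -> first role seen using it
    for role, name in refs.items():
        if name in first_user:
            findings.append(f"ACL {name} reused by {first_user[name]} and {role}")
        elif name is not None:
            first_user[name] = role
    return findings
```

Run `audit()` over a `show run` capture to see which of the two findings applies before editing the live config.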

Are you still working on this? Do you need more information?
Can you close out this question?
How's it going? Have you found a solution? Do you need more information?
Can you close this question?


Thanks for attending to this long-forgotten question.
