PIX 515 Multi-Tunnel

Hello everyone!

I have a PIX 515 wich is currently connected to a SonicWall TZ-170. This is working fabulous! I'm trying to add support for the Cisco VPN Client 4.01 into the PIX configuration without disrupting anything related to the SonicWall...

So far everything seems ok except I can't pass traffic to the LAN from the Client software. The client shows packets are sent but none are ever recieved. It connects but nada... I've tried every possible acl combo I can think of and i'm stuck...

Here's the configs! Thanks so much!

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inside_access_in permit ip any any
access-list outside_access_in deny ip any any
access-list pixtosw permit ip
access-list pixtosw permit ip
access-list VPN_splitTunnelAcl permit ip any
pager lines 24
logging console informational
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool Libra-VPN
pdm location inside
pdm location inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list pixtosw
nat (inside) 1 0 0
static (inside,outside) tcp interface telnet telnet netmask 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set strongsha
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosw
crypto map tosonicwall 20 set peer
crypto map tosonicwall 20 set transform-set strongsha
crypto map tosonicwall 30 ipsec-isakmp dynamic dynmap
crypto map tosonicwall interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
vpngroup Libra address-pool Libra-VPN
vpngroup Libra dns-server
vpngroup Libra split-tunnel VPN_splitTunnelAcl
vpngroup Libra idle-time 1800
vpngroup Libra password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username pcsadmin password *********
vpdn username shreveport password *********
terminal width 80
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

I can't see anything wrony myself either. Have you tried a reboot to refresh the VPN?

If you add the following line and some username/password pairs you can have the VPN client prompt for a individuals username when they connect.
crypto map tosonicwall client authentication partnerauth

The two 'vpdn' lines you have are used for the PPTP VPN type so I assume you dont want them in there as there is no other PPTP configuration.
Remove this:
 access-group inside_access_in in interface inside

Since your acl says "permit ip any any" it is not necessary because this is the default behavior

Change this:
  access-list VPN_splitTunnelAcl permit ip any

To this:
  access-list VPN_splitTunnelAcl permit ip

Did you re-apply the crypto map to the interface after adding the dynamic entry?

Just enter this same command again..
  crypto map tosonicwall interface outside
The other issue is that you have both remote subnets in the pixtosw acl, that is applied to both the nat_0 and to the crypto map match statements. The crypto map is trying to send packets destined to the VPN client to the remote sw peer...

>access-list pixtosw permit ip
>access-list pixtosw permit ip

no access-list pixtosw permit ip

access-list nat_zero permit ip
access-list nat_zero permit ip
nat (inside) 0 access-list nat_zero
crypto map tosonicwall 20 match address pixtosw

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
bwoodleyAuthor Commented:
That was exactly it... All so simple now... Thanks for your eyes!

I'll just remember in the future to keep my ACL's as granular as possible!

Thanks Again!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.