cisco pix vpn setup

I just created the following config on our PIX 515 for VPN connections. I get connected using the Cisco VPN client v4.0.4,
but I cannot ping any hosts via IP address. Can someone point me in the right direction? I'm sure someone out there has run into this. If you need the rest of the config, let me know. Thanks.

ip local pool vpn_client
access-list no_nat_vpn permit ip any
nat (inside) 0 access-list no_nat_vpn

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp enable outside
isakmp identity address

sysopt connection permit-ipsec
access-list cryptomap_acl permit ip any

crypto ipsec transform-set vpnClient esp-des esp-md5-hmac
crypto dynamic-map dyn_map 10 set transform-set vpnClient
crypto map vpn_map 10 ipsec-isakmp dynamic dyn_map
crypto dynamic-map dyn_map 10 match address cryptomap_acl
crypto map vpn_map interface outside

vpngroup remote_group address-pool vpn_client
vpngroup remote_group dns-server
vpngroup remote_group default-domain
vpngroup remote_group idle-time 3600
vpngroup remote_group password #######

vpngroup remote_group split-tunnel no_nat_vpn

>vpngroup remote_group dns-server
  This seems to indicate that your LAN behind the PIX is 192.168.1.x, is this correct?  If so, you're hitting a routing loop.  Cisco, unlike other VPN implementations, requires the VPN client pool to be *different* than the inside LAN(s) behind your PIX, & it *must* be different than the LAN in which the remote client resides.

  Run in this order:
clear crypto ipsec sa
clear crypto isakmp sa
no crypto map vpn_map interface outside
no vpngroup remote_group address-pool vpn_client
no ip local pool vpn_client
ip local pool vpn_client
access-list no_nat_vpn permit ip
access-list split_acl permit ip
no access-list no_nat_vpn permit ip any
no crypto dynamic-map dyn_map 10 match address cryptomap_acl
no access-list cryptomap_acl
vpngroup remote_group address-pool vpn_client
vpngroup remote_group split-tunnel split_acl
crypto map vpn_map interface outside
isakmp nat-traversal  <-- if PIX is 6.3 series, run this
clear xlate

Notes: Yes, you need 2 identical ACLs, 1 for 'nat 0' & 1 for split-tunneling. ACLs used for VPN must be specific - don't use "permit ip any".  Beware that 192.168.1.x is one of the world's most common subnets for SOHO networks, so you'll end up either forcing VPN users to change their home LAN's IP scheme, or changing the IP scheme behind the PIX.
  If at all possible, upgrade the VPN client(s) to 4.8 series; v4.0.4 shouldn't be used if the clients are XP SP2.
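As an added check (not code from the thread or from Cisco), the following Python script applies the three rules from the answer above to a PIX config: the client pool must not overlap the inside LAN, the VPN ACLs must not use "permit ip any", and the nat 0 and split-tunnel ACLs must carry the same entries. The config fragments and addresses below are constructed for illustration; the asker's real subnets are not shown in the thread.

```python
import ipaddress
import re

# Constructed PIX 6.x config fragments (not from the thread). The broken case
# puts the client pool inside the 192.168.1.0/24 LAN and uses "any" in the ACL.
BROKEN_CFG = """
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpn_client 192.168.1.200-192.168.1.220
access-list no_nat_vpn permit ip any 192.168.1.192 255.255.255.224
nat (inside) 0 access-list no_nat_vpn
vpngroup remote_group split-tunnel no_nat_vpn
"""
# The fixed case: separate pool subnet, specific ACLs, one ACL each for nat 0
# and split-tunneling with identical entries.
FIXED_CFG = """
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpn_client 192.168.100.1-192.168.100.50
access-list no_nat_vpn permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.192
access-list split_acl permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.192
nat (inside) 0 access-list no_nat_vpn
vpngroup remote_group split-tunnel split_acl
"""

def check_pix_vpn(cfg):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    inside = re.search(r"^ip address inside (\S+) (\S+)", cfg, re.M)
    pool = re.search(r"^ip local pool \S+ (\S+)-(\S+)", cfg, re.M)
    lan = ipaddress.ip_network(f"{inside[1]}/{inside[2]}", strict=False)
    first, last = ipaddress.ip_address(pool[1]), ipaddress.ip_address(pool[2])
    # Check 1: pool must be a different subnet than the inside LAN (routing loop otherwise)
    if first in lan or last in lan:
        findings.append("pool overlaps inside LAN")
    # Collect "permit ip" entries per ACL name
    acls = {}
    for name, rest in re.findall(r"^access-list (\S+) permit ip (.+)$", cfg, re.M):
        acls.setdefault(name, []).append(rest.split())
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)[1]
    split = re.search(r"^vpngroup \S+ split-tunnel (\S+)", cfg, re.M)[1]
    # Check 2: ACLs used for VPN must be specific, never "any"
    for name in sorted({nat0, split}):
        if any("any" in entry for entry in acls.get(name, [])):
            findings.append(f"ACL {name} uses 'any'")
    # Check 3: nat 0 and split-tunnel ACLs must match entry for entry
    if acls.get(nat0) != acls.get(split):
        findings.append("nat 0 and split-tunnel ACLs differ")
    return findings
```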


Gary Cutri (Data & Communications Specialist) commented:
I wouldn't recommend configuring split-tunneling as it's a potential security risk.  For example, the VPN client machine might be a Windows XP machine on a home LAN or hotel LAN and has a single Ethernet adapter installed in it. The Windows XP machine has a valid address on that network and connects to the corporate network through the VPN connectoid in the Network Connections window. At this point, any host that sets its default gateway to the IP address of the Windows XP computer can now access the corporate network resources.
Agree with you garycutri on the security risks of split-tunneling.  But the reality is, most users get irate when they can't surf the web or check personal email while connected to VPN.
  rxn6057: all you can do is warn management of the risks, & let them decide. Which they'll no doubt decide "Do it anyway".

cheers all
You need to add a rule to the firewall that lets the VPN IP address pool send and receive echo and echo-reply packets to whatever IP address you want to ping.
ngravatt: Actually no.  The "permit ip..." statements in the ACLs are also allowing ICMP traffic.  I've deployed many PIX VPNs like this - it works.
