

cisco pix vpn setup

Medium Priority
Last Modified: 2012-08-13
I just created the following config on our PIX 515 for VPN connections. I get connected using the Cisco VPN client v4.0.4,
but I cannot ping any hosts via IP address. Can someone point me in the right direction? I'm sure someone out there has run into this. If you need the rest of the config, let me know. Thanks.

ip local pool vpn_client
access-list no_nat_vpn permit ip any
nat (inside) 0 access-list no_nat_vpn

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp enable outside
isakmp identity address

sysopt connection permit-ipsec
access-list cryptomap_acl permit ip any

crypto ipsec transform-set vpnClient esp-des esp-md5-hmac
crypto dynamic-map dyn_map 10 set transform-set vpnClient
crypto map vpn_map 10 ipsec-isakmp dynamic dyn_map
crypto dynamic-map dyn_map 10 match address cryptomap_acl
crypto map vpn_map interface outside

vpngroup remote_group address-pool vpn_client
vpngroup remote_group dns-server
vpngroup remote_group default-domain company.com
vpngroup remote_group idle-time 3600
vpngroup remote_group password #######

vpngroup remote_group split-tunnel no_nat_vpn

>vpngroup remote_group dns-server
This seems to indicate that your LAN behind the PIX is 192.168.1.x, is this correct? If so, you're hitting a routing loop. Cisco, unlike other VPN implementations, requires the VPN client pool to be *different* from the inside LAN(s) behind your PIX, & it *must* be different from the LAN in which the remote client resides.

Run in this order:
clear crypto ipsec sa
clear crypto isakmp sa
no crypto map vpn_map interface outside
no vpngroup remote_group address-pool vpn_client
no ip local pool vpn_client
ip local pool vpn_client
access-list no_nat_vpn permit ip
access-list split_acl permit ip
no access-list no_nat_vpn permit ip any
no crypto dynamic-map dyn_map 10 match address cryptomap_acl
no access-list cryptomap_acl
vpngroup remote_group address-pool vpn_client
vpngroup remote_group split-tunnel split_acl
crypto map vpn_map interface outside
isakmp nat-traversal  <-- if PIX is 6.3 series, run this
clear xlate

Notes: Yes, you need 2 identical ACLs, 1 for 'nat 0' & 1 for split-tunneling. ACLs used for VPN must be specific - don't use "permit ip any". Beware that 192.168.1.x is one of the world's most common subnets for SOHO networks, so you'll end up either forcing VPN users to change their home LAN's IP scheme, or changing the IP scheme behind the PIX.
If at all possible, upgrade the VPN client(s) to 4.8 series; v4.0.4 shouldn't be used if the clients are XP SP2.
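The layout the answer above describes, written out as an added example (not the poster's or the answer's own config) with constructed addresses: the inside LAN is 192.168.1.0/24 as the thread infers, the VPN pool 10.200.200.0/24 is constructed so it overlaps neither that LAN nor a typical home LAN, the DNS server and pre-shared key are placeholders, and lines starting with ! are annotations rather than PIX commands.

```cisco
! Pool for remote clients: deliberately outside 192.168.x.x (constructed range)
ip local pool vpn_client 10.200.200.1-10.200.200.50

! Specific ACL for nat 0: inside LAN <-> VPN pool is exempt from NAT
access-list no_nat_vpn permit ip 192.168.1.0 255.255.255.0 10.200.200.0 255.255.255.0
nat (inside) 0 access-list no_nat_vpn

! Identical ACL for split tunnelling: only 192.168.1.0/24 is sent into the tunnel
access-list split_acl permit ip 192.168.1.0 255.255.255.0 10.200.200.0 255.255.255.0

! Phase 1 policy as used in the thread
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp enable outside
isakmp identity address
! PIX 6.3 only: lets clients behind home NAT routers complete the tunnel
isakmp nat-traversal 20

! Phase 2: dynamic map for clients; no "match address" on the dynamic map
sysopt connection permit-ipsec
crypto ipsec transform-set vpnClient esp-des esp-md5-hmac
crypto dynamic-map dyn_map 10 set transform-set vpnClient
crypto map vpn_map 10 ipsec-isakmp dynamic dyn_map
crypto map vpn_map interface outside

! Client group: pool, DNS (constructed), domain, split tunnel, idle timer, PSK
vpngroup remote_group address-pool vpn_client
vpngroup remote_group dns-server 192.168.1.10
vpngroup remote_group default-domain company.com
vpngroup remote_group split-tunnel split_acl
vpngroup remote_group idle-time 3600
vpngroup remote_group password PLACEHOLDER_PRE_SHARED_KEY
```

Omitting the `split-tunnel` line sends all client traffic through the tunnel, which is the trade-off discussed further down the thread.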


Gary Cutri, Data & Communications Specialist

I wouldn't recommend configuring split-tunneling as it's a potential security risk.  For example, the VPN client machine might be a Windows XP machine on a home LAN or hotel LAN and has a single Ethernet adapter installed in it. The Windows XP machine has a valid address on that network and connects to the corporate network through the VPN connectoid in the Network Connections window. At this point, any host that sets its default gateway to the IP address of the Windows XP computer can now access the corporate network resources.
Agree with you garycutri on the security risks of split-tunneling.  But the reality is, most users get irate when they can't surf the web or check personal email while connected to VPN.
rxn6057: all you can do is warn management of the risks, & let them decide. Which they'll no doubt decide "Do it anyway".

cheers all

you need to add a rule to the firewall that lets the VPN IP address pool send and receive echo and echo-reply packets to whatever IP address you want to ping.
ngravatt: Actually no.  The "permit ip..." statements in the ACLs are also allowing ICMP traffic.  I've deployed many PIX VPNs like this - it works.
