

Client vpn help (along with existing pix-pix vpn)

Posted on 2006-05-08
Medium Priority
Last Modified: 2013-11-16
I am currently trying to configure a VPN client so that it can connect from the outside into my local lan.

Again, the configuration is set up as follows:
VPN client -> Pix -> rtr -> local lan

At the moment, I have a PIX -> PIX PTP VPN configured and running.

I can connect my VPN client from the outside with no problems.

I can ping the "outside" interface of the router, but if I try to ping something on my local lan (192.168.0.x) from my VPN'd client nothing seems to pass through. My first thought was that it is a NATting issue on the router, but I can't seem to get it to work.

From my local lan I can ping the VPN'd client.

Below are my configs:

hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000

!Used for Pix-pix vpn - this is functioning fine.
access-list 199 permit ip
access-list 199 permit ip
access-list 199 permit ip
access-list 199 permit udp any any eq isakmp
access-list 199 permit esp any any
access-list 199 permit ah any any
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp any any time-exceeded
access-list 199 permit icmp any any unreachable
access-list 199 permit tcp any any eq www
access-list 199 permit gre host host

!This is the ip pool for my vpn clients
access-list 199 permit ip any
access-list 199 permit udp any
access-list 199 permit tcp any
access-list 102 permit gre host host
access-list 102 permit ip
access-list 102 permit ip
access-list 102 permit ip

!No Nat for VPN
access-list 101 permit gre host host
access-list 101 permit ip
access-list 101 permit ip
access-list 101 permit ip
access-list 101 permit ip

pager lines 24
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 10full shutdown
interface ethernet5 10full shutdown
mtu outside 1500
mtu inside 1500
mtu local 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 66.9.177.xxx

!This is the range of my local private subnet
ip address inside

!this is the range for my router subnet
ip address local
ip address intf3
ip address intf4
ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside
failover ip address inside
failover ip address local
failover ip address intf3
failover ip address intf4
failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
nat (local) 0 access-list 101
nat (local) 1 0 0
static (inside,outside) netmask 0 0
access-group 199 in interface outside
route outside 66.9.177.xxx 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
snmp-server host inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set cmeset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set cmeset
crypto map cmevpn 10 ipsec-isakmp dynamic dynmap
crypto map cmevpn 20 ipsec-isakmp
crypto map cmevpn 20 match address 102
crypto map cmevpn 20 set peer
crypto map cmevpn 20 set transform-set cmeset
crypto map cmevpn interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash md5
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server
vpngroup vpn3000 wins-server
vpngroup vpn3000 default-domain xxx.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet inside
telnet timeout 60


Building configuration...

Current configuration : 3133 bytes
! Last configuration change at 09:53:38 CDT Mon May 8 2006
! NVRAM config last updated at 09:41:44 CDT Mon May 8 2006
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service dhcp
hostname rhoroutervpn
boot system flash
logging buffered 8192 debugging
no logging console

clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
ip multicast-routing
ip cef
isdn switch-type basic-ni
call rsvp-sync
interface Loopback0
ip address
interface Tunnel0
ip address
ip pim sparse-mode
tunnel source
tunnel destination
interface FastEthernet0/0
description connection to local LAN
ip address
no ip redirects
ip nat inside
ip route-cache flow
speed 100
interface FastEthernet0/1
description connection to Intellispace router
ip address
no ip redirects
ip accounting output-packets
ip nat outside
ip pim sparse-mode
ip route-cache flow
load-interval 30
speed 100

ip nat inside source route-map route101 interface FastEthernet0/1 overload
ip classless
ip route
ip route Tunnel0
ip flow-export version 5
ip flow-export destination 9996
no ip http server
ip pim rp-address
ip mroute Tunnel0
access-list 111 permit ip any any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
route-map route101 permit 20
match ip address 111

line con 0
line aux 0
line vty 0 4
exec-timeout 19 59
ntp clock-period 17179996
ntp server
ntp server
Question by:jkeazirian

Accepted Solution

stressedout2004 earned 1000 total points
ID: 16636243
You are missing the NAT 0 for the inside interface. Just add the commands below and you should be able to reach the 192.168.0.x network from the VPN Client.

access-list 103 permit ip
nat (inside) 0 access-list 103
clear xlate

Also, although not related to your issue, the following route is incorrect.

route inside 1

If you want to reach the router's loopback address from the inside network, that route should be:

route inside

Or if you want to get to it from the DMZ ("local" interface), then it should be:

route local
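
The check behind the accepted answer, as an added example that is not part of the original thread or of any Cisco tool: a small Python linter that reads a PIX 6.x style config, finds every inside-side interface whose subnet-to-client-pool traffic is not covered by a `nat (iface) 0 access-list` exemption, and emits the lines that close the gap. The embedded configs are constructed, modelled on the posted one; every address in them (192.168.0.0/24 for inside, 172.16.1.0/24 for the "local" interface, the 10.10.10.1-50 pool, the 203.0.113.1 outside address) and the ACL number 103 are assumptions, since the post redacts them.

```python
"""Lint a PIX 6.x style config for VPN-client NAT exemption (nat 0).

Added example, not from the thread. A VPN client's pool address must be
exempted from dynamic NAT/PAT on every interface it needs to reach;
otherwise replies from that subnet are PATed to the outside address and
never match the client's IPsec SA.
"""
import ipaddress
import re

# Constructed sample modelled on the posted config; all addresses are
# assumptions. Only the "local" interface has a nat 0 exemption.
BEFORE = """\
ip address outside 203.0.113.1 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip address local 172.16.1.1 255.255.255.0
ip local pool ippool 10.10.10.1-10.10.10.50
access-list 101 permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 1 0 0
nat (local) 0 access-list 101
nat (local) 1 0 0
"""

# Same config after the fix the answer describes (ACL 103 is an assumption).
AFTER = BEFORE + """\
access-list 103 permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list 103
"""


def _addr(tokens, i):
    """Consume one PIX address operand: 'any', 'host A', or 'A MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pull out interface subnets, client pools, 'permit ip' ACEs and nat 0 bindings."""
    cfg = {"interfaces": {}, "pools": {}, "acls": {}, "nat0": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if t[:2] == ["ip", "address"] and len(t) == 5:
            cfg["interfaces"][t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"] and "-" in t[4]:
            first, last = t[4].split("-")
            cfg["pools"][t[3]] = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        else:
            m = re.fullmatch(r"nat \((\S+)\) 0 access-list (\S+)", line)
            if m:
                cfg["nat0"][m.group(1)] = m.group(2)
    return cfg


def missing_exemptions(text, skip=("outside",)):
    """Return (interface, pool) pairs whose subnet->pool traffic is not NAT-exempt."""
    cfg = parse_config(text)
    gaps = []
    for iface, net in cfg["interfaces"].items():
        if iface in skip:
            continue
        aces = cfg["acls"].get(cfg["nat0"].get(iface), [])
        for pool, pool_nets in cfg["pools"].items():
            covered = all(
                any(s.supernet_of(net) and d.supernet_of(p) for s, d in aces)
                for p in pool_nets)
            if not covered:
                gaps.append((iface, pool))
    return gaps


def covering_net(nets):
    """Smallest single prefix that contains every network in nets."""
    net = nets[0]
    last = nets[-1].broadcast_address
    while last not in net:
        net = net.supernet()
    return net


def suggest_fix(text, acl_id="103"):
    """PIX lines that close each gap (acl_id is the number the answer used; assumed)."""
    cfg = parse_config(text)
    lines = []
    for iface, pool in missing_exemptions(text):
        local = cfg["interfaces"][iface]
        remote = covering_net(cfg["pools"][pool])
        lines.append(f"access-list {acl_id} permit ip {local.network_address} "
                     f"{local.netmask} {remote.network_address} {remote.netmask}")
        lines.append(f"nat ({iface}) 0 access-list {acl_id}")
    if lines:
        lines.append("clear xlate")  # existing translations must be flushed
    return lines


if __name__ == "__main__":
    print("gaps before fix:", missing_exemptions(BEFORE))
    print("\n".join(suggest_fix(BEFORE)))
    print("gaps after fix:", missing_exemptions(AFTER))
```

On the PIX itself the equivalent check is `show xlate` after a client ping: a translation for the 192.168.0.x host appearing against the outside address means the reply was PATed instead of exempted. Note that `sysopt connection permit-ipsec` in the posted config lets decrypted IPsec traffic bypass the outside interface ACL, so ACL 199 is not where this flow is being dropped; the NAT exemption is.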


Author Comment

ID: 16638891
Good catch stressedout.  I spent a good 45 minutes trying to solve that before you helped me out.  I am disappointed I didn't notice it.

