Client vpn help (along with existing pix-pix vpn)

Posted on 2006-05-08
Last Modified: 2013-11-16
I am currently trying to configure a VPN client so that it can connect from the outside into my local LAN.

Again, the configuration is set up as such:
VPN client -> PIX -> rtr -> local LAN

At the moment, I have a PIX -> PIX PTP VPN configured and running.

I can connect my vpn client from the outside with no problems.

I can ping the "outside" interface of the router, but if I try to ping something on my local LAN (192.168.0.x) from my VPN'd client nothing seems to pass through. My first thought was that it is a natting issue on the router, but I can't seem to get it to work.

From my local LAN I can ping the VPN'd client.

Below are my configs:

hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000

!Used for Pix-pix vpn - this is functioning fine.
access-list 199 permit ip
access-list 199 permit ip
access-list 199 permit ip
access-list 199 permit udp any any eq isakmp
access-list 199 permit esp any any
access-list 199 permit ah any any
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp any any time-exceeded
access-list 199 permit icmp any any unreachable
access-list 199 permit tcp any any eq www
access-list 199 permit gre host host

!This is the ip pool for my vpn clients
access-list 199 permit ip any
access-list 199 permit udp any
access-list 199 permit tcp any
access-list 102 permit gre host host
access-list 102 permit ip
access-list 102 permit ip
access-list 102 permit ip

!No Nat for VPN
access-list 101 permit gre host host
access-list 101 permit ip
access-list 101 permit ip
access-list 101 permit ip
access-list 101 permit ip

pager lines 24
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 10full shutdown
interface ethernet5 10full shutdown
mtu outside 1500
mtu inside 1500
mtu local 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside

!This is the range of my local private subnet
ip address inside

!this is the range for my router subnet
ip address local
ip address intf3
ip address intf4
ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside
failover ip address inside
failover ip address local
failover ip address intf3
failover ip address intf4
failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
nat (local) 0 access-list 101
nat (local) 1 0 0
static (inside,outside) netmask 0 0
access-group 199 in interface outside
route outside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
snmp-server host inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set cmeset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set cmeset
crypto map cmevpn 10 ipsec-isakmp dynamic dynmap
crypto map cmevpn 20 ipsec-isakmp
crypto map cmevpn 20 match address 102
crypto map cmevpn 20 set peer
crypto map cmevpn 20 set transform-set cmeset
crypto map cmevpn interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash md5
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server
vpngroup vpn3000 wins-server
vpngroup vpn3000 default-domain
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet inside
telnet timeout 60


Building configuration...

Current configuration : 3133 bytes
! Last configuration change at 09:53:38 CDT Mon May 8 2006
! NVRAM config last updated at 09:41:44 CDT Mon May 8 2006
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service dhcp
hostname rhoroutervpn
boot system flash
logging buffered 8192 debugging
no logging console

clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
ip multicast-routing
ip cef
isdn switch-type basic-ni
call rsvp-sync
interface Loopback0
ip address
interface Tunnel0
ip address
ip pim sparse-mode
tunnel source
tunnel destination
interface FastEthernet0/0
description connection to local LAN
ip address
no ip redirects
ip nat inside
ip route-cache flow
speed 100
interface FastEthernet0/1
description connection to Intellispace router
ip address
no ip redirects
ip accounting output-packets
ip nat outside
ip pim sparse-mode
ip route-cache flow
load-interval 30
speed 100

ip nat inside source route-map route101 interface FastEthernet0/1 overload
ip classless
ip route
ip route Tunnel0
ip flow-export version 5
ip flow-export destination 9996
no ip http server
ip pim rp-address
ip mroute Tunnel0
access-list 111 permit ip any any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
route-map route101 permit 20
match ip address 111

line con 0
line aux 0
line vty 0 4
exec-timeout 19 59
ntp clock-period 17179996
ntp server
ntp server
Question by:jkeazirian

    Accepted Solution

    You are missing the NAT 0 for the inside interface. Just add the commands below and you should be able to reach the 192.168.0.x network from the VPN Client.

    access-list 103 permit ip
    nat (inside) 0 access-list 103
    clear xlate

    Also, although not related to your issue, the following route is incorrect.

    route inside 1

    If you want to reach the router's loopback address from the inside network, that route should be:

    route inside

    Or if you want to get to it from the DMZ ("local" interface), then it should be:

    route local
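
    As an added illustration of the NAT-exemption check in this answer (not code from the original thread), the following Python script parses PIX 6.x-style `nat (iface) 0 access-list` and `access-list ... permit ip` lines and reports which interfaces exempt a given flow from NAT, so a missing `nat (inside) 0` shows up before you go hunting on the router. The sample config and all addresses in it are constructed placeholders, not the poster's real addresses.

```python
import re
from ipaddress import ip_network, ip_address

# Constructed sample in PIX 6.x syntax; addresses are placeholders, not the poster's.
PIX_BEFORE = """
nat (inside) 1 0 0
nat (local) 0 access-list 101
nat (local) 1 0 0
access-list 101 permit ip 10.2.0.0 255.255.255.0 192.168.50.0 255.255.255.0
ip local pool ippool 192.168.50.1-192.168.50.50
"""
# The accepted answer's fix: a nat 0 ACL for the inside interface as well.
PIX_AFTER = PIX_BEFORE + """
access-list 103 permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 103
"""

NAT0_RE = re.compile(r"^nat \((\w+)\) 0 access-list (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) permit ip (.+)$")

def parse_addr(tokens):
    """Consume one PIX address spec (any | host X | net mask) from tokens."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    return ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    """Return ({iface: acl_name}, {acl_name: [(src_net, dst_net), ...]})."""
    nat0, acls = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := ACE_RE.match(line):
            src, rest = parse_addr(m.group(2).split())
            dst, _ = parse_addr(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
    return nat0, acls

def nat_exempt_ifaces(text, src_ip, dst_ip):
    """Interfaces whose nat 0 ACL permits src_ip -> dst_ip, i.e. where the flow bypasses NAT."""
    nat0, acls = parse_config(text)
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return {iface for iface, acl in nat0.items()
            if any(s in src and d in dst for src, dst in acls.get(acl, []))}

if __name__ == "__main__":
    # LAN host 192.168.0.10 replying to VPN client 192.168.50.5
    print(nat_exempt_ifaces(PIX_BEFORE, "192.168.0.10", "192.168.50.5"))  # set()
    print(nat_exempt_ifaces(PIX_AFTER, "192.168.0.10", "192.168.50.5"))   # {'inside'}
```

    An empty set for the inside interface is exactly the symptom in the question: replies from 192.168.0.x get PAT'd to the outside address instead of being returned over the client tunnel.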


    Author Comment

    Good catch stressedout.  I spent a good 45 minutes trying to solve that before you helped me out.  I am disappointed I didn't notice it.

