PIX VPN - unable to access remote network after connect

I am able to connect via VPN client, but go no further.
I have not had problems at 10 other sites; the only difference here is this Comcast SMC cable modem/router (small business connection), though I will never rule out config mistakes.


Internet --->  SMC Cable router ---> PIX ---> LAN

subnet between Cable router & PIX is 172.16.1.x
LAN subnet is 192.168.1.x

I believe I am passing all traffic from the cheesy cable router through to the PIX (as you might think, the config options are limited).
I am mapping ports to an internal mail server.
There are no LAN or internet access issues.

 : Saved
 PIX Version 6.3(5)
 interface ethernet0 auto
 interface ethernet1 auto
 nameif ethernet0 outside security0
 nameif ethernet1 inside security100
 enable password X0h2.pTd5q5kBMWT encrypted
 passwd oc9JQ.Zyj.5tHB/R encrypted
 hostname pixfirewall
 domain-name ciscopix.com
 fixup protocol dns maximum-length 512
 fixup protocol ftp 21
 fixup protocol h323 h225 1720
 fixup protocol h323 ras 1718-1719
 fixup protocol http 80
 fixup protocol rsh 514
 fixup protocol rtsp 554
 fixup protocol sip 5060
 fixup protocol sip udp 5060
 fixup protocol skinny 2000
 fixup protocol smtp 25
 fixup protocol sqlnet 1521
 fixup protocol tftp 69
 names
 access-list split permit
 access-list inside_outbound_nat0_acl permit ip any
 access-list InboundACL permit tcp any host
 pager lines 24
 icmp deny any outside
 mtu outside 1500
 mtu inside 1500
 ip address outside
 ip address inside
 ip audit info action alarm
 ip audit attack action alarm
 ip local pool vpnpool
 pdm location inside
 pdm logging informational 100
 pdm history enable
 arp timeout 14400
 global (outside) 1 interface
 nat (inside) 0 access-list inside_outbound_nat0_acl
 nat (inside) 1 0 0
 static (inside,outside) netmask 0 0
 access-group InboundACL in interface outside
 route outside 1
 timeout xlate 0:05:00
 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
 timeout sip-disconnect 0:02:00 sip-invite 0:03:00
 timeout uauth 0:05:00 absolute
 aaa-server TACACS+ protocol tacacs+
 aaa-server TACACS+ max-failed-attempts 3
 aaa-server TACACS+ deadtime 10
 aaa-server RADIUS protocol radius
 aaa-server RADIUS max-failed-attempts 3
 aaa-server RADIUS deadtime 10
 aaa-server LOCAL protocol local
 http server enable
 http inside
 no snmp-server location
 no snmp-server contact
 snmp-server community public
 no snmp-server enable traps
 floodguard enable
 crypto ipsec transform-set myset esp-des esp-md5-hmac
 crypto dynamic-map dymap 100 set transform-set myset
 crypto map mymap 100 ipsec-isakmp dynamic dymap
 crypto map mymap interface outside
 isakmp enable outside
 isakmp key ******** address netmask
 isakmp identity address
 isakmp client configuration address-pool local vpnpool outside
 isakmp nat-traversal 20
 isakmp policy 10 authentication pre-share
 isakmp policy 10 encryption des
 isakmp policy 10 hash md5
 isakmp policy 10 group 2
 isakmp policy 10 lifetime 86400
 vpngroup vpn01 address-pool vpnpool
 vpngroup vpn01 dns-server
 vpngroup vpn01 default-domain MW.local
 vpngroup vpn01 split-tunnel split
 vpngroup vpn01 idle-time 1800
 vpngroup vpn01 password ********
 telnet inside
 telnet timeout 5
 ssh timeout 5
 console timeout 0
 dhcpd lease 3600
 dhcpd ping_timeout 750
 dhcpd auto_config outside
 terminal width 80
 : end
stressedout2004 Commented:
Try adding the following line:

sysopt connection permit-ipsec

I don't see it in the configuration. Try it and let us know.
artthegeek (Author) Commented:
I should add -
The company has only one public IP here.
The public MX (mail) record points to the cable router's public ip & is then mapped from there to the outside pix interface, which in turn maps to the server (as you can see from the config).
I have had similar issues trying to use an IPSec Tunnel using the Cisco client to a PIX over SBC Yahoo DSL. Yahoo claims their home "modem" does not support AH or ESP protocols. You might want to verify this with Comcast before spending any more cycles on this.



The problem is that you are using same IP subnet for both internal and vpn clients. They really need to be two distinct networks:

>ip address inside
>ip local pool vpnpool

Because then, this acl makes no sense:
>access-list inside_outbound_nat0_acl permit ip any

Try this:

 ip local pool vpnpool2
 no access-list inside_outbound_nat0_acl
 access-list inside_outbound_nat0_acl permit ip
 nat (inside) 0 access-list inside_outbound_nat0_acl
 vpngroup vpn01 address-pool vpnpool2

artthegeek (Author) Commented:
L -
Unfortunately, no go, but thanks for the reminder.

One thing: I can get into the mail server via RDP using the address (the subnet between the PIX and the router) after connecting via VPN, but not the (local LAN inside the PIX) address.

artthegeek (Author) Commented:
That's it! Thank you.
Now the big question: why?
artthegeek (Author) Commented:
I answer my own question:

Because all inbound sessions must be explicitly permitted by an access list or a conduit, the sysopt connection permit-ipsec command is used to permit all inbound IPSec authenticated cipher sessions.
Yup, right on the money.
Good catch, stressedout2004!
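The thread ends up with three checks that a PIX 6.3 remote-access VPN config has to pass: the client pool must not overlap the inside subnet, the nat 0 access list must exempt inside-to-pool traffic from NAT, and sysopt connection permit-ipsec must be present so the decrypted sessions are not dropped by the outside access-group. The script below is an added example, not code from anyone in the thread; it audits a saved config for exactly those three points. The two config excerpts and every IP address in them are constructed (the original post had its addresses stripped), and the only state it inspects is the handful of commands the thread discussed.

```python
import ipaddress
import re

# Constructed PIX 6.3 excerpt reproducing the thread's two faults: the VPN
# pool lives inside the LAN subnet, and sysopt connection permit-ipsec is missing.
BAD_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpnpool 192.168.1.200-192.168.1.220
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
vpngroup vpn01 address-pool vpnpool
"""

# Constructed corrected excerpt: a distinct pool, a nat 0 ACL that names
# inside -> pool explicitly, and the sysopt line stressedout2004 suggested.
GOOD_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpnpool2 192.168.50.1-192.168.50.50
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
vpngroup vpn01 address-pool vpnpool2
sysopt connection permit-ipsec
"""


def _addr_spec(tokens):
    """Consume one PIX ACL address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def audit_vpn_config(cfg):
    """Return a list of findings (empty means the three checks all pass)."""
    inside, pools, nat0_acl, acls, vpn_pool, has_sysopt = None, {}, None, {}, None, False
    for line in (l.strip() for l in cfg.splitlines() if l.strip()):
        if m := re.match(r"ip address inside (\S+) (\S+)$", line):
            inside = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            nat0_acl = m[1]
        elif m := re.match(r"access-list (\S+) permit ip (.+)$", line):
            src, rest = _addr_spec(m[2].split())
            dst, _ = _addr_spec(rest)
            acls.setdefault(m[1], []).append((src, dst))
        elif m := re.match(r"vpngroup \S+ address-pool (\S+)$", line):
            vpn_pool = m[1]
        elif line == "sysopt connection permit-ipsec":
            has_sysopt = True

    findings = []
    if inside is None:
        findings.append("inside interface address not found")
    if vpn_pool not in pools:
        findings.append(f"vpngroup references undefined pool {vpn_pool!r}")
    else:
        first, last = pools[vpn_pool]
        # Check 1: the pool must be a network distinct from the LAN behind the PIX.
        if inside is not None and (first in inside or last in inside):
            findings.append(f"pool {vpn_pool} overlaps inside subnet {inside}")
        # Check 2: some nat 0 entry must exempt traffic toward the whole pool.
        entries = acls.get(nat0_acl, []) if nat0_acl else []
        covered = any(first in dst and last in dst and (inside is None or inside.subnet_of(src) or inside == src)
                      for src, dst in entries)
        if not covered:
            findings.append("nat 0 access list does not exempt inside -> pool traffic")
    # Check 3: without this, decrypted client sessions still need an inbound ACL hit.
    if not has_sysopt:
        findings.append("sysopt connection permit-ipsec is missing")
    return findings


if __name__ == "__main__":
    for name, cfg in (("BAD", BAD_CONFIG), ("GOOD", GOOD_CONFIG)):
        print(name, audit_vpn_config(cfg) or ["ok"])
```

The ACL coverage test is deliberately loose: it accepts a source of any (as in the thread's original line) because the PIX still matches it, but the overlap check fires first, which is the same order the answers arrived in.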