PIX Firewall VPN Server configuration details clarification regarding IP address assignment to remote access Cisco VPN clients

Posted on 2006-06-08
Last Modified: 2010-04-12
Shouldn't the range of IP addresses specified for assignment to Cisco remote access VPN clients (connecting to a PIX515 FW configured as a VPN server), be a group of addresses from the internal LAN network they are attempting to connect to?

Specifically, since our LAN behind the PIX Inside interface is a network shouldn't the "IP Local Pool" command in my PIX config also contain network addresses for assignment to our remote access Cisco VPN clients?

My remote access clients using Cisco VPN Client v4.8.00 can connect to our PIX FW set up as a VPN server but they cannot access any LAN resources, PING any LAN hosts, or browse the Web (and yes the PIX inside interface is the LAN gateway -

I fear I made a mistake using the PIX PDM GUI VPN wizard to try to enable VPN remote access.  I entered the IP addresses - for the "pool of Local IP addresses for VPN clients" and now the show run config has these lines containing IP addresses shown below that I do not understand:

access-list inside_outbound_NAT0_acl permit ip any
access-list inside_outbound_NAT0_acl permit ip

Thanks in advance for any help or pointers - my job does not permit me hours & hours to search out detailed configuration information for the "easily configurable via GUI appliance based firewall solution for SMBs" I made the mistake of purchasing!
Question by:dealvis
LVL 19

Expert Comment

ID: 16870174
hi there

<<Shouldn't the range of IP addresses specified for assignment to Cisco remote access VPN clients (connecting to a PIX515 FW configured as a VPN server), be a group of addresses from the internal LAN network they are attempting to connect to?
No - you should use a different range.  Packets from your inside network going to the vpn pool will not go to the pix as the destination address will be in their own network range - so will not be sent to the default gateway.

If you change your ip pool to for example and your access list to :
access-list inside_outbound_NAT0_acl permit ip
You should be able to access correctly.

If you have any issues - post your config and we can assist



Author Comment

ID: 16872436
TY hth for that very helpful clarification.  I changed all references in the PIX config where appeared to , including the IP pool, NAT0 acl, and both cryptomap acls.

Remote access Cisco VPN clients can still connect successfully, but there is still no more functionality than before the config change (meaning they still can't browse the network or the web or ping LAN ( hosts, etc.)

I noticed the test laptop (remote VPN client) was indeed assigned a IP but the default Subnet Mask rather than the I (thought) I specified in the PIX config statements? Anyway here are most of the key PIX config parameters involved:

access-list Remote_Users_splitTunnelAcl permit ip any

access-list inside_outbound_nat0_acl permit ip any
access-list inside_outbound_nat0_acl permit ip
access-list outside_cryptomap_dyn_20 permit ip any
access-list outside_cryptomap_dyn_40 permit ip any

ip local pool RAUpool

nat (inside) 0 access-list inside_outbound_nat0_acl

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Remote_Users address-pool RAUpool
vpngroup Remote_Users dns-server
vpngroup Remote_Users wins-server
vpngroup Remote_Users default-domain
vpngroup Remote_Users split-tunnel Remote_Users_splitTunnelAcl
vpngroup Remote_Users idle-time 1800
vpngroup Remote_Users password ********

Feedback on obvious errors in the PIX config would be greatly appreciated - Thx!

LVL 11

Expert Comment

ID: 16872743
Are your ACLs taking hits properly?

show access-list and you will see the hits.

The Nat 0 acl tells the PIX what to consider interesting traffic and send down the VPN connection.

You will have to allow icmp to be able to ping if I am not mistaken.


Author Comment

ID: 16874711
Many Thanks to both Experts who responded with assistance.  If you are configuring "Split Tunnel" vpn access you may want to read on...

I gave up and contacted Cisco today and let the Tech in to our PIX.  The problem preventing my Cisco Remote Access VPN Client from connecting to our internal LAN segment ( behind the PIX inside interface [after successfully negotiating an IPsec tunnel to the PIX's outside interface] was this (incorrect) PIX access-list statement in the configuration:

access-list Remote_Users_splitTunnelAcl permit ip any

The Cisco Support Tech changed the destination from "any" to "" (after 20 minutes of searching the PIX config).

So corrected it now looks like this:

access-list Remote_Users_splitTunnelAcl permit ip

The new destination is the network I.D. of the VPN local address pool configured on the PIX:

ip local pool RAUpool mask

Lessons Learned:

Don't use the PIX PDM (Browser based GUI) to configure VPN server settings on the PIX (It was the PDM VPN Wizard that added the problem Split Tunneling entry)  

I am happy that the remote access client can now browse the internal network and web without any issues.

Thanks again ExEx
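The two points this thread settles are that the client pool must be a separate subnet from the inside LAN (hth's first reply) and that the nat 0 and split-tunnel ACLs must name the LAN and that pool explicitly rather than "any" (the Cisco tech's fix). The following added check, which is not from the thread or from Cisco, validates a proposed pool against the inside LAN and renders the PIX 6.x lines in the form the thread ended with; the 192.168.x.x values are constructed placeholders because the page's real addresses were stripped.

```python
import ipaddress

# Constructed sample values (placeholders, not the poster's real networks).
INSIDE_LAN = "192.168.1.0/24"    # network behind the PIX inside interface
VPN_POOL = "192.168.100.0/24"    # separate range handed out to VPN clients


def pool_is_separate(inside_lan: str, vpn_pool: str) -> bool:
    """True when the VPN pool does not overlap the inside LAN.

    If it overlapped, inside hosts would treat VPN clients as on-link and ARP
    for them instead of sending replies to the PIX (their default gateway),
    which is exactly the symptom described in the thread.
    """
    lan = ipaddress.ip_network(inside_lan, strict=True)
    pool = ipaddress.ip_network(vpn_pool, strict=True)
    return not lan.overlaps(pool)


def pix_config(inside_lan: str, vpn_pool: str,
               pool_name: str = "RAUpool", group: str = "Remote_Users") -> list:
    """Render the PIX lines the thread converged on (ACL/group names from the page).

    Raises ValueError instead of emitting a config that cannot route.
    """
    if not pool_is_separate(inside_lan, vpn_pool):
        raise ValueError("VPN pool must not overlap the inside LAN")
    lan = ipaddress.ip_network(inside_lan)
    pool = ipaddress.ip_network(vpn_pool)
    hosts = list(pool.hosts())
    first, last = hosts[0], hosts[-1]
    # PIX ACLs take subnet masks (not wildcard masks): LAN as source, pool as destination.
    lan_to_pool = (f"{lan.network_address} {lan.netmask} "
                   f"{pool.network_address} {pool.netmask}")
    return [
        f"ip local pool {pool_name} {first}-{last} mask {pool.netmask}",
        # nat 0: exempt LAN-to-pool traffic from translation so it enters the tunnel
        f"access-list inside_outbound_nat0_acl permit ip {lan_to_pool}",
        "nat (inside) 0 access-list inside_outbound_nat0_acl",
        # split tunnel: the tech replaced a destination of 'any' with the pool network
        f"access-list {group}_splitTunnelAcl permit ip {lan_to_pool}",
        f"vpngroup {group} address-pool {pool_name}",
        f"vpngroup {group} split-tunnel {group}_splitTunnelAcl",
    ]


if __name__ == "__main__":
    print("\n".join(pix_config(INSIDE_LAN, VPN_POOL)))
```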


Accepted Solution

CetusMOD earned 0 total points
ID: 17064261
PAQed with points refunded (125)

Community Support Moderator
