Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


PIX 515E only connects through firewall to public address

Posted on 2006-06-27
Medium Priority
Last Modified: 2013-11-16
The following is the config. I have several issues.

1) I can connect to the VPN no problem. I can remote desktop to the separate servers, but can only connect using the public IP address. Shouldn't I be able to connect using the internal address?

2) The client where I have connected through the VPN can't browse the internet.

99.999.x.x represents the public IP range.

Building configuration...
: Saved
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
enable password ESXy/N53AGN.9NRk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list outside_access_in permit tcp any host 99.999.253.133 range 700 701
access-list outside_access_in permit tcp any host 99.999.253.133 eq 1024
access-list outside_access_in permit tcp any host 99.999.253.136 eq www
access-list outside_access_in permit tcp any eq ftp host 99.999.253.136 eq ftp
access-list outside_access_in permit tcp any host 99.999.253.134 eq www
access-list outside_access_in deny ip any any
access-list outside_cryptomap_dyn_20 permit ip any
access-list inside_access_in permit tcp any any
pager lines 24
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside 99.999.253.131
ip address inside
ip address intf2
ip address intf3
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside
failover ip address inside
failover ip address intf2
failover ip address intf3
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) 99.999.253.133 netmask 0 0
static (inside,outside) 99.999.253.134 netmask 0 0
static (inside,outside) 99.999.253.135 netmask 0 0
static (inside,outside) 99.999.253.136 netmask 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 99.999.253.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server source outside
ntp server source outside
ntp server source outside prefer
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn address-pool VPNPool
vpngroup vpn dns-server
vpngroup vpn idle-time 1800
vpngroup vpn password ********
telnet timeout 5
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local VPNPool
vpdn group PPTP-VPDN-GROUP client configuration dns
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username vpn password *********
vpdn enable outside
vpdn enable inside
dhcpd address inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
: end

Question by:Atlanta_Mike
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 32

Accepted Solution

rsivanandan earned 1000 total points
ID: 16998877
Couple of suggestions;

1. It is very very important and advisible that you have a VPNPool that is different from your internal network. DO THIS;

So the problem seems to be your PIX is natting all the connections. What you need to do is to disable nat if the traffic is flowing through VPN tunnel. For that lets say you changed your VPN pool to

Then add these;

access-list nonat permit ip

nat (inside) 0 access-list nonat

Then try accessing the servers.

LVL 19

Assisted Solution

nodisco earned 1000 total points
ID: 17000045
Rajesh is correct - change the ip local pool to a different range and you should not have this issue:
ip local pool VPNPool

I would also recommend you remove these lines from your config:
access-list inside_access_in permit tcp any any
access-group inside_access_in in interface inside
Permitting all tcp traffic in to the inside interface is by default denying all udp and icmp traffic also - It does not look like this was put here by design.  By default, all traffic is allowed from the inside out so there is no need for this access list.

I would upgrade your OS to the latest 6.x release - 6.3(5)........your version 6.2(1) is quite out of date.

hope this helps

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

661 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question