Cisco PIX 515E VPN Trouble Accessing Network.

Currently I have a Cisco PIX 515E.  I have a VPN running on this firewall and as of three days ago when I would connect to the network, I would not be able to access anything.  When I check the status of the Cisco VPN Software (on the statistics tab) it shows there is a key next to the network ip address and sometimes it shows no key.  How can I go about troubleshooting this situation?  Even when there was a key next to the ip address I still could not access the network.  I believe the VPN is starting to flake out.  On the status tab it shows packets bypassed and discarded. Nothing is going in or out.

Any suggestions will be greatly appreciated.

Thank you in advance.

rsivanandan Commented:
Oh man, that is a lot lot lot lot older software and I don't even know if it will uninstall properly. For testing, can you uninstall it and install 4.8 on a PC and see if it helps?

Is the IP pool configured at the PIX for VPN the same as the internal network? This is not good.

You need to have it configured on the PIX not to NAT the connections coming back to you; typically it would be like this:

access-list nonat permit ip <corporate ip> <netmask> <vpnassignedip> <netmask>

nat (inside) 0 access-list nonat

If possible, the configuration will tell us more.
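The two checks raised in the comment above (VPN pool overlapping the inside network, and a missing NAT exemption toward the pool) can be run against a saved configuration. This is an added example, not part of the original thread; the function name `audit_vpn_nat` and all addresses are constructed for illustration, and it assumes ACL entries of the form `permit ip <net> <mask> <net> <mask>` only.

```python
import ipaddress
import re

# Constructed sample config (RFC 1918 addresses chosen for illustration only).
SAMPLE_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpnpool 192.168.50.1-192.168.50.50
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

def audit_vpn_nat(config):
    """Return a list of findings for VPN pool / NAT exemption problems."""
    findings = []
    m = re.search(r"^ip address inside (\S+) (\S+)", config, re.M)
    p = re.search(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M)
    if not m or not p:
        return ["inside address or VPN pool not found"]
    inside = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    first, last = (ipaddress.ip_address(a) for a in p.groups())
    pool = list(ipaddress.summarize_address_range(first, last))

    # Check 1: the pool must not share address space with the inside network.
    if any(net.overlaps(inside) for net in pool):
        findings.append("VPN pool overlaps the inside network")

    # Check 2: the ACL bound to "nat (inside) 0" must permit inside -> pool.
    # Simplification: 'host' and 'any' keywords in ACL entries are not parsed.
    n = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if not n:
        findings.append("no 'nat (inside) 0 access-list' statement")
        return findings
    acl = re.findall(
        rf"^access-list {re.escape(n.group(1))} permit ip (\S+) (\S+) (\S+) (\S+)",
        config, re.M)
    rules = [(ipaddress.ip_network(f"{s}/{sm}", strict=False),
              ipaddress.ip_network(f"{d}/{dm}", strict=False))
             for s, sm, d, dm in acl]
    for net in pool:
        if not any(inside.subnet_of(src) and net.subnet_of(dst)
                   for src, dst in rules):
            findings.append(f"no NAT exemption from inside to pool block {net}")
    return findings
```

An empty list means both checks passed; each string in the result names one problem to look at in the configuration.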

cbones (Author) Commented:
Here is the configuration...I XXX over some of the information...

PIX Version 6.3(3)
interface ethernet0 10full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password FKoAdbRMH5AH5Jup encrypted
passwd 4Az39VjLXL/1H.91 encrypted
hostname XXXXXXXX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list FROM_OUTSIDE permit tcp any host eq www
access-list FROM_OUTSIDE permit tcp any host eq https
access-list FROM_OUTSIDE permit tcp any host eq 433
access-list FROM_OUTSIDE permit tcp any host eq ssh
access-list FROM_OUTSIDE permit tcp any host eq https
access-list FROM_OUTSIDE permit tcp any host eq www
access-list 101 permit ip
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside
ip address inside
ip address dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool XXXXXXX
pdm history enable
arp timeout 14400
global (outside) 1
global (dmz) 1
nat (inside) 0 access-list 101
nat (inside) 1 0 0
nat (dmz) 0 access-list 101
nat (dmz) 1 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
static (dmz,outside) netmask 0 0
access-group FROM_OUTSIDE in interface outside
route outside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set XXXXXXXSET esp-3des esp-md5-hmac
crypto dynamic-map CISCO 4 set transform-set XXXXXXXSET
crypto map XXXXXXX VPN 10 ipsec-isakmp dynamic CISCO
crypto map XXXXXXX VPN client configuration address initiate
crypto map XXXXXXX VPN client authentication LOCAL
crypto map XXXXXXX VPN interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local XXXXXXX outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup XXXXXXXX address-pool XXXXXXX
vpngroup XXXXXXXX split-tunnel 101
vpngroup XXXXXXXX idle-time 1800
vpngroup XXXXXXX password ********
telnet inside
telnet timeout 30
ssh timeout 10
management-access inside
console timeout 0

Thank you!!!

>>access-list 101 permit ip

Make the above as;

access-list 101 permit ip


access-list 102 permit ip

>>vpngroup XXXXXXXX split-tunnel 101

vpngroup XXXXXXXX split-tunnel 102

cbones (Author) Commented:
I tried this but it did not work.  After I made the changes, on the VPN client's status tab it shows a key next to the public IP but not next to the internal network IP.  The strange thing is this does not happen to everyone, just a handful of people (including myself)...

Good, we will try one by one. Now the turn for looking at the client side. What OS are you using and which client? Windows XP is seen to have any client less than 4.8; if it is not 4.8, upgrade that software piece.

cbones (Author) Commented:
The majority of the clients are running on XP...I am running on XP Pro...Some of the other people are running on XP Home...We are using Cisco VPN Client Version 3.6.3...

Thank you.
cbones (Author) Commented:
Thank you for all your help but I am still not sure what is causing this problem.  I have tried newer versions of Cisco VPN Client and still have problems connecting.  

Thank you for all your help and your fast responses.
Question has a verified solution.
