

cisco client VPN from behind a PIX with existing site to site config

Posted on 2006-12-01
Medium Priority
Last Modified: 2013-11-16
first: I'm a dummy so bear with me :~) This may be super easy for y'all.
We have a remote site that is tied in site-to-site using cisco easy VPN config. Works great, no probs there. A couple of users in the remote site also use cisco VPN client to connect to another agency. It was working until a major power outage, but apparently the previously working running config was not write mem'd, nor do I have a copy. I have tried a few things to no avail; e.g. got client VPN working but broke site-to-site when I tried some variations of access-list or static statements. Could anyone recommend the BEST way to set this up so that client VPN to about 4 external IP's, in series x.x.x.1-x.x.x.4, will work from behind the basic config shown below?

Oh - and I don't have access to the VPN client connection log or I would include that. I could have sworn this was working without any explicit permits or statics but I am probably wrong about that too. :~(

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxx encrypted
passwd ZHPW3PkCqVp0zNHL encrypted
hostname pixfirewall
domain-name xxx.xxx
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp nat-traversal 20
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain xxxx.local
dhcpd auto_config outside
dhcpd enable inside
username techsupp password xxxxxxxxxxxxxxxxxx encrypted privilege 15
vpnclient server x.x.x.x
vpnclient mode network-extension-mode
vpnclient vpngroup vpnremote password ********
vpnclient username techsupp password ********
vpnclient enable
terminal width 80
banner exec ***   VIOLATORS WILL BE PROSECUTED       ***
: end
Question by: ipockcr
Accepted Solution

lrmoore earned 450 total points
ID: 18057363
If the EasyVPN is working as is with the posted config, try simply adding this one line and see if the other users can VPN out

  isakmp nat-traversal 20

If that doesn't work, enable fixup esp-ike
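For reference, the PIX 6.3 statements that matter for inside users running the Cisco VPN client out through this box, with the caveats a practitioner would want. This is an added example, not part of lrmoore's answer or of the posted config; the "!" lines are annotations rather than commands, and x.x.x.1 stands in for one of the four concentrators named in the question.

```cisco
! Added example, not from the original post. Lines beginning with "!" are notes.

! 1. Outbound PAT for every inside host, exactly as in the posted config.
!    A VPN client that negotiates NAT-T sends UDP 500 and then UDP 4500; the
!    PIX builds an xlate for each UDP flow and passes the replies back, so a
!    NAT-T capable client needs nothing beyond these two lines.
global (outside) 1 interface
nat (inside) 1 0 0

! 2. NAT-T on the PIX's own tunnel. This line affects only IPsec that
!    terminates ON the PIX (the Easy VPN client that "vpnclient enable" turns
!    on); it does nothing for client tunnels that pass THROUGH the PIX.
isakmp nat-traversal 20
vpnclient enable

! 3. Only for clients that fall back to raw ESP (IP protocol 50, no UDP
!    encapsulation) because the far end does not do NAT-T: the PIX follows the
!    IKE exchange and PATs the ESP that follows it. Two limits: a single ESP
!    tunnel through the PAT address at a time, and the 6.3 documentation lists
!    it as incompatible with the PIX acting as an IPsec peer itself (ISAKMP
!    enabled on an interface, which Easy VPN client mode requires), so on this
!    box it is a last resort rather than the first thing to turn on.
fixup protocol esp-ike

! 4. Checks from the PIX console while a user connects to x.x.x.1:
!    show xlate      the inside client should be translated to the outside
!                    interface address
!    show conn       expect UDP 500 and UDP 4500 conns to x.x.x.1, or an ESP
!                    entry if the esp-ike fixup is carrying the tunnel
!    If the xlate and conns appear and the client still fails, the problem is
!    past the PIX (as turned out to be the case in this thread).
```

The practical order is therefore: confirm PAT works for ordinary traffic, watch show conn for the UDP 500/4500 pair while a client connects, and only reach for fixup protocol esp-ike when the far end genuinely refuses NAT-T and the PIX is not terminating IPsec itself.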

Author Comment

ID: 18068254
yikes; well at least I didn't leave any real IPs.

nat traversal is in the config actually, but haven't tried fixup esp-ike so I'll try that. It was definitely working without it before, but I have no knowledge of what they may have done on the remote end.

Expert Comment

ID: 18070388
I always remove them if I see them... just in case. You may give away information elsewhere on the site or in the question that lets someone put two and two together.


Author Comment

ID: 18093011
go figure. the remote provider, after repeatedly insisting the problem was on my end, has been forced to concede that this was NOT the case. Now if they will kindly return the time I wasted. The mistake was a simple one, and easily remedied: never trust anyone who claims to know what they are talking about. I should have bypassed the firewall FIRST and it might have saved me some time; had it been easier to do so at the location in question I probably would have done that sooner.

I accept lrmoore's answer because it was most likely to have helped, but note that nat-traversal WAS in the original config. (hence the "B" lol).
