Cisco client VPN from behind a PIX with existing site-to-site config

first: I'm a dummy so bear with me :~) This may be super easy for y'all.
We have a remote site that is tied in site-to-site using Cisco Easy VPN config. Works great, no probs there. A couple of users in the remote site also use Cisco VPN client to connect to another agency. It was working until a major power outage, but apparently the previously working running config was not write mem'd, nor do I have a copy. I have tried a few things to no avail; e.g. got client VPN working but broke site-to-site when I tried some variations of access-list or static statements. Could anyone recommend the BEST way to set this up so that client VPN to about 4 external IPs, in series x.x.x.1-x.x.x.4, will work from behind the basic config shown below?

Oh - and I don't have access to the VPN client connection log or I would include that. I could have sworn this was working without any explicit permits or statics but I am probably wrong about that too. :~(

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxx encrypted
passwd ZHPW3PkCqVp0zNHL encrypted
hostname pixfirewall
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp nat-traversal 20
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain xxxx.local
dhcpd auto_config outside
dhcpd enable inside
username techsupp password xxxxxxxxxxxxxxxxxx encrypted privilege 15
vpnclient server x.x.x.x
vpnclient mode network-extension-mode
vpnclient vpngroup vpnremote password ********
vpnclient username techsupp password ********
vpnclient enable
terminal width 80
banner exec ***   VIOLATORS WILL BE PROSECUTED       ***
: end
lrmoore Commented:
If the EasyVPN is working as is with the posted config, try simply adding this one line and see if the other users can VPN out

  isakmp nat-traversal 20

If that doesn't work, enable fixup esp-ike
ipockcr (Author) Commented:
yikes; well at least I didn't leave any real IPs.

nat traversal is in the config actually, but haven't tried fixup esp-ike so I'll try that. It was definitely working without it before, but I have no knowledge of what they may have done on the remote end.
I always remove them if I see them... just in case. You may give away information elsewhere on the site or in the question that lets someone put two and two together.

ipockcr (Author) Commented:
go figure. the remote provider, after repeatedly insisting the problem was on my end, has been forced to concede that this was NOT the case. Now if they will kindly return the time I wasted. The mistake was a simple one, and easily remedied: never trust anyone who claims to know what they are talking about. I should have bypassed the firewall FIRST and it might have saved me some time; had it been easier to do so at the location in question I probably would have done that sooner.

I accept lrmoore's answer because it was most likely to have helped, but note that nat-traversal WAS in the original config. (hence the "B" lol).