cisco client VPN from behind a PIX with existing site to site config

Posted on 2006-12-01
Last Modified: 2013-11-16
First: I'm a dummy so bear with me :~) This may be super easy for y'all.
We have a remote site that is tied in site-to-site using cisco easy VPN config. Works great, no probs there. A couple of users in the remote site also use cisco VPN client to connect to another agency. It was working until a major power outage, but apparently the previously working running config was not write mem'd, nor do I have a copy. I have tried a few things to no avail; e.g. got client VPN working but broke site-to-site when I tried some variations of access-list or static statements. Could anyone recommend the BEST way to set this up so that client VPN to about 4 external IP's, in series x.x.x.1-x.x.x.4, will work from behind the basic config shown below?

Oh - and I don't have access to the VPN client connection log or I would include that. I could have sworn this was working without any explicit permits or statics but I am probably wrong about that too. :~(

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxx encrypted
passwd ZHPW3PkCqVp0zNHL encrypted
hostname pixfirewall
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp nat-traversal 20
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain xxxx.local
dhcpd auto_config outside
dhcpd enable inside
username techsupp password xxxxxxxxxxxxxxxxxx encrypted privilege 15
vpnclient server x.x.x.x
vpnclient mode network-extension-mode
vpnclient vpngroup vpnremote password ********
vpnclient username techsupp password ********
vpnclient enable
terminal width 80
banner exec ***   VIOLATORS WILL BE PROSECUTED       ***
: end
Question by: ipockcr
LVL 79

Accepted Solution

lrmoore earned 150 total points
ID: 18057363
If the EasyVPN is working as is with the posted config, try simply adding this one line and see if the other users can VPN out

  isakmp nat-traversal 20

If that doesn't work, enable fixup esp-ike
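The following PIX 6.3 fragment is an added example for this thread, not part of lrmoore's answer or the poster's config. It separates the three settings that decide whether a Cisco VPN Client behind this PAT can reach an outside concentrator, and adds a capture to find out which case applies. Assumptions: the four concentrators x.x.x.1-x.x.x.4 from the question are written as one /29 (x.x.x.0 255.255.255.248) for brevity; substitute `host` entries if they do not share a block. The access-list is bound only to the capture, not to an `access-group`, so it filters nothing.

```text
: Added example for PIX 6.3 (not from the original post).
: Placeholders: x.x.x.0/29 stands in for the four concentrators x.x.x.1-x.x.x.4.

: 1. Already in the posted config. IKE (UDP/500) and NAT-T (UDP/4500) are
:    plain UDP and traverse this PAT with no further statements or statics,
:    as long as the far end negotiates NAT-T.
global (outside) 1 interface
nat (inside) 1 0 0

: 2. Needed only if a concentrator does NOT negotiate NAT-T and returns raw
:    ESP (IP protocol 50). ESP carries no ports, so plain PAT cannot track it;
:    this fixup ties one ESP flow to the IKE exchange that set it up. Cisco's
:    6.3 documentation limits it to a single ESP tunnel at a time and states it
:    cannot coexist with ISAKMP enabled on an interface, so verify on the box
:    that it can be turned on alongside the vpnclient configuration.
fixup protocol esp-ike

: 3. Already in the posted config. This is not a passthrough setting: it
:    governs the PIX's own EasyVPN tunnel (the vpnclient lines), not the
:    software clients behind it.
isakmp nat-traversal 20

: Check: capture the client traffic and the replies on the outside interface.
: UDP/4500 coming back from a concentrator means NAT-T was negotiated and
: step 2 is unnecessary; ESP coming back means it was not.
access-list vpnchk permit udp any x.x.x.0 255.255.255.248 eq 500
access-list vpnchk permit udp x.x.x.0 255.255.255.248 any eq 500
access-list vpnchk permit udp any x.x.x.0 255.255.255.248 eq 4500
access-list vpnchk permit udp x.x.x.0 255.255.255.248 any eq 4500
access-list vpnchk permit esp any x.x.x.0 255.255.255.248
access-list vpnchk permit esp x.x.x.0 255.255.255.248 any
capture vpnchk access-list vpnchk interface outside
show capture vpnchk
```

One more thing to confirm before touching any of this: in network-extension mode the EasyVPN server pushes the split-tunnel policy, which decides whether the clients' traffic to x.x.x.1-4 leaves through the PAT above or is sent down the EasyVPN tunnel to the head end instead. `show vpnclient` on the PIX shows the downloaded policy; if the agencies' addresses are being tunneled, no PAT or fixup change on this PIX will affect them.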

Author Comment

ID: 18068254
yikes; well at least I didn't leave any real IPs.

nat traversal is in the config actually, but haven't tried fixup esp-ike so I'll try that. It was definitely working without it before, but I have no knowledge of what they may have done on the remote end.
LVL 104

Expert Comment

ID: 18070388
I always remove them if I see them... just in case. You may give away information elsewhere on the site or in the question that lets someone put two and two together.


Author Comment

ID: 18093011
go figure. the remote provider, after repeatedly insisting the problem was on my end, has been forced to concede that this was NOT the case. Now if they will kindly return the time I wasted. The mistake was a simple one, and easily remedied: never trust anyone who claims to know what they are talking about. I should have bypassed the firewall FIRST and it might have saved me some time; had it been easier to do so at the location in question I probably would have done that sooner.

I accept lrmoore's answer because it was most likely to have helped, but note that nat-traversal WAS in the original config. (hence the "B" lol).
