cisco client VPN from behind a PIX with existing site to site config

Posted on 2006-12-01
Medium Priority
Last Modified: 2013-11-16
first: I'm a dummy so bear with me :~) This may be super easy for y'all.
We have a remote site that is tied in site-to-site using the Cisco Easy VPN config. Works great, no probs there. A couple of users in the remote site also use the Cisco VPN client to connect to another agency. It was working until a major power outage, but apparently the previously working running config was not write mem'd, nor do I have a copy. I have tried a few things to no avail; e.g. I got client VPN working but broke site-to-site when I tried some variations of access-list or static statements. Could anyone recommend the BEST way to set this up so that client VPN to about 4 external IPs, in series x.x.x.1-x.x.x.4, will work from behind the basic config shown below?

Oh - and I don't have access to the VPN client connection log or I would include that. I could have sworn this was working without any explicit permits or statics but I am probably wrong about that too. :~(

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxx encrypted
passwd ZHPW3PkCqVp0zNHL encrypted
hostname pixfirewall
domain-name xxx.xxx
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp nat-traversal 20
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain xxxx.local
dhcpd auto_config outside
dhcpd enable inside
username techsupp password xxxxxxxxxxxxxxxxxx encrypted privilege 15
vpnclient server x.x.x.x
vpnclient mode network-extension-mode
vpnclient vpngroup vpnremote password ********
vpnclient username techsupp password ********
vpnclient enable
terminal width 80
banner exec ***   VIOLATORS WILL BE PROSECUTED       ***
: end
Question by: ipockcr
Accepted Solution

lrmoore earned 450 total points
ID: 18057363
If the EasyVPN is working as is with the posted config, try simply adding this one line and see if the other users can VPN out:

  isakmp nat-traversal 20

If that doesn't work, enable fixup esp-ike.
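As an added example (not part of the original thread, and not Cisco code), the following Python script runs the checks behind this answer over a PIX 6.3 running config: it looks for PAT on the outside interface, for isakmp nat-traversal, for the esp-ike fixup, and for ISAKMP enabled on an interface, and reports what to try next. The config text embedded below is a constructed excerpt of the config posted in the question with the placeholder IPs left out.

```python
import re

# Constructed excerpt of the PIX 6.3 running config posted in the question;
# only the lines that matter for passing IPsec VPN clients through PAT are kept.
PIX_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcp setroute
global (outside) 1 interface
nat (inside) 1 0 0
isakmp nat-traversal 20
vpnclient enable
: end
"""

def parse_config(text):
    """Return the stripped, non-empty config lines, dropping ': end' style markers."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith(":")]

def check_ipsec_passthrough(lines):
    """Check the conditions the accepted answer relies on and return named findings."""
    def has(pattern):
        return any(re.match(pattern, ln) for ln in lines)

    return {
        # Every inside host shares the one outside address (PAT). ESP carries no
        # ports, so several VPN clients can only be kept apart if IKE negotiates
        # NAT-T (UDP/4500) or the PIX tracks ESP flows with the esp-ike fixup.
        "pat_on_outside": has(r"global \(outside\) \d+ interface$"),
        "nat_traversal": has(r"isakmp nat-traversal( \d+)?$"),
        "esp_ike_fixup": has(r"fixup protocol esp-ike$"),
        "isakmp_on_interface": has(r"isakmp enable \S+$"),
    }

def advise(f):
    """Turn the findings into what to verify on this PIX before blaming the far end."""
    notes = []
    if f["pat_on_outside"] and not (f["nat_traversal"] or f["esp_ike_fixup"]):
        notes.append("PAT without NAT-T or esp-ike fixup: add 'isakmp nat-traversal 20' first.")
    if f["nat_traversal"]:
        notes.append("NAT-T already enabled on this PIX; the remote peer must accept NAT-T "
                     "too, so the fault may lie beyond this firewall.")
    if f["esp_ike_fixup"] and f["isakmp_on_interface"]:
        # PIX 6.3 documents the esp-ike fixup and 'isakmp enable' as mutually exclusive.
        notes.append("esp-ike fixup cannot coexist with ISAKMP enabled on an interface.")
    return notes
```

Feeding the posted config through `advise(check_ipsec_passthrough(parse_config(PIX_CONFIG)))` shows NAT-T was already present, which is the point the author makes below.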

Author Comment

ID: 18068254
Yikes; well, at least I didn't leave any real IPs.

nat-traversal is in the config actually, but I haven't tried fixup esp-ike so I'll try that. It was definitely working without it before, but I have no knowledge of what they may have done on the remote end.

Expert Comment

ID: 18070388
I always remove them if I see them... just in case. You may give away information elsewhere on the site or in the question that lets someone put two and two together.


Author Comment

ID: 18093011
Go figure. The remote provider, after repeatedly insisting the problem was on my end, has been forced to concede that this was NOT the case. Now if they will kindly return the time I wasted. The mistake was a simple one, and easily remedied: never trust anyone who claims to know what they are talking about. I should have bypassed the firewall FIRST and it might have saved me some time; had it been easier to do so at the location in question I probably would have done that sooner.

I accept lrmoore's answer because it was most likely to have helped, but note that nat-traversal WAS in the original config. (hence the "B" lol).
