Problems connecting with the Cisco VPN Client while behind PIX

Posted on 2007-11-19
Last Modified: 2010-04-09
We're trying to connect to a remote ASA 5505 with the Cisco VPN Client software on a computer that is behind a PIX 501 firewall.  The Cisco VPN Client connects and authenticates correctly, but even though the VPN Client is connected, we cannot access or ping any network resources at the remote site.  When connected, if I right click on the VPN Client icon and click "statistics" it shows that 0 bytes have been received, but bytes are constantly being sent.  

If we replace the 501 with another router, we do not have this problem; the VPN Client will successfully connect and we are able to access the remote resources.

The VPN Client is set up for "IPSec over UDP (NAT / PAT)."

The configuration for the PIX 501 is posted below.  I have intentionally left the outgoing access-list off for troubleshooting purposes.  Let me know if you need clarification or more details.  Thank you in advance

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname OAC-PTown
domain-name domain.local
clock timezone CST -6
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 443
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name nhopevpn
access-list outbound permit tcp any
access-list outbound permit udp any
access-list outbound permit icmp any any
access-list outbound permit gre any any
access-list inbound permit tcp any any eq 3389
access-list inbound permit tcp any interface outside eq 3389
access-list inbound permit tcp any interface outside eq https
access-list inbound permit tcp any interface outside eq 3390
access-list inbound permit tcp any interface outside eq 5500
access-list inbound permit tcp any interface outside eq 5501
access-list inbound permit icmp any interface outside echo-reply
access-list inbound permit esp any any
access-list inbound permit ah any any
access-list inside_outbound_nat0_acl permit ip nhopevpn
access-list 101 permit ip nhopevpn
access-list outside_cryptomap_40 permit ip nhopevpn
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip verify reverse-path interface outside
ip audit name attack attack action alarm drop reset
ip audit interface outside attack
ip audit info action alarm
ip audit attack action alarm drop reset
ip local pool test
pdm location x.x.x.224 outside
pdm location inside
pdm location inside
pdm location inside
pdm location nhopevpn outside
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
static (inside,outside) tcp interface 3390 3390 netmask 0 0
static (inside,outside) tcp interface 5901 5901 netmask 0 0
static (inside,outside) tcp interface https https netmask 0 0
static (inside,outside) tcp interface 3389 3389 netmask 0 0
static (inside,outside) tcp interface 5501 5501 netmask 0 0
static (inside,outside) tcp interface 5500 5500 netmask 0 0
access-group inbound in interface outside
route outside nhopevpn 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server source inside
http server enable
http nhopevpn outside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set pfs group2
crypto map outside_map 40 set peer y.y.y.28
crypto map outside_map 40 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address y.y.y.28 netmask no-xauth no-config-mode
isakmp identity address
isakmp keepalive 60 30
isakmp nat-traversal 20
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption aes
isakmp policy 40 hash sha
isakmp policy 40 group 5
isakmp policy 40 lifetime 86400
vpngroup vpn3000 address-pool test
vpngroup vpn3000 dns-server
vpngroup vpn3000 wins-server
vpngroup vpn3000 default-domain domain.local
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet inside
telnet timeout 5
ssh inside
ssh timeout 25
console timeout 0
terminal width 80
Question by:OAC Technology
LVL 28

Accepted Solution

batry_boy earned 500 total points
ID: 20316891
Isn't this a repeat question?

Author Comment

by:OAC Technology
ID: 20383842
ooops, mod: please delete. thank you

Featured Post

Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question