

New user, inherited a CISCO PIX525, I only know the GUI.
VPN is set up 2 ways: 4 persistent connections (point to point, preshared keys),
and VPN clients for sales people who connect from internet connections, i.e. hotel rooms, Kinko's etc.

VPN connects fine but DNS does not work. I am able to use IP addresses of servers to get to them, but would like to not have to go the hosts file route as we are constantly adding new equipment as we grow.
Using CISCO Client 4.7.
I read another thread where adding isakmp nat-traversal solved a similar issue. I have my configuration in a text file and do not find this line.
How would I get this into the config using the GUI?


I don't think this is a NAT traversal issue, since if it were, you would most likely not be able to even get to the servers via IP address. Please post your running configuration (sanitized with public IPs stripped out) and we'll take a look.
The version of PDM you are using is so old that I don't have it loaded on any PIXes that I have access to, but below is a screenshot of where the setting is found under the 3.0(4) version. It may be in a similar place, but there is no guarantee! :)



In my old PDM the option you show does not exist.

I will get the config together and send it to you. I will be back here at 07:30 EST.
Your version of the PIX code doesn't support that command. So, we can either look for an alternative solution, or you can upgrade the code on the PIX and implement NAT traversal to see if that fixes your issue.

After looking at your existing configuration, I see a couple of things.

First, which vpngroup are you using, RLA or ABC?  If you are using RLA, then I don't see where you are assigning a DNS server to your VPN clients.  If you are using ABC, then what IP addresses are being received by the VPN clients since I don't see a corresponding "vpngroup ABC address-pool <poolname>" command.  You should add the command:

vpngroup ABC address-pool VPN

When you establish a VPN session and issue the "ipconfig /all" command from the Windows command prompt, what DNS server are you getting on the client?

The second thing that I see is that your NAT exemption ACL exempts traffic for only a portion of the VPN pool that is defined.

access-list inside_outbound_nat0_acl permit ip
ip local pool VPN

The NAT exemption only covers traffic going back to since the netmask referenced in the ACL is  Either the VPN pool needs to be scaled back to, or the netmask in the ACL needs to be modified to include the entire VPN pool.  This can be done by changing the netmask to


ABC and RLA are the same, there is only one group. I missed changing some RLA to ABC as I went through the file. I will see about changing the ACL to reflect the larger pool.

When I run ipconfig /all on an attached client, the DNS server does show correctly, WINS also at , BUT resolution does not happen. If, however, one attaches to a server in the group, say \public, in a few moments all resolution works. For some reason the IP mask on the VPN will show as during ipconfig. Very weird.


I forgot to mention, I would love to upgrade PDM and the PIX software, but CISCO no longer supports the 515, so I cannot buy service and get access to later software. All I could do would be to buy a new firewall, which I think I will have to do, as my bandwidth is higher than the 515 I used to have can handle. I have the config you are viewing on a borrowed 525 at the moment.
The mask reads . Very strange, haven't seen that one. Until you have the ability to get later code, you will be fighting issues and bugs a lot, I'm afraid. I'll take another look at the config in light of your comments and see if I can see something else. I'll post back later.




I really meant to say , not , for the mask.
>> I really meant to say , not , for the mask.

OK, that makes more sense.  

That netmask you are getting from the PIX must be because it is assigning a classful mask. In other words, 10.x.x.x is a class A subnet, and an 8-bit mask would be the classful mask for that subnet. I looked up the command in the 6.2 reference guide and it doesn't look like it supports specifying the netmask on the end of the line like the 6.3 code does. Bummer. I think you may be having a problem because your DNS server is , but because your mask is , it thinks that is on the same subnet along with 10.200.215.x, so there may be some traffic routing issues here.

Since you're running that old code that won't let you specify a 24-bit mask for a 10.x.x.x VPN pool, my suggestion is to try creating a new VPN pool, say something that is in the class C range like . Then modify your vpngroup command to use this pool, and modify the NAT 0 ACL to exempt return traffic back to this subnet, and see if you get any better results. Here are the commands to do this:

ip local pool VPN2
no vpngroup ABC address-pool VPN
vpngroup ABC address-pool VPN2
access-list inside_outbound_nat0_acl permit ip
access-list DMZ_outbound_nat0_acl permit ip

Just make sure you pick a class C that is not already in use on your internal network.
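The pool change and NAT-exemption fix from the two answers above, written out end to end with placeholder addresses as an added example (this is not the poster's configuration or the answerer's exact commands, which had their addresses stripped). Assumptions: the internal LAN is 10.200.215.0/24 (the only internal prefix mentioned in the thread), the DMZ is 192.168.100.0/24, the internal DNS/WINS server is 10.200.215.10, the DMZ interface is named dmz, and 192.168.250.0/24 is a class C not otherwise in use on the network. Syntax is PIX 6.2, where ip local pool takes no mask keyword:

```cisco
! Added example with assumed addresses; not the poster's configuration.
! New client pool in a class C range. On 6.2 code no mask can be given,
! so a 192.168.x.x pool gets a /24 classful mask on the client instead of
! the /8 that a 10.x.x.x pool was getting.
ip local pool VPN2 192.168.250.1-192.168.250.254
! Move the single client group (ABC) to the new pool and push the internal
! DNS and WINS servers to it (10.200.215.10 is an assumed address).
no vpngroup ABC address-pool VPN
vpngroup ABC address-pool VPN2
vpngroup ABC dns-server 10.200.215.10
vpngroup ABC wins-server 10.200.215.10
! NAT exemption: source is the internal (or DMZ) network, destination is
! the whole client pool. If the destination mask covers only part of the
! pool, return traffic to the rest of the pool is translated and never
! reaches the client.
access-list inside_outbound_nat0_acl permit ip 10.200.215.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list DMZ_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.168.250.0 255.255.255.0
! These bind the ACLs to nat 0; PDM will normally already have created
! them with these ACL names, in which case re-entering them is harmless.
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (dmz) 0 access-list DMZ_outbound_nat0_acl
! Verify the pool and the exemption ACL, then reconnect a client and
! compare the mask shown by ipconfig /all with the pool's /24.
show ip local pool VPN2
show access-list inside_outbound_nat0_acl
```

Before using the new pool, confirm it does not overlap any internal, DMZ, or site-to-site subnet (check the other nat 0 ACLs and the crypto ACLs for the four point-to-point tunnels), otherwise clients will be black-holed the same way the classful /8 was routing their DNS traffic to the wrong place. Note that the nat 0 ACL lines here show the fix for the earlier comment about the exemption covering only part of the pool, so the old VPN pool's ACL entries can be removed once clients are on VPN2.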


I'll try this first thing in the morning and let you know.
