

Issue with Cisco VPN Client and Point to Point T1

Posted on 2009-07-09
Medium Priority
Last Modified: 2012-05-07
Basically we have 2 offices, each connected by a Point-to-Point T1. There are no problems pinging from one office to another. At each office we have a PIX to VPN into. However, when someone VPNs into one office, they cannot go across the Point-to-Point link to get to the other office. Is there any way I can get this function to work? Thanks in advance, I have posted configs for one site and a little network diagram.

          |                                         |
   Site A PIX 515                           Site B PIX 506e
          |                                         |
          |                 P2P T1                  |
   Site A Cisco Router-----------------------Site B Cisco Router
          |                                         |
          |                                         |
   Site A LAN (                             Site B LAN (

**********************ROUTER CONFIG******************
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 2611ROUTER
enable secret 5 xxx
enable password xxx
no aaa new-model
ip subnet-zero
ip cef
ip domain name .com
ip dhcp excluded-address
ip dhcp excluded-address
ip dhcp excluded-address
ip dhcp pool clients
   domain-name .com
   netbios-node-type h-node
   option 42 ip 
   option 150 ip 
ip audit po max-events 100
username xxx privilege 15 secret 5 xxx
controller T1 0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24 speed 64
 description SBC 86HCGS667489
controller T1 0/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24 speed 64
ip ssh time-out 60
ip ssh authentication-retries 5
interface Ethernet0/0
 description Internal Network
 ip address
interface Serial0/0:0
 ip address
 encapsulation ppp
interface Ethernet0/1
 no ip address
interface Serial0/1:0
 no ip address
 encapsulation ppp
interface Serial0/2
 no ip address
 encapsulation ppp
ip http server
no ip http secure-server
ip classless
ip route
ip route
ip route
ip route
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password xxx
 login local
 transport input ssh
line vty 5 15
 password xxx
 transport input ssh
ntp clock-period 17180144
ntp server
**********************PIX CONFIG******************
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname PIX506e
domain-name .com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name x.x.x.16 PIX_Outside
name x.x.x.1 Sonic_Gateway
name PIX_Inside
name y.y.y.17 SWMS_Outside
name y.y.y.18 CPSUPPORT_Outside
name CPSUPPORT_Inside
name SWMS_Inside
name SWMS2
name y.y.y.19 CLserver
name CLinside
object-group network og_ip_nat_clients 
access-list outside_access_in permit icmp any any echo-reply 
access-list outside_access_in permit icmp any any 
access-list outside_access_in remark Allow HTTP traffic to SWMS
access-list outside_access_in permit tcp any host SWMS_Outside eq www 
access-list outside_access_in permit tcp any host CPSUPPORT_Outside eq www 
access-list outside_access_in permit tcp host .... interface outside eq ftp 
access-list outside_access_in permit tcp host .... interface outside eq 1433 
access-list outside_access_in permit tcp any host CLserver eq ssh 
access-list nonat permit ip 
access-list nonat permit ip 
access-list splittunnel permit ip 
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside PIXOutside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool ipsec-pool mask
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
static (inside,outside) SWMS_Outside SWMS_Inside netmask 0 0 
static (inside,outside) CPSUPPORT_Outside CPSUPPORT_Inside netmask 0 0 
static (inside,outside) CLserver CLinside netmask 0 0 
access-group outside_access_in in interface outside
route outside Sonic_Gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac 
crypto dynamic-map dynamicmap 11 set transform-set vpnclient
crypto map warehousemap 99 ipsec-isakmp dynamic dynamicmap
crypto map warehousemap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup warehouse address-pool ipsec-pool
vpngroup warehouse dns-server SWMS_Inside
vpngroup warehouse default-domain .com
vpngroup warehouse split-tunnel splittunnel
vpngroup warehouse idle-time 1800
vpngroup warehouse password ***
telnet timeout 5
ssh outside
ssh inside
ssh inside
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns SWMS_Inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain .com
dhcpd auto_config outside
dhcpd option 150 ip
dhcpd option 3 ip PIX_Inside
username xxx password xxx encrypted privilege 15
terminal width 80
banner exec Enter your password carefully
banner login Enter your password to login
banner motd Think on These Things


Question by: sycomp

Expert Comment

ID: 24818273
OK, from what I see your VPN clients get 10.11.1.x, but on your router there is no route back to that network over the point-to-point.

Expert Comment

ID: 24821005
Along the same lines, aren't both PIXs missing routes for the opposite site?

Accepted Solution

lrmoore earned 2000 total points
ID: 24823520
You only posted the configs on one side, but generally, here's what you need.

Site A
On the PIX 515, add a static route to the local router
route inside <router address>

Also, include /24 in the Split-tunnel acl
On the router, make sure you have a route to the vpn client subnet pointing across the T1
 ip route

Make sure you reverse the process on Site B:
 route inside 10.5.1.x
 route inside 10.5.1.x
 route inside 10.x.x.x 10.5.1.x  <== 515 side VPN tunnel pool
access-list nonat permit ip
access-list splittunnel permit ip

On the router, make sure you have a route to the VPN pool of the PIX 515
ip route 10.x.x.0

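The following checker is an added example, not code from the thread or from lrmoore: it reads the four pieces the accepted answer lists (the PIX `route inside`, the `nonat` and `splittunnel` ACL entries, and the far router's return route for the VPN pool) out of config fragments and reports which are missing. All addresses are constructed for illustration: Site A LAN 10.1.1.0/24, Site B LAN 10.5.1.0/24 with its router at 10.5.1.1, and a Site B client pool of 10.11.1.0/24; the regexes assume the PIX 6.3 and IOS line formats shown in the posted configs.

```python
import ipaddress
import re

# Constructed sample fragments (addresses are illustrative, not from the thread).
# Site B PIX: VPN pool 10.11.1.0/24, local LAN 10.5.1.0/24, router at 10.5.1.1.
PIX_B_BEFORE = """\
ip local pool ipsec-pool 10.11.1.1-10.11.1.50 mask 255.255.255.0
access-list nonat permit ip 10.5.1.0 255.255.255.0 10.11.1.0 255.255.255.0
access-list splittunnel permit ip 10.5.1.0 255.255.255.0 10.11.1.0 255.255.255.0
"""
PIX_B_AFTER = PIX_B_BEFORE + """\
route inside 10.1.1.0 255.255.255.0 10.5.1.1 1
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.11.1.0 255.255.255.0
access-list splittunnel permit ip 10.1.1.0 255.255.255.0 10.11.1.0 255.255.255.0
"""
# Site A router: only knows Site B's LAN across the T1, not Site B's VPN pool.
ROUTER_A_BEFORE = "ip route 10.5.1.0 255.255.255.0 Serial0/0:0\n"
ROUTER_A_AFTER = ROUTER_A_BEFORE + "ip route 10.11.1.0 255.255.255.0 Serial0/0:0\n"

POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", re.M)
PIX_ROUTE_RE = re.compile(r"^route inside (\S+) (\S+) \S+", re.M)
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
IOS_ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) \S+", re.M)

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def vpn_pool(pix_cfg):
    return net(*POOL_RE.search(pix_cfg).groups())

def covered(network, routes):
    # A route covers the network if it is the same prefix or a supernet of it.
    return any(network.subnet_of(r) for r in routes)

def acl_pairs(pix_cfg, name):
    return [(net(s, sm), net(d, dm)) for n, s, sm, d, dm in ACL_RE.findall(pix_cfg) if n == name]

def check_site(pix_cfg, far_router_cfg, far_lan):
    """Return what is missing for clients on this PIX to reach far_lan over the P2P link."""
    pool, far_lan, findings = vpn_pool(pix_cfg), ipaddress.ip_network(far_lan), []
    if not covered(far_lan, [net(a, m) for a, m in PIX_ROUTE_RE.findall(pix_cfg)]):
        findings.append(f"pix: no 'route inside' for {far_lan} via the local router")
    if not any(far_lan.subnet_of(s) and pool.subnet_of(d) for s, d in acl_pairs(pix_cfg, "nonat")):
        findings.append(f"pix: nonat acl does not exempt {far_lan} -> {pool} from NAT")
    if not any(far_lan.subnet_of(s) for s, _ in acl_pairs(pix_cfg, "splittunnel")):
        findings.append(f"pix: splittunnel acl does not send {far_lan} into the tunnel")
    if not covered(pool, [net(a, m) for a, m in IOS_ROUTE_RE.findall(far_router_cfg)]):
        findings.append(f"far router: no return route for VPN pool {pool} across the T1")
    return findings
```

Run `check_site(PIX_B_BEFORE, ROUTER_A_BEFORE, "10.1.1.0/24")` to see all four gaps reported; the same call with the `_AFTER` fragments returns an empty list.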
Author Closing Comment

ID: 31604444
Thank you! I overlooked the fact that the VPN clients are on a different subnet.
