Cisco PIX 501 VPN Connection No LAN Access and No SSH

Posted on 2011-04-20
Last Modified: 2012-05-11
I have configured my PIX 501 for VPN access.  I am trying to connect using the Cisco VPN Client.  The client makes the VPN connection successfully, but I cannot access anything at the remote site.  I have tried changing the IP pool to but still nothing.  Also, I cannot SSH into the PIX.  I get a password prompt and put in the password that I am positive is correct, and it will not work.  I am using the username pix for the SSH connection.  See config below.


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xx encrypted
passwd xx encrypted
hostname xxxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list NONAT permit ip
access-list outside_access_in permit icmp any interface outside
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool XXXVPN
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0 0
access-group outside_access_in in interface outside
route outside XXX.XXX.XX.XX 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set XXXSET esp-3des esp-md5-hmac
crypto dynamic-map XXXDMAP 10 set transform-set XXXSET
crypto map XXXMAP 10 ipsec-isakmp dynamic XXXDMAP
crypto map XXXMAP interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup XXXVPNGROUP address-pool XXXVPN
vpngroup XXXVPNGROUP dns-server
vpngroup XXXVPNGROUP default-domain
vpngroup XXXVPNGROUP split-tunnel NONAT
vpngroup XXXVPNGROUP idle-time 1800
vpngroup XXXVPNGROUP password ********
telnet inside
telnet timeout 5
ssh outside
ssh timeout 30
console timeout 0
username admin password XXX encrypted privilege 15
terminal width 80


    Question by: dupont2406

    Accepted Solution

    For the VPN, do the devices you're trying to reach know where the VPN address block is, meaning do any layer-3 devices have a route to it?  If the devices are on the immediate LAN subnet off the PIX, what is the default gateway they are using?

    For SSH, I don't see any authentication configured.

    Author Comment

    I don't remember ever having to add authentication for SSH.  I normally use the username pix and the enable password.  Can you tell me how to do that?

    There are no routes back to the PIX.  The LAN devices are using a router as their default gateway.

    Expert Comment

    For SSH, the same way you're already doing it for telnet:

    aaa authentication ssh console LOCAL

    So it sounds like you have another router behind the PIX, and devices attached to that are using the router as their default gateway?  Is the router using the PIX as its default gateway?  If you have a subnet on the other side of a routing device, you need to either add a static route on the PIX (route inside <subnet> <mask> <router IP address>) or you need to enable a dynamic protocol such as RIP or OSPF. The commands are different depending on what protocol you're running.

    Author Comment

    I tried setting the gateway on one server to point to the PIX.  Still no connection.  Also, I have 3 other locations with the exact same equipment, configured identically to this one, and I am able to connect with no problem.  I also compared the PIX configs from the other locations and they are the same.

    Expert Comment

    Are you saying you have a device on the PIX's LAN subnet, its default gateway points to the PIX itself, and you still cannot reach it from the VPN?  Is the VPN using the same subnet shown in your config, or has that changed?  (You mentioned changing to in your original question.)  If so, did you also change the no-nat ACL?

    Author Comment

    Yes, the server is on the PIX's LAN subnet, pointed at the PIX IP, and I cannot connect.  The VPN pool is the  The config is as it is posted above, except that I added the SSH authentication, which fixed the SSH issue.  The no-nat ACL is as it is posted above.

    Author Comment

    The IP pool was on the LAN subnet; I was trying stuff.  I put it back to the and I can see the server now.  Is there a route I can put in the PIX so I can access the other devices without changing the gateway?

    Author Comment

    Because I do not have to do that in my other locations.


    Author Comment

    I have done some research.  The other locations do have a route in the router (the default gateway) to the VPN device.  All is working.  Thank you for all your help.
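    The two fixes the thread arrives at, written out as an added example (this is not configuration from the original post or from the other sites the author mentions). The expert's SSH fix is the `aaa authentication ssh console LOCAL` line; the routing fix is the return route for the VPN pool on the LAN router, which is what the author finally found at the working sites. All addresses are redacted in the posted config, so the ones below are assumed: 192.168.1.0/24 for the LAN, 192.168.1.1 for the PIX inside interface, 192.168.1.254 for the LAN router that the hosts use as their default gateway, 192.168.2.0/24 for a subnet behind that router, 10.10.10.0/24 for the VPN pool and 203.0.113.5 for the administrator's public address.

```text
! ===== PIX 501, PIX Version 6.3(5) =====

! SSH login. Without an "aaa authentication ssh" line the PIX expects the
! username "pix" and the Telnet password set with "passwd", not the enable
! password and not a "username" account. With it, SSH uses the same local
! database as Telnet already does, i.e. the "username admin ..." entry.
aaa authentication ssh console LOCAL

! PIX 6.3 only speaks SSH version 1, so keep the allowed sources narrow.
! (Assumed address; the post's "ssh outside" line is redacted.)
ssh 203.0.113.5 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside

! Only needed if there are subnets behind the LAN router: decrypted VPN
! traffic for 192.168.2.0/24 must be handed to that router, otherwise the
! PIX sends it out its default route.
route inside 192.168.2.0 255.255.255.0 192.168.1.254 1

! Checks
show route
show ssh sessions
write memory

! ===== LAN router (Cisco IOS), the hosts' default gateway =====

! Replies from LAN hosts to 10.10.10.x go to this router, not to the PIX.
! Without a route for the pool they follow the router's default route and
! never come back through the tunnel; this is the "route in the router to
! the VPN device" the author found at the working sites.
ip route 10.10.10.0 255.255.255.0 192.168.1.1

! Checks
show ip route 10.10.10.0 255.255.255.0
ping 10.10.10.10
write memory
```

    The alternative the author tried, pointing one server's default gateway directly at the PIX, works for that host only; the router-side route fixes every host behind the gateway at once. The `nat (inside) 0 access-list NONAT` exemption and the `split-tunnel NONAT` entry must still cover the LAN-to-pool traffic, which is why the expert asked whether the no-nat ACL was updated when the pool was changed.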
