Cisco PIX 501 VPN Connection No LAN Access and No SSH

I have configured my PIX 501 for VPN access. I am trying to connect using the Cisco VPN Client. The client makes the VPN connection successfully but I cannot access anything at the remote site. I have tried changing the IP pool to but still nothing. Also I cannot SSH into the PIX. I get a password prompt and put in the password that I am positive is correct and it will not work. I am using the username pix for the SSH connection. See config below.


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xx encrypted
passwd xx encrypted
hostname xxxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list NONAT permit ip
access-list outside_access_in permit icmp any interface outside
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool XXXVPN
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0 0
access-group outside_access_in in interface outside
route outside XXX.XXX.XX.XX 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set XXXSET esp-3des esp-md5-hmac
crypto dynamic-map XXXDMAP 10 set transform-set XXXSET
crypto map XXXMAP 10 ipsec-isakmp dynamic XXXDMAP
crypto map XXXMAP interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup XXXVPNGROUP address-pool XXXVPN
vpngroup XXXVPNGROUP dns-server
vpngroup XXXVPNGROUP default-domain
vpngroup XXXVPNGROUP split-tunnel NONAT
vpngroup XXXVPNGROUP idle-time 1800
vpngroup XXXVPNGROUP password ********
telnet inside
telnet timeout 5
ssh outside
ssh timeout 30
console timeout 0
username admin password XXX encrypted privilege 15
terminal width 80

John Meggers (Network Architect) commented:
For the VPN, do the devices you're trying to reach know where the VPN address block is, meaning do any layer-3 devices have a route to it? If the devices are on the immediate LAN subnet off the PIX, what default gateway are they using?

For SSH, I don't see any authentication configured.
dupont2406 (Author) commented:
I don't remember ever having to add authentication for SSH. Normally I use the username pix and the enable password. Can you tell me how to do that?

There are no routes back to the PIX. The LAN devices are using a router for the default gateway.
John Meggers (Network Architect) commented:
For SSH, the same way you're already doing it for telnet:

aaa authentication ssh console LOCAL

So it sounds like you have another router behind the PIX, and devices attached to that are using the router as their default gateway? Is the router using the PIX as its default gateway? If you have a subnet on the other side of a routing device, you need to either add a static route on the PIX (route inside <subnet> <mask> <router IP address>) or enable a dynamic protocol such as RIP or OSPF. The commands differ depending on which protocol you're running.
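The two problems diagnosed in this thread (SSH logins not consulting the local username database, and a VPN pool that the LAN cannot reach) can be spotted by reading the PIX config before anyone touches a router. The following checker is an added example written for this page; it is not code from the thread, from Cisco, or from the PIX itself. The two sample configs are constructed, and their addresses (192.168.1.0/24 inside, 192.168.250.0/24 pool, 203.0.113.2 outside, 198.51.100.10 as the admin host) are assumptions, because the poster's own config has every address redacted. It flags five things visible in a PIX 6.3 config: `ssh` enabled without `aaa authentication ssh console`, SSH management open to any source on the outside interface, a VPN pool carved out of the inside subnet, a NAT-exemption (`nat (inside) 0`) ACL that does not cover the pool, and the well-known `snmp-server community public` string that the posted config still carries.

```python
"""Static checks for the PIX 6.3 remote-access VPN / SSH problems discussed above.

Added example, not part of the original thread. All addresses below are
assumptions standing in for the redacted values in the poster's config.
"""
import ipaddress

# Constructed sample: the state described in the thread (pool on the LAN
# subnet, no AAA for SSH, SSH open to the world, default SNMP community).
BROKEN_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip local pool XXXVPN 192.168.1.200-192.168.1.220
nat (inside) 0 access-list NONAT
aaa authentication telnet console LOCAL
snmp-server community public
vpngroup XXXVPNGROUP address-pool XXXVPN
vpngroup XXXVPNGROUP split-tunnel NONAT
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
username admin password XXX encrypted privilege 15
"""

# Constructed sample: the corrected state (dedicated pool subnet that the
# NAT-exemption ACL covers, AAA for SSH, SSH limited to one admin host).
FIXED_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip local pool XXXVPN 192.168.250.1-192.168.250.50
nat (inside) 0 access-list NONAT
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
vpngroup XXXVPNGROUP address-pool XXXVPN
vpngroup XXXVPNGROUP split-tunnel NONAT
ssh 198.51.100.10 255.255.255.255 outside
ssh timeout 30
username admin password XXX encrypted privilege 15
"""


def _net(addr, mask):
    """Build a network from PIX 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix(text):
    """Extract only the statements the checks below need from a PIX 6.x config."""
    cfg = {"interfaces": {}, "pools": {}, "acls": {}, "aaa_console": set(),
           "ssh": [], "snmp_communities": [], "vpngroups": {}, "nat0_acl": None}
    for raw in text.splitlines():
        tok = raw.strip().split()
        if not tok or tok[0] in ("!", ":"):
            continue
        if tok[:2] == ["ip", "address"] and len(tok) == 5:
            cfg["interfaces"][tok[2]] = _net(tok[3], tok[4])
        elif tok[:3] == ["ip", "local", "pool"] and len(tok) == 5:
            lo, hi = tok[4].split("-")
            cfg["pools"][tok[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif tok[0] == "access-list" and len(tok) == 8 and tok[2:4] == ["permit", "ip"]:
            # access-list NAME permit ip SRC SMASK DST DMASK
            cfg["acls"].setdefault(tok[1], []).append((_net(tok[4], tok[5]), _net(tok[6], tok[7])))
        elif tok[:2] == ["aaa", "authentication"] and len(tok) >= 4 and tok[3] == "console":
            cfg["aaa_console"].add(tok[2])          # telnet, ssh, http, enable ...
        elif tok[0] == "nat" and len(tok) == 5 and tok[2] == "0" and tok[3] == "access-list":
            cfg["nat0_acl"] = tok[4]                # NAT exemption ACL
        elif tok[0] == "ssh" and len(tok) == 4:
            cfg["ssh"].append((_net(tok[1], tok[2]), tok[3]))
        elif tok[:2] == ["snmp-server", "community"] and len(tok) == 3:
            cfg["snmp_communities"].append(tok[2])
        elif tok[0] == "vpngroup" and len(tok) == 4 and tok[2] in ("address-pool", "split-tunnel"):
            cfg["vpngroups"].setdefault(tok[1], {})[tok[2]] = tok[3]
    return cfg


def check_config(text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    cfg = parse_pix(text)
    findings = []
    inside = cfg["interfaces"].get("inside")
    if cfg["ssh"] and "ssh" not in cfg["aaa_console"]:
        findings.append("ssh: no 'aaa authentication ssh console' line, so SSH logins do not use the local usernames")
    for net, ifname in cfg["ssh"]:
        if ifname == "outside" and net.prefixlen == 0:
            findings.append("ssh: management SSH is open to any source on 'outside'; restrict it to known admin addresses")
    nonat = cfg["acls"].get(cfg["nat0_acl"], [])
    for group, settings in cfg["vpngroups"].items():
        pool = cfg["pools"].get(settings.get("address-pool"))
        if pool is None:
            continue
        if inside is not None and any(ip in inside for ip in pool):
            findings.append(f"vpngroup {group}: pool overlaps the inside subnet {inside}; use a dedicated subnet and give the LAN router a route to it via the PIX")
        if not any(pool[0] in dst and pool[1] in dst for _, dst in nonat):
            findings.append(f"vpngroup {group}: NAT-exemption ACL {cfg['nat0_acl']} does not cover the pool as destination, so tunnel traffic would be NATed")
    if "public" in cfg["snmp_communities"]:
        findings.append("snmp: community 'public' is the well-known default; change or remove it")
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_config(text) or "no findings")
```

What the checker cannot see is the other half of the thread's fix: when inside hosts use a separate LAN router as their default gateway, that router needs a route for the pool subnet pointing at the PIX inside address, or reply traffic never comes back through the tunnel.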
dupont2406 (Author) commented:
I tried setting the gateway on one server to point to the PIX. Still no connection. Also I have 3 other locations with the exact same equipment configured identically to this one and I am able to connect with no problem. I also compared the PIX configs from the other locations and they are the same.
John Meggers (Network Architect) commented:
Are you saying you have a device on the PIX's LAN subnet, its default gateway points to the PIX itself, and you still cannot reach it from the VPN? Is the VPN using the same subnet shown in your config, or has that changed? (You mentioned changing to in your original question.) If so, did you also change the no-NAT ACL?
dupont2406 (Author) commented:
Yes, the server is on the PIX's LAN subnet, pointed at the PIX IP, and I cannot connect. The VPN pool is the The config is as posted above except I added the SSH authentication, which fixed the SSH issue. The no-NAT ACL is as posted above.
dupont2406 (Author) commented:
The IP pool was on the LAN subnet; I was trying stuff. I put it back to the and I can see the server now. Is there a route I can put in the PIX so I can access the other devices without changing the gateway? Because I do not have to do that in my other locations.

dupont2406 (Author) commented:
I have done some research. The other locations do have a route in the router (default gateway) to the VPN device. All is working. Thank you for all your help.
Question has a verified solution.
