Hi, I have a couple of 501s installed with the same config but I can't get vpnclient to connect to neither PIX. I can configure a site-site tunnel, or client vpn access but not both at the same time.

1st any pointers that I need to look for?

2nd should I move to ASA5505 instead?

/Peter

You can have a remote access vpn and a lan-to-lan tunnel at the same time. What you cannot do with your 501 is have remote access clients connect to the vpn and then bounce off the pix and cross the lan-to-lan tunnel. If you are just trying to get vpn clients to connect to the pix, then you must have a configuration problem. If you are trying to do what original poster was trying to do, you would also not be able to without version 7, which your 501 doesnt support.

Thanks for your reply, no I wasn't really getting that far as the original poster. I can't get the basic config to work. Whenever I add the nat (inside) 0 the lan to lan tunnel goes down. I'm attaching my running config and the vpnclient config I'm tryin to invoke.

Add your new nat exempt traffic to your existing nat 0 acl instead of creating a new one.

access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 90 permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0

nat (inside) 0 access-list 90

Thanks!. Same applied to crypto map. Now I can connect with the vpn-client and keep the existing lan to lan tunnel up, but can't get any data through to the vpn-client. f.ex. udp port 53 for dns lookups. Connection is being built, and then teardown - but I have no responses to the client. I'm either missing something obvious in my acl or ???

I'm attaching current config, pls have a look.

cheers / Peter

I think I should have mentioned this before but you should not use the same access-list for your crypto acl and your nat 0 acl. Do this. Leave acl 90 for your crypto acl for your lan to lan tunnel. Then create a new acl for your nat 0 traffic which will include lan to lan and remote vpn traffic.

access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

no access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0 log 4

no access-list 90 permit ip 192.168.0.0 255.255.255.0 any log 4

no nat (inside) 0 access-list 90

access-list 95 permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list 95 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list 95

let me know if that works, please rate if these help. Yes, and thanks Kanisha, the split tunnel acl should change as well.

AS per your configuration, you are using the same ACL for nonat , split tunnel and crypto map (site to site) . This will never work, as all the client traffic is now being sent tot the site to site tunnel.

You have to make the following changes for this to work :

no crypto map toLund interface outside

no access-list 90

access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list split permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

nat (inside) 0 access-list nonat

crypto map toLund 20 match address 90

vpngroup Petena split-tunnel split

no crypto map toLund 10 ipsec-isakmp dynamic outside_dyn_map

crypto map toLund 100 ipsec-isakmp dynamic outside_dyn_map

crypto map toLund interface outside

That would do it !!

*Please rate if helped.

-Kanishka

thank you both guys, this did the trick.

/Peter

Glad to know it worked. How abt a rating ;-)