Problem with VPN Client and PIX 7.0(5)

Unanswered Question
Feb 28th, 2007

Hi, I have a problem configuring my PIX 525 7.0(5) as a remote VPN server. I already configured the PIX

following these instructions (

and I can establish a VPN using the Cisco VPN Client, but I can't reach any resource on my inside network or any network defined in the PIX.

I think it could be a missing NAT or an ACL; I have done a lot of research but I can't figure out the solution.

This is the configuration I applied:


access-list cryptomap-scada extended permit ip any
access-list acl-vpn-sap-remoto extended permit ip any
access-list acl-vpn-sap-remoto extended permit icmp any
access-list acl-vpn-sap-remoto extended permit ip any any
access-list acl-vpn-sap-remoto extended permit icmp any any
ip local pool pool_vpn_sap 172.*.*.1- mask
nat (inside) 0 access-list cryptomap-scada
group-policy VPN_SAP_PED internal
group-policy VPN_SAP_PED attributes
vpn-filter value acl-vpn-sap-remoto
vpn-tunnel-protocol IPSec
username vpnuser password **** encrypted
username vpnuser attributes
vpn-group-policy VPN_SAP_PED
crypto ipsec transform-set vpn-cliente-remoto esp-3des esp-md5-hmac
crypto dynamic-map vpn-remoto-dymap 7 set transform-set vpn-cliente-remoto
crypto dynamic-map vpn-remoto-dymap 7 set reverse-route
crypto map siemens-scada-map 7 ipsec-isakmp dynamic vpn-remoto-dymap
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption 3des
isakmp policy 7 hash sha
isakmp policy 7 group 2
isakmp policy 7 lifetime 43200
tunnel-group VPN_SAP_PED type ipsec-ra
tunnel-group VPN_SAP_PED general-attributes
address-pool pool_vpn_sap
default-group-policy VPN_SAP_PED
tunnel-group VPN_SAP_PED ipsec-attributes
pre-shared-key clavevpnsap


Thanks in advance

ggilbert Wed, 02/28/2007 - 12:23


I looked through the config and let's start from basics. If you remove the VPN filter from the group-policy, are you able to get access to your internal resources using the VPN client?

sh run nat -> Send me this output, please.



Rate this post, if it helps!

Anonymous (not verified) Wed, 02/28/2007 - 12:37

Hi, thanks for your response. If I remove the ACL from the vpn-filter, I get the same problem (I can't reach any host). This is the output from the command you asked for.


PIX-Principal(config)# show running-config nat
nat (inside) 0 access-list cryptomap-scada
nat (inside) 9 JOsorioPC
nat (inside) 9 GColinaPC
nat (inside) 9 AlfonsoPC
nat (inside) 9 AngelPC
nat (inside) 9 JerryPC
nat (inside) 9 EstebanPC
nat (inside) 9 GiancarloPC
nat (inside) 9 WilliamsPC
nat (inside) 9 PerniaPC
nat (inside) 9 ElvisDomPC
nat (inside) 8 LBermudezPC
nat (inside) 9 HelpDeskPC
nat (inside) 9 OscarOPC
nat (inside) 9 AnaPC
nat (inside) 9 RobertoPC
nat (inside) 9 MarthaPC
nat (inside) 9 NOCPc5-I
nat (inside) 9 NOCPc6-I
nat (inside) 9 CiraPC
nat (inside) 9 JaimePC
nat (inside) 9 EugemarPC
nat (inside) 9 JosePC
nat (inside) 9 RixioPC
nat (inside) 9 DaniellePC
nat (inside) 9 NorimarPC
nat (inside) 9 NNavaPC
nat (inside) 8 ManriquePC
nat (inside) 8 MarcialPC
nat (inside) 8 JAlbornozPC
nat (inside) 9 GUrdanetaPC
nat (inside) 9 RVegaPC
nat (inside) 9 LLabarcaPC
nat (inside) 9 Torondoy-I
nat (inside) 9 Escuque-I
nat (inside) 9 Turbio-I
nat (inside) 9 JoseMora
nat (inside) 8 San-Juan-I
nat (inside) 8 Router7507
nat (inside) 8 NOCPc4-I
nat (InterfaceSAN) 8 MonitorHITACHI-I


Anonymous (not verified) Wed, 02/28/2007 - 12:47

No, I haven't, but I have other L2L VPN connections working fine without this command; is it necessary only for RA VPNs? And could this command affect the other L2L VPNs?

acomiskey Wed, 02/28/2007 - 12:52

"For traffic that enters the security appliance through an IPSec tunnel and is then decrypted, use the sysopt connection permit-ipsec command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic."

You must have the traffic for the other connections allowed in your interface ACLs?

Anonymous (not verified) Wed, 02/28/2007 - 12:56

Yes, I have ACLs on other interfaces; if I apply this command, would it affect the other L2L VPNs?

acomiskey Wed, 02/28/2007 - 13:02

If you apply the command, all your IPsec traffic will bypass your interface ACLs. If you are using your interface ACLs to filter your other IPsec traffic, then you do NOT want to apply this command.

Are you restricting other IPsec traffic by interface ACLs or vpn-filters?

Anonymous (not verified) Wed, 02/28/2007 - 14:13

OK, I only filter my L2L VPN traffic with the ACLs configured for my VPN tunnels, not with the interface ACLs.



access-list cryptomap-credicard extended permit ip host Naiguata
crypto map siemens-scada-map 2 match address cryptomap-credicard
crypto map siemens-scada-map 2 set pfs
crypto map siemens-scada-map 2 set peer XXX.XXX.XXX.XXX
crypto map siemens-scada-map 2 set transform-set vpn-credicard-sha


So I won't have a problem with the command, right?

acomiskey Wed, 02/28/2007 - 18:49

No, no problems. But I'm not sure how any of your tunnels work without it.

Anonymous (not verified) Thu, 03/01/2007 - 14:15

Hi, I just ran the command "show runn sysopt" and this is the result:


PIX-Principal# show running-config sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt uauth allow-http-cache
sysopt connection permit-ipsec


So I already have the IPsec traffic permitted. What else could I check?

Thanks in advance

Kamal Malhotra Wed, 02/28/2007 - 13:46


Please issue the command 'sh run sysopt' and make sure that you have 'sysopt connection permit-vpn'. Another thing is, as Gilbert suggested, please try removing the filter command from under the group policy. The third thing would be to make sure that the ACL on the inside interface has traffic from any permitted to the


Please rate if it helps,



Anonymous (not verified) Thu, 03/01/2007 - 14:30

Hi, I tried all of your suggestions and it didn't help...

Thanks in advance.

Anonymous (not verified) Fri, 03/02/2007 - 05:22

No, i haven't.

kaachary Sun, 03/04/2007 - 05:44


Please enable "isakmp nat-t" on the PIX.

Also, make sure that the clients have "Enable Transparent Tunneling" checked, with IPSec over UDP (NAT/PAT) selected.



loverprince Wed, 03/07/2007 - 00:44


Please try to add your inside subnet to the no-NAT access list.

Make sure that the source is your local subnet and the destination is the remote clients' subnet.
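As an added example (not from this thread or from Cisco), here is a small Python check for the NAT-exemption mistake discussed above: it parses a PIX 7.x fragment, confirms that the ACL named by `nat (inside) 0 access-list` has a specific inside source and a destination that covers the whole `ip local pool` range, and that `sysopt connection permit-ipsec` is present. All addresses, including the 192.168.1.0/24 inside subnet, are constructed placeholders, since the thread masks its own.

```python
import ipaddress
import re

# Constructed PIX 7.x fragments with placeholder addresses (the thread masks its own).
# BEFORE: the exemption ACL has source 'any' and a destination that is not the pool.
BEFORE = """\
ip local pool pool_vpn_sap 172.16.50.1-172.16.50.50 mask 255.255.255.0
access-list cryptomap-scada extended permit ip any 10.9.9.0 255.255.255.0
nat (inside) 0 access-list cryptomap-scada
sysopt connection permit-ipsec
"""
# AFTER: source is the (placeholder) inside subnet, destination is the pool's network.
AFTER = BEFORE.replace("permit ip any 10.9.9.0 255.255.255.0",
                       "permit ip 192.168.1.0 255.255.255.0 172.16.50.0 255.255.255.0")

ADDR = r"(any|host \S+|\S+ \S+)"  # one ACE address operand

def _to_network(tok):
    """'any' -> None, 'host A' -> A/32, 'A M' -> A/M (PIX writes dotted masks)."""
    if tok == "any":
        return None
    if tok.startswith("host "):
        return ipaddress.ip_network(tok.split()[1])
    addr, mask = tok.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_nat_exemption(cfg):
    """Return a list of findings; an empty list means the exemption covers the pool."""
    findings = []
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    if not m:
        return ["no 'nat (inside) 0 access-list ...' (NAT exemption) on inside"]
    acl = m.group(1)
    p = re.search(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)
    if not p:
        return ["no 'ip local pool' for the VPN clients"]
    pool, lo, hi = p.group(1), ipaddress.ip_address(p.group(2)), ipaddress.ip_address(p.group(3))
    aces = re.findall(rf"^access-list {re.escape(acl)} extended permit ip {ADDR} {ADDR}\s*$", cfg, re.M)
    covered = False
    for src, dst in aces:
        if src == "any":  # the exemption should name the inside subnet, not any
            findings.append(f"{acl}: source 'any' should be the inside subnet")
        dnet = _to_network(dst)
        if dnet is None or (lo in dnet and hi in dnet):
            covered = True
    if not covered:
        findings.append(f"{acl}: no ACE has pool {pool} ({lo}-{hi}) as destination")
    if not re.search(r"^sysopt connection permit-ipsec", cfg, re.M):
        findings.append("sysopt connection permit-ipsec is missing")
    return findings
```

`check_nat_exemption(BEFORE)` reports the 'any' source and the uncovered pool; `check_nat_exemption(AFTER)` returns an empty list.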


