VPN Client to PIX 7.2

ljohnson21
Level 1

I am new to PIX and I would like to set up a connection so I can connect to the PIX over the internet. I have the client software. What basic configuration can I use on the PIX to make this work?

8 Replies

Kamal Malhotra
Cisco Employee

Hi,

Try the following document :

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a008060f25c.shtml

HTH,

Please rate the post if it helps,

Regards,

Kamal

I was able to set up the client VPN connection, but once I have a connection I am not able to connect to any devices on the inside network. The client also gets a default gateway which is the same as its IP address. Is this normal? I am only able to ping the inside interface of the PIX but no other devices in the network. Any help would be greatly appreciated.

Thanks,

L

Hi,

Enable "isakmp nat-t" on the PIX.

Hope this helps !!

-Kanishka

Hi Kanishka,

I tried this command but it did not help. The host uses its own IP address as the default gateway. Is this normal? How can I change this?

Thanks,

If you do not have split tunneling enabled, the client will always have the pool IP as the default gateway. It's normal.

I would like to check the NAT rules on the PIX, if you can post them.

-Kanishka

The inside network is 1.1.1.0/24. Below are the ACLs and NAT rules.

ip local pool remotevpn 1.1.1.245-1.1.1.246 mask 255.255.255.252

access-list INSIDE_nat0_outbound extended permit ip any 1.1.1.244 255.255.255.252

global (OUTSIDE) 1 interface

nat (INSIDE) 0 access-list INSIDE_nat0_outbound

nat (INSIDE) 1 1.1.1.0 255.255.255.0

access-list OUTSIDE extended permit ip any any

access-list INSIDE_access_in extended permit ip any any

access-list OUTSIDE_access_in extended permit ip any any

access-group INSIDE_access_in in interface INSIDE

access-group OUTSIDE_access_in in interface OUTSIDE

access-group OUTSIDE out interface OUTSIDE

crypto isakmp nat-traversal 20

Thanks,

L

Hi,

It's not recommended to have a pool in the same subnet as the inside network, as it will lead to routing issues.

Change the pool to any other subnet and also make the corresponding changes in the NAT 0 ACL.

Let me know if this helps.

-Kanishka
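A corrected version of the posted configuration, added here as an illustration and not taken from the thread: the client pool is moved to its own subnet (192.168.100.0/24 is an assumed placeholder) and the NAT 0 ACL is rewritten so the exemption names the inside LAN as source and the new pool as destination, instead of "any" to the old 1.1.1.244/30 block.

```cisco
! Constructed example: VPN pool on a dedicated subnet instead of inside the 1.1.1.0/24 LAN
ip local pool remotevpn 192.168.100.1-192.168.100.254 mask 255.255.255.0

! NAT exemption must match inside LAN -> pool; the original "any 1.1.1.244/30" line is replaced
no access-list INSIDE_nat0_outbound extended permit ip any 1.1.1.244 255.255.255.252
access-list INSIDE_nat0_outbound extended permit ip 1.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (INSIDE) 0 access-list INSIDE_nat0_outbound

! Unchanged from the thread: PAT everything else leaving the inside interface
global (OUTSIDE) 1 interface
nat (INSIDE) 1 1.1.1.0 255.255.255.0

! Unchanged from the thread: NAT-T for clients sitting behind a home router
crypto isakmp nat-traversal 20
```

Inside hosts must be able to route replies for 192.168.100.0/24 back to the PIX inside interface; if their default gateway is a separate router rather than the PIX, add a static route for the pool subnet on that router.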

kaachary
Cisco Employee