VPN Client not connecting to the branch office

Unanswered Question

Hello folks -

We have a Cisco PIX 515E (6.3) that users VPN into. The PIX is at our main site, and we have 2 branch sites connected to the main site via point-to-point leased lines. Our main site address is 10.0.0./24, and one of our branch sites' address is When users VPN into the PIX, they can connect to everything at the main site but nothing at the branch site. There is a static route configured on the PIX on how to get to the branch site.

Any ideas on how to get this resolved?


Kamal Malhotra Tue, 03/13/2007 - 02:12


If I have understood correctly then you want a VPN client to connect to the main site and then be able to access the main site as well as the remote site. Probably what you are missing is a route for the VPN client pool on the remote site. Please also check the nat bypass settings on the remote site device. If it does not resolve your problem then please send me the running config of both the PIX at the main site and the device at the remote site (if it's a Cisco device). I would also appreciate it if you can send a topology diagram.


*Please rate if it helps,



kaachary Wed, 03/14/2007 - 02:26

Yes, that's correct. A PIX running 6.x code is not able to redirect traffic on any of its interfaces.

You might have to upgrade the code to 7.X.


Kamal Malhotra Wed, 03/14/2007 - 17:16


To my understanding, the router does not have a VPN tunnel to the outside interface of the PIX. Rather it is reachable via the inside interface of the PIX, something like:

Client----Internet---PIX---router---a network

What we are experiencing is a routing issue. If my understanding is correct then issue the following commands on the PIX and then try to connect the client to the PIX and access:

access-list SplTunnel permit ip any

access-list NoNat permit ip


*Please rate if it helps,



kaachary Thu, 03/15/2007 - 06:42


The setup is possible without upgrade, as you are not u-turning the traffic from the same interface.

First of all, I couldn't find any route on the PIX to reach

route inside

Also, I guess there's another router connected to the PIX inside interface. The router's IP might be

You need to put the following routes on this router:

ip route

Also, the split tunnel ACL and nonat ACL would look like this:

access-list SplTunnel permit ip

access-list NoNat permit ip

That should do it!

*Please rate if helped.
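The pieces kaachary and Kamal describe, put together as an added example (not configuration from either poster): the PIX needs an inside route to the branch network, a nat 0 exemption and a split-tunnel ACL that both cover the branch network, and every hop behind the PIX needs a return route for the VPN pool. All addresses are constructed assumptions: main site 10.0.0.0/24 with the PIX inside interface at 10.0.0.1 and the main-site router at 10.0.0.2, branch 10.1.0.0/24, VPN pool 192.168.100.0/24, vpngroup name remoteusers.

```cisco
! ---- PIX 515E, 6.3 code (main site) ----
! Pool handed to VPN clients (constructed range)
ip local pool VPNPOOL 192.168.100.1-192.168.100.50

! Static route so the PIX forwards branch-bound traffic to the inside router
route inside 10.1.0.0 255.255.255.0 10.0.0.2 1

! NAT exemption: both the main site AND the branch network must be listed,
! otherwise branch-bound client traffic is NATed and the return path breaks
access-list NoNat permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NoNat permit ip 10.1.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NoNat

! Split-tunnel ACL: only these networks go through the tunnel; a client cannot
! reach the branch if 10.1.0.0/24 is missing here, and listing only what is
! needed keeps the rest of the client's traffic out of the corporate path
access-list SplTunnel permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list SplTunnel permit ip 10.1.0.0 255.255.255.0 192.168.100.0 255.255.255.0

vpngroup remoteusers address-pool VPNPOOL
vpngroup remoteusers split-tunnel SplTunnel
sysopt connection permit-ipsec

! ---- Main-site router at 10.0.0.2 (IOS) ----
! Return route for the pool back toward the PIX inside interface
ip route 192.168.100.0 255.255.255.0 10.0.0.1

! ---- Branch router (IOS), far end of the leased line ----
! Without this the branch can receive client packets but replies are dropped;
! next hop is the main-site router's serial address (constructed)
ip route 192.168.100.0 255.255.255.0 172.16.0.1
```

A quick check from a connected client is a traceroute to a branch host: if it stops at the main-site router, the pool route is missing on the branch side; if it never leaves the client, the split-tunnel ACL does not include the branch network.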


soklamarhy Fri, 03/16/2007 - 07:28

I am having this very similar issue with our network. I have Pix ver. 6.3(5). My VPN clients cannot ping the router used to access the remote site, which is

I have the line access-list splittunnel permit ip host host

nonat permit

Everyone inside the firewall is able to ping

Any thoughts on why VPN clients aren't able to ping which is the router used to access the branch site?

