vpn client conects but cannot access internal network

Unanswered Question
Mar 13th, 2007


i have configured the client vpn on pix 515E and the user can connect successfully but they don't get any internal access to any servers also cannot browse internet.

my config is attached

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Kamal Malhotra Tue, 03/13/2007 - 06:15


The access-list acl_inside does not have traffic permitted from inside to the pool range. Please get that corrected. As far as Internet access is concerned,we'll have to further look into it.


Please rate if it helps,



zulqurnain Tue, 03/13/2007 - 22:07

hello kamal,

i tried by allowing even everything on the acl_inside yet same results.

oabduo983 Tue, 03/13/2007 - 11:27


Make sure you have a route inside statment to the place where you want to reach. Also make sure you are connecting to the VPN without going through a NAT device (use NAT-Transparent feature to fix this problem, but before that see what happens if you connect to it throu a dialup connection as you will be getting into it without translation)...

Please rate if this helps

Osama Abduo

acomiskey Tue, 03/13/2007 - 11:43

these are not correct...the source is wrong, should be your inside network which you would like to cross the tunnel.

access-list nonat permit ip

access-list split-vpn permit ip

zulqurnain Tue, 03/13/2007 - 22:16


you mean it should be like

access-list nonat permit ip

acomiskey Wed, 03/14/2007 - 05:50

You want vpn clients to access inside servers. So you need to specify the correct nat exemption. You can do this by host or by subnet.

access-list nonat permit ip


access-list nonat permit ip host

zulqurnain Wed, 03/14/2007 - 14:32


with respect, if you look at my config this is what i had done

access-list nonat permit ip

so what's wrong now?

acomiskey Wed, 03/14/2007 - 15:22

Well, the source looked wrong, the mask doesn't match. Do you want or do you want a single host, ?

zulqurnain Wed, 03/14/2007 - 22:07

well it would be good if i allow the subnet instead of single host.

i am running out of options here so please everyone, i need help.

zulqurnain Thu, 03/15/2007 - 01:31

when ever i connect vpn client i am receving this message on my syslog

# Generated by SysLog Monitor

# Version 8.0.19

# 3/15/2007 11:19:14 AM


# Syslog Monitor

Date/Time Hostname Priority Message

"3/15/2007 11:10" Info "Jan 03 1993 23:27:43: %PIX-6-110001: No route to from "

"3/15/2007 11:10" Info "Jan 03 1993 23:27:32: %PIX-6-110001: No route to from "

"3/15/2007 11:10" Info "Jan 03 1993 23:27:22: %PIX-6-110001: No route to < outside gateway IP for PIX> from "

even though i have added the route

also i read in one of the documents that it all has to do with the way the PIX processes traffic (i.e. it's order of operation). The most important thing to remember about the PIX is that one of the first things it attempts to do is NAT, even before it looks at the routing table. This message will typically appear if the PIX has a descrepancy between the NAT table and the routing table.

meaning configuration output has missing information about your NAT translations (globals, nats, statics). This is most likely the section of the configuration where the problems are. Yes, even though the logs say it's a routing problem, it's not. It is NAT.

so help would be really great

acomiskey Thu, 03/15/2007 - 06:12

My point is, you have this

It doesn't make sense and I'm surprised the pix even took it. The mask does not match! Not sure on your routing errors though. What is, your client ip?

zulqurnain Thu, 03/15/2007 - 06:32

yes its my client ip and as for , let me tell you with respect that i changed my ip's as i was posting them to public.

acomiskey Thu, 03/15/2007 - 06:42

Ok, no harm done. So you do have something like

zulqurnain Fri, 03/16/2007 - 11:08


okay lets just imagine i have in my network hope this will help you understnad my config more clarly

acomiskey Fri, 03/16/2007 - 11:17

If is your vpn client subnet, you should not have route , as you have stated you entered above.

oh, and not to be picky, but it's much harder to troubleshoot when you don't have all the right info. The mask doesn't match for this either


This Discussion