PIX Remote Access VPN with Cisco VPN Client

Mar 26th, 2007

I've set up a remote access VPN and everything seems to connect just fine, and I receive an IP address from the address pool; however, I cannot access ANY resources on the network. The only thing I can ping is myself.

Also, I'm not getting a default gateway on the VPN adapter once I connect to the VPN. A gateway shouldn't be needed, as I'm trying to access resources in the same subnet as the IP pool, but I should still be able to specify a gateway.

I've been reading on here that it assigns the lowest IP in the subnet of the IP pool, but can I specify a gateway instead?

Here is my relevant config:

ip local pool vpnpool mask
global (outside) 1 interface
nat (inside) 1 0 0
route inside x.x.x.x 1
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set ErieSet esp-3des esp-md5-hmac
crypto ipsec transform-set Tunnel-Set-Info esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ITVPNset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set ErieSet
crypto dynamic-map ITVPNmap 10 set transform-set ITVPNset
crypto map ErieMap 10 ipsec-isakmp dynamic dynmap
crypto map ErieMap client configuration address respond
crypto map ErieMap client authentication RADIUS
crypto map Eriemap 10 ipsec-isakmp dynamic ITVPNmap
crypto map Eriemap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup WestTownVPN address-pool vpnpool
vpngroup WestTownVPN dns-server
vpngroup WestTownVPN wins-server
vpngroup WestTownVPN default-domain mydomain.com
vpngroup WestTownVPN split-tunnel UserVPN
vpngroup WestTownVPN idle-time 1800
vpngroup WestTownVPN password ********
telnet inside
telnet timeout 20
ssh outside
ssh timeout 5
console timeout 0
terminal width 80

rselmecz Tue, 03/27/2007 - 00:49

What is in the UserVPN access-list?

This determines what should go through the tunnel from the client.

Also what is the exact routing and NAT 0 config?

Is there any ?

mfreijser Tue, 03/27/2007 - 03:51

You didn't exclude the traffic to the VPN Client from the NAT process. It is also a best practice to assign a different subnet for your VPN Clients rather than the same as your inside network.

You need to add the following commands to your configuration:

access-list nonat permit ip

nat (inside) 0 access-list nonat

Please rate if the post helps!
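As an added example, not configuration from either poster: the two commands above placed in context on a PIX 6.3, together with the client pool moved to its own subnet as the reply recommends. The inside LAN (192.168.10.0/24), the new pool range (192.168.50.1-192.168.50.100) and the ACL names are invented placeholders; substitute your own.

```cisco
: Added example, not the original poster's configuration. Addresses are invented:
:   inside LAN 192.168.10.0/24, VPN client pool 192.168.50.0/24 (separate from inside).
: Replace the existing pool with one on its own subnet (clear active sessions first).
no ip local pool vpnpool
ip local pool vpnpool 192.168.50.1-192.168.50.100 mask 255.255.255.0
: Exempt inside <-> client traffic from NAT. nat (inside) 0 with an access-list is
: evaluated before nat (inside) 1 0 0, so replies to clients keep their real source
: address instead of being translated to the outside interface address.
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
: Split-tunnel ACL: only traffic for the inside LAN is sent through the tunnel.
access-list UserVPN permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
vpngroup WestTownVPN address-pool vpnpool
vpngroup WestTownVPN split-tunnel UserVPN
: Verification after the client reconnects (assumed check, not from the thread).
show crypto ipsec sa
show xlate
```

After reconnecting, ping an inside host from the client and watch the `#pkts encaps` and `#pkts decaps` counters in `show crypto ipsec sa`. If `decaps` increases but `encaps` does not, the PIX is receiving the client's packets but the replies are not going back into the tunnel; `show xlate` then shows whether they are being translated, which is the symptom the NAT exemption above is meant to remove. Inside hosts must also be able to route the pool subnet back to the PIX, which is normally the case when the PIX is their default gateway.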