Cisco VPN Client v5 to Pix behind another PIX

Unanswered Question
Aug 27th, 2007

We've got several remote locations with PIX 501s. I want to be able to access them with the desktop client (on XP Pro) from anywhere. The problem occurs when I'm behind another PIX: authentication seems to work fine, the gold lock icon locks and I get an IP address on the remote LAN. However, I can't ping or access resources on either the remote or the local LAN. When I'm not behind a PIX, everything works fine. I've got "sysopt connection permit-ipsec" and "isakmp nat-traversal" enabled.

b.speltz Fri, 08/31/2007 - 12:10

The reason you are not able to access resources on the remote LAN is because the PIX does not redirect traffic, so the tunnel will get set up but the traffic will not flow. In your case, when you connect a VPN client to a PIX behind another PIX, the first PIX does not redirect the traffic to the second PIX, and so you do not get connectivity to the remote LAN. The PIX cannot be configured to redirect the VPN traffic. The reason you are not able to get access to the local LAN, which probably is behind the first PIX, is because the tunnel is to the second PIX, and this PIX will not redirect the traffic to the first PIX.

josephconklin Sat, 09/01/2007 - 08:39

No problem, I figured this out. We needed "isakmp nat-traversal" on the remote PIX (with VPN configured) not the local one.
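
For reference, an added configuration example (not from the thread or from either poster) of the relevant remote-site PIX settings, in PIX 6.3 syntax: NAT traversal belongs on the PIX that terminates the client tunnel, so that ESP is carried in UDP/4500 and survives the PAT on the PIX the client sits behind. Hostnames, addresses, pool, group name and the AES transform (6.3(1) or later) are assumptions, not values from the original post.

```cisco
! Remote-site PIX 501 terminating the Cisco VPN Client tunnel (PIX 6.3 syntax assumed).
! Addresses, names and the group password are placeholders, not from the thread.
ip local pool vpnpool 192.168.100.1-192.168.100.20
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
! Let decrypted client traffic bypass the outside ACL.
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client authentication LOCAL
crypto map vpnmap interface outside
isakmp enable outside
! The fix from the thread: NAT-T on the tunnel-terminating PIX (20 s keepalives).
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers password <group-password-placeholder>
! Verify after a client connects: "show isakmp sa" should show the peer, and
! "show crypto ipsec sa" should list UDP-Encaps in the in-use settings when
! NAT-T is active. The PIX in front of the client only needs outbound
! UDP/500 and UDP/4500 permitted, which is the default outbound behaviour.
```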
