Unable to get to internal resources after successfully tunneling-in!!

Unanswered Question
Nov 16th, 2007
User Badges:

I have configured an IPSec remote access VPN connection and I'm successfully able to establish the tunnel but I can not get to any of my LAN internal

resources. I'm able to ping PIX's internal interface ( and even telnet to it from the VPN client, once logged into the PIX I'm able to ping all /24 internal resources from inside interface but wont work from the VPN client ( /24)

Heres the scenario

INTERNET---->1800SERIES--->PIX515e-->LAN( /24)

1800 SERIES 201.190.x.9 /30

PIX515e 201.190.x.10 /30

Below is a clean run-config regarding mostly the VPN statement for ease of reading....

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security50

enable password T5Gug97KpLnrmPci encrypted

passwd NHrPq0iSfkVBUBUb encrypted

hostname PIX515e

domain-name tecmant.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

!!! ACL for split tunneling

access-list 101 permit ip

!!! ACL form interesting traffic

access-list 102 permit ip

access-list 102 permit icmp echo

access-list 102 permit icmp echo-reply

pager lines 24

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

ip address outside 201.190.X.10

ip address inside

ip address DMZ

ip audit info action alarm

ip audit attack action alarm

!!! Pool of addresses to be assigned to Remote clients

ip local pool VPNPOOL

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (outside) 1 0 0

nat (inside) 1 0 0

route outside 201.190.X.9 1

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http inside

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

!!!Allow IPSec to pass through

sysopt connection permit-ipsec

!!! IKE phase 2 negotiation

crypto ipsec transform-set TECMANT-VPN esp-3des esp-sha-hmac

crypto dynamic-map VPN-MAP 10 set transform-set TECMANT-VPN

crypto map STATIC-VPN-MAP 10 ipsec-isakmp dynamic VPN-MAP

crypto map STATIC-VPN-MAP interface outside

!!!Allow ISAKMP prot on outside int.

isakmp enable outside

isakmp identity address

!!!IKE phase 2

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

VPN Group Policies

vpngroup VPN-TECMANT address-pool VPNPOOL

vpngroup VPN-TECMANT dns-server

vpngroup VPN-TECMANT split-tunnel 101

vpngroup VPN-TECMANT idle-time 1800

vpngroup VPN-TECMANT password ********

telnet timeout 5

ssh inside

ssh inside

ssh inside

ssh timeout 60

management-access inside

console timeout 0

!!! DHCP server enable for internal clients

dhcpd address inside

dhcpd dns

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable inside

terminal width 80


: end

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
ajagadee Fri, 11/16/2007 - 09:14
User Badges:
  • Cisco Employee,

You need NAT 0 configuration to bypass NAT for vpn clients.

nat (inside) 0 access-list 110

access-list 110 permit ip

This should solve your IP Reachability issue from the VPN Clients.

Also, I am curious to know why you have this statement in the configuration.

nat (outside) 1 0 0



* Please rate helpful posts *

glenn.guzman Fri, 11/16/2007 - 16:47
User Badges:

Thx a bunch!! Working just fine....


about the nat (outside) 1 0 0 statement... thats a typo.. i forgot to exclude that on the running-config i posted...

ajagadee Sun, 11/18/2007 - 08:08
User Badges:
  • Cisco Employee,

Thanks for the update and rating.




This Discussion