PIX and VPN group Problem

Jan 18th, 2008


I have attached the config for our PIX firewall. Any tips would be appreciated.

The problem I am having is with remote clients and the vpngroup setup on the PIX. When a client VPNs to the PIX using the vpngroup login and password, they are assigned a 192.168.99.xx IP address. The internal IP subnet for all devices behind the PIX is 192.168.0.xxx. The VPN clients can access all devices on the 192.168.0.xx subnet, but I need to be able to allow the clients to access other devices on our network that are outside the PIX. For example, I have several nodes that are assigned 192.168.20.xxx IP addresses that are outside the PIX. None of the vpngroup clients can access this subnet or any other subnet besides the internal PIX block. From any device or server behind the PIX with a 192.168.0.xx IP, I can access everything just fine.

Also, when using the Cisco PIX client, I have noticed that the machine that is VPN'd to the PIX is not using the PIX as the default gateway to the outside world. Outside traffic is still routed over the client's primary Internet connection. I need to have all traffic route through the PIX. Is this possible?



ajagadee Fri, 01/18/2008 - 08:25
User Badges:
  • Cisco Employee,

Your current configuration has split tunnel configured and you are permitting the clients to access only network. If you want to allow clients to access additional networks, please do add the appropriate networks to the split tunnel and nonat statements. Also, make sure that your internal networks know that they need to route the packets to the PIX for traffic destined to the pool of IP addresses for the VPN Clients.

vpngroup vpn3000-all split-tunnel nonat

access-list nonat permit ip

Since you have split tunnel configured, all networks configured under split tunnel will be routed to the PIX and all other traffic will follow the client's Internet connection.

Now, to answer the second part of your question, if you disable split tunnel and tunnel all traffic to the PIX, then you need 7.x code or higher on the PIX to support what is called intra-interface and send the traffic to the Internet and your LAN. Please refer to the below URL for details:


In your case, if you cannot upgrade to 7.x, then you need another router or firewall in your network that directs traffic for the VPN Client Pool.

Let me know if it helps.



* Please rate if it helps *
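
Added example, not part of the original thread or the poster's attached config: a Python check of the advice above that networks added to the split tunnel also need matching nonat statements. The sample configuration is constructed; the separate ACL named "split", the /24 masks and the helper names are assumptions, and only plain "permit ip <net> <mask> <net> <mask>" lines are parsed.

```python
import ipaddress
import re

# Constructed PIX 6.x-style configuration (not the poster's attachment).
# The /24 masks are assumptions; the thread only gives 192.168.x.xx forms.
SAMPLE_CONFIG = """\
access-list split permit ip 192.168.0.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list split permit ip 192.168.20.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.99.0 255.255.255.0
nat (inside) 0 access-list nonat
vpngroup vpn3000-all split-tunnel split
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_acls(config):
    """Return {acl_name: set of (source_net, dest_net)} for 'permit ip' lines."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # 'host'/'any' forms and other commands are skipped
        name, src, smask, dst, dmask = m.groups()
        pair = (ipaddress.ip_network(f"{src}/{smask}"),
                ipaddress.ip_network(f"{dst}/{dmask}"))
        acls.setdefault(name, set()).add(pair)
    return acls


def referenced_acl(config, pattern):
    """Name of the ACL referenced by the first line matching pattern."""
    m = re.search(pattern, config, re.MULTILINE)
    return m.group(1) if m else None


def missing_nonat(config):
    """Split-tunnel (source, pool) pairs that no nonat entry covers."""
    acls = parse_acls(config)
    split = referenced_acl(config, r"^vpngroup \S+ split-tunnel (\S+)$")
    nonat = referenced_acl(config, r"^nat \(\S+\) 0 access-list (\S+)$")
    exempt = acls.get(nonat, set())
    return sorted(
        (str(s), str(d)) for s, d in acls.get(split, set())
        if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)
    )


if __name__ == "__main__":
    for src, pool in missing_nonat(SAMPLE_CONFIG):
        print(f"split-tunnel entry {src} -> {pool} has no nonat match")
```
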

Jesse Hottle Fri, 01/18/2008 - 11:35


I added the following to my nonat list:

access-list nonat permit ip

I also created a route pointing network to the outside interface of my PIX. I still cannot reach anything. I do not think the outside interface is allowing the replies to the network to pass.


ajagadee Fri, 01/18/2008 - 11:46
User Badges:
  • Cisco Employee,

Couple of things:

1. Is it or I guess that's a typo.

2. If it is, did you have the VPN Client disconnect and connect again to see if the split tunnels are passed on correctly?

2. Does the know that they need to route the packets destined for to the PIX?

3. Can you also post the outputs of "show crypto ipsec sa" when you are not able to ping the

4. Also, don't remember to do a clear xlate after making the changes.



