PIX 501--Software VPN connection, client can't reach LAN

Unanswered Question
Feb 26th, 2008

Dear Netpros,

I have a PIX 501 which I have set up to accept connections via Cisco VPN client. I am able to connect and receive an IP from the NEW_VPN_POOL, but I can't reach hosts on the LAN. I think my access rule 201 needs to be modified, but I am not sure. Could you look at my config and suggest what I may need to add? Many thank yous, Julian

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname firewall
domain-name fw.com
clock timezone EST -5
clock summer-time EDT recurring
access-list inside_outbound_nat0_acl permit ip any
access-list inside_outbound_nat0_acl permit icmp any any
access-list 102 permit ip
access-list pub [permit a bunch of stuff]
access-list 101 permit ip any any
pager lines 24
logging on
logging console errors
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool NEW_VPN_POOL
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 102
nat (inside) 1 0 0
nat (inside) 1 0 0
static (inside,outside) netmask 0 0
access-group pub in interface outside
conduit permit icmp any any
route outside gw 1
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 11 set transform-set myset
crypto map mymap 11 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp client configuration address-pool local NEW_VPN_POOL outside
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 86400
isakmp policy 22 authentication pre-share
isakmp policy 22 encryption des
isakmp policy 22 hash md5
isakmp policy 22 group 2
isakmp policy 22 lifetime 86400
vpngroup CSH_OFFSITE address-pool NEW_VPN_POOL
vpngroup CSH_OFFSITE dns-server
vpngroup CSH_OFFSITE wins-server
vpngroup CSH_OFFSITE default-domain password
vpngroup CSH_OFFSITE idle-time 1800
vpngroup CSH_OFFSITE password ********
telnet inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn enable outside
dhcpd address inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end

julianunderwood Wed, 02/27/2008 - 04:49

I solved my own problem with this command:

isakmp nat-traversal [natkeepalive]
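As an added example (not from this thread and not Cisco code), a small Python checker that scans a PIX 6.x-style config for the conditions behind the symptom described above: a remote-access IPsec setup without isakmp nat-traversal, and a nat 0 exemption ACL that does not cover the VPN pool. The sample config, its RFC 5737 addresses and the function names are constructed for the example.

```python
"""Lint a PIX 6.x remote-access VPN config for the pitfalls raised in this thread.
Added example; not Cisco's code or the poster's config. The sample config below is
constructed with RFC 5737 addresses; all names are hypothetical."""
import ipaddress
import re

# Constructed sample that mirrors the thread's layout with addresses filled in.
SAMPLE_CONFIG = """\
access-list 102 permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
ip local pool NEW_VPN_POOL 198.51.100.10-198.51.100.50
nat (inside) 0 access-list 102
crypto map mymap 11 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
sysopt connection permit-ipsec
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
POOL_RE = re.compile(r"^ip local pool (\S+) (\d+(?:\.\d+){3})-", re.M)
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)", re.M)

def lint_vpn_config(config: str) -> list:
    """Return findings as strings; an empty list means nothing to report."""
    has = lambda prefix: re.search("^" + re.escape(prefix), config, re.M) is not None
    findings = []
    # 1. NAT traversal: without it IKE completes (the client gets a pool address) but
    #    ESP from a client behind a NAT device is dropped, which is this thread's symptom.
    if has("crypto map ") and has("isakmp enable ") and not has("isakmp nat-traversal"):
        findings.append("isakmp nat-traversal missing: clients behind NAT get an "
                        "address but ESP data traffic will not pass")
    # 2. NAT exemption: the nat 0 ACL must cover LAN-to-pool traffic so the PIX
    #    does not translate it before encryption.
    pool, nat0 = POOL_RE.search(config), NAT0_RE.search(config)
    if pool and not nat0:
        findings.append("no nat 0 (NAT exemption) ACL bound to the inside interface")
    elif pool and nat0:
        first = ipaddress.ip_address(pool.group(2))
        covered = False
        for name, _src, _smask, dst, dmask in ACL_RE.findall(config):
            if name == nat0.group(1) and dst != "any":
                covered |= first in ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        if not covered:
            findings.append(f"nat 0 ACL {nat0.group(1)} does not cover pool {pool.group(1)}")
    # 3. sysopt connection permit-ipsec lets decrypted traffic bypass the outside ACL.
    if has("crypto map ") and not has("sysopt connection permit-ipsec"):
        findings.append("sysopt connection permit-ipsec absent: outside ACL must "
                        "explicitly permit decrypted client traffic")
    return findings
```

Feed it the output of `show running-config` (or `write terminal` on a PIX) to check a real device; the constructed sample reproduces the thread's missing nat-traversal finding.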
