PIX 506E VPN Cant Ping

JORGE RODRIGUEZ Mon, 05/26/2008 - 17:37

Does your config have NAT-T enabled? If not, please enable it and try; if no joy, please post a sanitized PIX config. It could be your ACL not allowing the VPN pool network access to your inside network.

PIX(config)#isakmp nat-traversal 20

Yes, tried that and still not working:

Config below:

access-list vpn permit ip host
access-list split_vpn ip host
ip local pool vpnpool mask
crypto ipsec transform-set espvpn esp-des esp-md5-hmac
crypto dynamic-map money 10 set transform-set espvpn
crypto map pixnet 10 ipsec-isakmp dynamic money
crypto map pixnet client configuration address initiate
crypto map pixnet client authentication LOCAL
crypto map pixnet interface outside
isakmp nat-traversal 20
vpngroup vpnclient address-pool vpnpool
vpngroup vpnclient dns-server
vpngroup vpnclient split-tunnel split_vpn
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password *******

JORGE RODRIGUEZ Mon, 05/26/2008 - 18:16

Any nat statements?

I would add the below statement; please try it and let me know.

nat(inside) 0 access-list vpn

JORGE RODRIGUEZ Mon, 05/26/2008 - 18:53

One thing I have noticed is your VPN pool range; you would normally configure a range.

ip local pool vpnpool mask

I do not think a connected host would get an IP from the pool. When the client connects, can you issue "show ip local pool" to confirm that an address has been provided by your current VPN pool?

Normally you would configure a range in this syntax:

ip local pool vpnpool 192.168.10.xx-192.168.10.xx

Enabling NAT-T should have resolved it, but I wonder if your VPN pool is your issue.

JORGE RODRIGUEZ Mon, 05/26/2008 - 19:35

The host you are trying to ping, does it respond to pings from the internal LAN?

Note that this is the only host permitted in your ACL.

husycisco Mon, 05/26/2008 - 21:57

Hi Jorge, nice new badge m8 :)

Ralema, can you please attach your full sanitized config?

francisco_1 Tue, 05/27/2008 - 14:52


I suggest that next time you upload your config, you remove any passwords / public IPs.

husycisco Wed, 05/28/2008 - 01:51

Please make the below modifications:

no vpngroup pixnet split-tunnel 110

vpngroup pixnet split-tunnel 120

fixup protocol icmp

Also, I see a statement with "tcp" in your ACL 110, which is your NAT exempt ACL. It is not recommended to use port statements in network ACLs on firewall devices (split tunnels, NATs), as it impacts the L3 processing of the firewall, which then also has to process the port portion of packets during routing.

Also, you know that you've permitted your VPN clients to establish connections with only and , so try pinging them. Also make sure no software firewall is enabled; if one is enabled, modify its exceptions accordingly (Windows Firewall exceptions by default permit traffic from the same subnet! That will drop VPN client connections).
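For reference, here is how the pieces the replies above ask for fit together on a PIX 6.3-class box: Jorge's range-style pool and nat 0 exemption, and Huseyin's ip-only split-tunnel/exempt ACL plus fixup protocol icmp. This is an added example written for this thread, not Ralema's config or anything posted by the other participants; the inside network (10.1.1.0/24), the pool range (192.168.10.100-150), the ACL name nonat and the DNS address are constructed placeholders, and the pre-shared key is left as a placeholder.

```text
: Added example config (constructed, not from the thread). Inside LAN assumed
: 10.1.1.0/24, VPN pool assumed 192.168.10.100-192.168.10.150.

: Pool as a range, so every client gets its own address
ip local pool vpnpool 192.168.10.100-192.168.10.150 mask 255.255.255.0

: NAT-exempt ACL: plain "ip" entries only, no tcp/port matches
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat

: Split-tunnel ACL: the inside network the clients are allowed to reach,
: again ip-only (the client installs routes for these destinations)
access-list split_vpn permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0

: Let decrypted VPN traffic bypass the outside interface ACL, and let the
: firewall track ICMP echo/reply so test pings get back to the client
sysopt connection permit-ipsec
fixup protocol icmp

: Phase 1 / Phase 2, keeping the thread's transform set and map names
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set espvpn esp-des esp-md5-hmac
crypto dynamic-map money 10 set transform-set espvpn
crypto map pixnet 10 ipsec-isakmp dynamic money
crypto map pixnet client configuration address initiate
crypto map pixnet client authentication LOCAL
crypto map pixnet interface outside

: Group policy pushed to the Cisco VPN Client
vpngroup vpnclient address-pool vpnpool
vpngroup vpnclient dns-server 10.1.1.10
vpngroup vpnclient split-tunnel split_vpn
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password <group-pre-shared-key>

: Checks after a client connects
show ip local pool vpnpool
show crypto isakmp sa
show crypto ipsec sa
```

The two show crypto commands confirm that Phase 1 and Phase 2 came up (a NAT-T client shows UDP 4500 as the peer port); show ip local pool confirms an address was actually handed out, which is the check Jorge asked for. If the pool, the exempt ACL and the split-tunnel ACL all describe the same inside network and the pool subnet does not collide with the client's own LAN, a ping to an inside host that answers ICMP should succeed.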

JORGE RODRIGUEZ Wed, 05/28/2008 - 05:52

Huseyin good to hear from you friend!!

Ralema, do as Huseyin suggested you'll be running in no time.

husycisco Thu, 05/29/2008 - 02:15

The NAT traversal suggestion by Jorge just fits the issue, but you already have it.

A couple of things to check:

Make sure the PC, which connects to the VPN and acquires a 192.168.10.x address, doesn't have an IP address locally assigned to its NIC within the same 192.168.10.x subnet.

Try connecting to a port instead of pinging to check connectivity. For example, enable Remote Desktop on the remote host, run netstat -an and make sure 3389 is listening, then from the VPN client run telnet remoteclientIP 3389 and wait to get a blank screen.

Right-click the VPN icon in the bottom-right, click Statistics, then the Route Details tab. Make sure the clients you are trying to reach are listed in the right pane.

Save your config and reload the firewall.

On the client side, open the VPN Client GUI, click Log, then click Enable. Then click Log Window. Try pinging somewhere, then paste here the logs you see in that window.

Run ASDM and enable its built-in syslog, catch some syslogs related to the traffic and paste them here.

Farrukh Haroon Tue, 06/10/2008 - 18:22

Try 3 things:

1) Make sure the VPN Client has IPsec over UDP/NAT-T enabled. It's there by default, but someone could have removed the check.

2) Are you sure you are trying to RDP to or (FIFTEEN) and not ? Because is not in your split tunnel ACL.

3) If you do 'route print' on the Windows box after the VPN connection, do you see that are directed through the VPN tunnel?

Farrukh Haroon Wed, 06/11/2008 - 17:54

Does it still not work? Does the VPN Client tell you that Transparent Tunneling is active, on the Status tab?
