VPN Connects but cannot access anything

Been struggling with this for over a week now, using some of the forum posts and docs to resolve - getting close...so any help is much appreciated.

I'm using a PIX 501 to provide vpn access to my internal network. I've gotten the configuration to the point where I can connect to the VPN from the Internet but once I do so I cannot rdp, map a drive, etc. to any servers. I can ping the outside interface of the pix when connected via VPN, but that's it.

The configuration is:

Internet --> dlink dir-625 (forwarding to pix, inside ip is --> pix (outside is, inside is

When I have a device plugged into the pix directly it gets a 192.168.1.x address and can access everything on 10.1.1.x fine. I don't see anything that indicates errors in the pdm log or in the ipsec logging that I enabled - I used to get "no route from x to y" but I don't see them anymore with the current config which is attached. Thanks for any tips!

jdlampard Wed, 06/25/2008 - 19:17

Looks like you're missing an ACL for traffic that should not be NATed and an associated NAT statement such as.....

nat (inside) 0 access-list nonat

Also, you'll need an ACL to define interesting traffic--the traffic that needs encrypted.

Then these need applied accordingly in your crypto and vpngroup statements.

Hope this helps,


Thanks for your reply!

I *think* I have those statements in there:

This is my acl:

access-list 101 permit ip any

This is the nat statement:

nat (inside) 0 access-list 101

I've checked the command reference and don't see where the acl 101 should be directly referenced in a crypto statement. And the vpngroup statements only reference the acl for the split tunnel line (I've changed that to reference acl 101 - it was 102 in what I posted). Sorry to be so dense but it seems like these statements are in there...Thanks.
