vpn established on router but cant hit inside

Unanswered Question
Jul 12th, 2008
User Badges:

hello guys,

another situation....

3725 router --- pix v5.1 --- 4507 ---

i successfully established a remote access vpn to the 3725 router...but i am unable to ping any devices from my laptop nor can i ping my device from the pix...

any thoughts...

thanks in advance...

here are my configs for the router and pix




aaa authentication login userauthen local

aaa authorization network groupauthor local

aaa session-id common

ip subnet-zero


ip cef

ip audit notify log

ip audit po max-events 100

no ip domain lookup

ip ssh break-string

no ftp-server write-enable



crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

crypto isakmp xauth timeout 60


crypto isakmp client configuration group 3000client

key cisco123

pool ippool

crypto isakmp profile VPNclient

description VPN Clients Profile

match identity group 3000client

client authentication list userauthen

isakmp authorization list groupauthor

client configuration address respond


crypto ipsec transform-set myset esp-3des esp-sha-hmac


crypto dynamic-map dynmap 10

set transform-set myset

set isakmp-profile VPNclient


crypto map clientmap 10 ipsec-isakmp dynamic dynmap discover



interface FastEthernet0/0

ip address xxxxx

speed 100


crypto map clientmap


interface Serial0/0

bandwidth 512

no ip address

encapsulation frame-relay IETF

no fair-queue

service-module t1 timeslots 1-8

frame-relay lmi-type ansi


interface Serial0/0.1 point-to-point

ip address xxxxx

frame-relay interface-dlci 532


interface FastEthernet0/1

no ip address


duplex auto

speed auto


ip local pool ippool

ip route Serial0/0.1



PIX Version 5.1(4)

access-list 101 permit ip host

ip address outside xxxx

ip address inside

ip address pix/intf2

global (outside) 1 xxxx netmask

nat (inside) 1 0 0

static (inside,outside) netmask 0 0

route outside xxxx 1

route inside 1

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
michael.leblanc Sat, 07/12/2008 - 08:24
User Badges:
  • Silver, 250 points or more

Add "reverse-route" to your dynamic crypto map to facilitate a return path to the IPSec client.

It will inject a route into the routing table.

crypto dynamic-map dynmap 10

set transform-set myset

set isakmp-profile VPNclient


szajihsaniatan Sat, 07/12/2008 - 13:19
User Badges:

i added that, but no luck...should i allow that in the pix since it sees it from the outside interface?


This Discussion