PIX 6.3 - remote-access VPN - one way traffic issue

anowell
Level 1

I have been trying to set up remote access for a client and I'm running into an issue with traffic flowing only one way.

When I ping from the client (10.10.100.1) to a computer behind the PIX (10.10.11.2) I can see the client sending packets through the tunnel, but nothing is received back. When I do a "show crypto ipsec sa" on the PIX I do NOT see any encrypts or decrypts. Below is my config.

THANKS!

-----------

CParkPIX(config)# sh run

: Saved

:

domain-name example.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

object-group icmp-type ICMP_Types

icmp-object source-quench

icmp-object time-exceeded

icmp-object unreachable

icmp-object echo-reply

access-list outside permit icmp any any object-group ICMP_Types

access-list 1 permit ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list 2 permit ip 10.10.11.0 255.255.255.0 10.10.12.0 255.255.255.0

access-list clientvpn permit ip any any

access-list VPN_Client_NONAT permit ip 10.10.12.0 255.255.255.0 10.10.101.0 255.255.255.0

pager lines 24

logging on

logging timestamp

logging buffered warnings

mtu outside 1500

mtu inside 1500

ip address outside x.x.x.x 255.255.255.248

ip address inside 10.10.11.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool VPNPool 10.10.101.1-10.10.101.5 mask 255.255.255.0

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group outside in interface outside

route outside 0.0.0.0 0.0.0.0 96.10.27.49 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

ntp server 192.5.41.41 source outside

ntp server 192.5.41.40 source outside prefer

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt ipsec pl-compatible

crypto ipsec transform-set J&F esp-3des esp-md5-hmac

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map J&F_VPN 10 ipsec-isakmp

crypto map J&F_VPN 10 match address 1

crypto map J&F_VPN 10 set peer x.x.x.x

crypto map J&F_VPN 10 set transform-set J&F

crypto map J&F_VPN 20 ipsec-isakmp

crypto map J&F_VPN 20 match address 2

crypto map J&F_VPN 20 set peer x.x.x.x

crypto map J&F_VPN 20 set transform-set J&F

crypto map J&F_VPN 30 ipsec-isakmp dynamic dynmap

crypto map J&F_VPN client configuration address initiate

crypto map J&F_VPN client configuration address respond

crypto map J&F_VPN client authentication LOCAL

crypto map J&F_VPN interface outside

isakmp enable outside

isakmp key ******** address x.x.x.x netmask 255.255.255.255

isakmp key ******** address x.x.x.x netmask 255.255.255.255

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption aes-256

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

vpngroup CaryPark address-pool VPNPool

vpngroup CaryPark dns-server 208.67.222.222 208.67.220.220

vpngroup CPark default-domain example.com

vpngroup CPark split-tunnel clientvpn

vpngroup CPark idle-time 1800

vpngroup CPark password ********

management-access inside

username tony password ipMhl3WOdHCMyFxg encrypted privilege 2

Accepted Solution

Hi,

The show output really helps. OK, the IPSEC packets are not even making it to the Pix Firewall.

Can you enable this command "isakmp nat-traversal" on the Pix and then test it again. Also, if the VPN Client is behind a Firewall, make sure that UDP Port 4500 is opened for NAT Traversal to work.

Regards,

Arul

*Pls rate if it helps*


9 Replies

ajagadee
Cisco Employee

Hi,

I do not see "nat (inside) 0" configured to bypass NAT for IPSEC Traffic. Can you configure this and retest the connectivity through your VPN client.

Example:

access-list 100 permit ip 10.10.11.0 255.255.255.0 10.10.101.0 255.255.255.0

nat (inside) 0 access-list 100

Please refer to the URL below for additional details.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml

Regards,

Arul

*Pls rate if it helps*
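As an added example (not part of the thread and not Cisco's own tooling), the following Python script checks a PIX 6.3 configuration for the three remote-access VPN conditions this thread turns on: a "nat (inside) 0 access-list" whose ACL really exempts inside-subnet to client-pool traffic from NAT, the presence of "isakmp nat-traversal", and a split-tunnel ACL of "permit ip any any" (which is a full tunnel, not split tunnelling). The two configuration excerpts are constructed from the original post: note that the OP's first VPN_Client_NONAT ACL names 10.10.12.0/24 rather than the inside subnet 10.10.11.0/24, and that no "nat (inside) 0" statement references it. Function names such as check_config are the example's own.

```python
"""Added example (not from the thread): check the remote-access VPN pieces of a
PIX 6.3 configuration that this thread turns on.  The sample configs are
constructed excerpts based on the original post."""
import ipaddress

# Constructed excerpt of the OP's first posted config: VPN_Client_NONAT names
# 10.10.12.0/24 (not the inside subnet) and no "nat (inside) 0" references it.
ORIGINAL_POST = """\
access-list clientvpn permit ip any any
access-list VPN_Client_NONAT permit ip 10.10.12.0 255.255.255.0 10.10.101.0 255.255.255.0
ip address inside 10.10.11.1 255.255.255.0
ip local pool VPNPool 10.10.101.1-10.10.101.5 mask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
vpngroup CPark split-tunnel clientvpn
"""

# Constructed excerpt of the config after the thread's fixes were applied.
AFTER_FIX = """\
access-list clientvpn permit ip any any
access-list VPN_Client_NONAT permit ip 10.10.11.0 255.255.255.0 10.10.101.0 255.255.255.0
ip address inside 10.10.11.1 255.255.255.0
ip local pool VPNPool 10.10.101.1-10.10.101.5 mask 255.255.255.0
nat (inside) 0 access-list VPN_Client_NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
isakmp nat-traversal 20
vpngroup CPark split-tunnel clientvpn
"""


def _addr(tokens, i):
    """Consume one ACL address operand (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pull out the handful of PIX statements the VPN checks need."""
    cfg = {"acls": {}, "nat0_acl": None, "inside": None, "pool": None,
           "nat_traversal": False, "split_tunnel_acl": None}
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            cfg["pool"] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg["nat0_acl"] = t[4]
        elif t[:2] == ["isakmp", "nat-traversal"]:
            cfg["nat_traversal"] = True
        elif t[:1] == ["vpngroup"] and t[2:3] == ["split-tunnel"]:
            cfg["split_tunnel_acl"] = t[3]
    return cfg


def nat_exemption_covers(cfg):
    """True if the nat 0 ACL has an ACE matching inside-subnet -> VPN-pool traffic."""
    if cfg["nat0_acl"] is None or cfg["inside"] is None or cfg["pool"] is None:
        return False
    first, last = cfg["pool"]
    return any(cfg["inside"].subnet_of(src) and first in dst and last in dst
               for src, dst in cfg["acls"].get(cfg["nat0_acl"], []))


def check_config(text):
    """Return (code, message) findings in the order they are detected."""
    cfg = parse_config(text)
    findings = []
    if cfg["nat0_acl"] is None:
        findings.append(("NO_NAT0", "no 'nat (inside) 0 access-list': replies from "
                         "inside hosts to VPN clients are not exempted from NAT"))
    elif not nat_exemption_covers(cfg):
        findings.append(("NAT0_MISMATCH", f"nat 0 ACL {cfg['nat0_acl']} has no ACE "
                         f"from {cfg['inside']} to pool {cfg['pool'][0]}-{cfg['pool'][1]}"))
    if not cfg["nat_traversal"]:
        findings.append(("NO_NAT_T", "no 'isakmp nat-traversal': clients behind a NAT "
                         "device will not get ESP through (UDP/4500 must be allowed too)"))
    st = cfg["split_tunnel_acl"]
    if st and any(src.prefixlen == 0 and dst.prefixlen == 0
                  for src, dst in cfg["acls"].get(st, [])):
        findings.append(("FULL_TUNNEL", f"split-tunnel ACL {st} is 'permit ip any any': "
                         "the client tunnels all traffic, and PIX 6.3 cannot hairpin "
                         "Internet traffic back out the outside interface"))
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("original post", ORIGINAL_POST), ("after fix", AFTER_FIX)):
        print(label)
        for code, msg in check_config(cfg_text):
            print(f"  [{code}] {msg}")
```

Run it against the original excerpt and it reports NO_NAT0, NO_NAT_T and FULL_TUNNEL; against the fixed excerpt only FULL_TUNNEL remains, which matches what the OP later observes on the XP client (no Internet while connected). Wiring the OP's original 10.10.12.0/24 ACL to "nat (inside) 0" without correcting it would produce NAT0_MISMATCH, since that ACE does not cover the inside subnet.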

Thanks for your help!!!

That did not seem to fix the issue.

Here is what I added....

access-list VPN_Client_NONAT permit ip 10.10.11.0 255.255.255.0 10.10.101.0 255.255.255.0

nat (inside) 0 access-list VPN_Client_NONAT

I'm still seeing the client sending but I'm not getting anything back. I also am still not seeing any encaps or decaps when using "show crypto ipsec sa".

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (10.10.101.1/255.255.255.255/0/0)

current_peer: 196.12.221.4:1025

dynamic allocated peer ip: 10.10.101.1

PERMIT, flags={}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 96.10.27.50, remote crypto endpt.: 96.10.241.4

path mtu 1500, ipsec overhead 56, media mtu 1500

current outbound spi: ffd97d4c

inbound esp sas:

spi: 0x5da6fcfa(1571224826)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 1, crypto map: J&F_VPN

sa timing: remaining key lifetime (k/sec): (4608000/28703)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xffd97d4c(4292443468)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 2, crypto map: J&F_VPN

sa timing: remaining key lifetime (k/sec): (4608000/28703)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

Have you tried clearing the isa/ips SAs?

Kindly issue these commands:

clear crypto isa sa

clear crypto ips sa

clear xlate

clear arp

clear local

If you are still encountering the same issues, then

try removing these 2 lines:

crypto map J&F_VPN client configuration address initiate

crypto map J&F_VPN client configuration address respond


Thanks for all your help everyone!

None of the commands you guys recommended have worked. After adding the command "isakmp nat-traversal 20" I am now seeing decaps with the "show crypto ipsec sa" command (see below). I have also noticed that when the VPN tunnel is activated on my laptop I can still surf the Internet even though the VPN client shows me as routing "0.0.0.0 0.0.0.0". Any more ideas?

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (10.10.101.1/255.255.255.255/0/0)

current_peer: 61.35.228.23:27126

dynamic allocated peer ip: 10.10.101.1

PERMIT, flags={transport_parent,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 204, #pkts decrypt: 204, #pkts verify 204

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 96.10.27.50, remote crypto endpt.: 71.65.238.243

path mtu 1500, ipsec overhead 64, media mtu 1500

current outbound spi: bc23166b

inbound esp sas:

spi: 0xa3a5b81f(2745546783)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel UDP-Encaps, }

slot: 0, conn id: 2, crypto map: J&F_VPN

sa timing: remaining key lifetime (k/sec): (4607971/28136)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xbc23166b(3156416107)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel UDP-Encaps, }

slot: 0, conn id: 1, crypto map: J&F_VPN

sa timing: remaining key lifetime (k/sec): (4608000/28138)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

Hi,

Since you are seeing decrypts, we are definitely making progress after the ISAKMP NAT Traversal command. The packets are making it to the Pix Firewall.

What is the IP Address that you are trying to access through the tunnel? Does this host know that it needs to send the packets back to the Pix firewall for the VPN Pool of IP Addresses? If the end host's default route is pointing back to the pix, then there is no need for any additional routing.

Next thing, do you have the NAT 0 command that I had asked you to configure in the pix?

Can you post the current configuration from the Pix, if you have already checked the above two and still have issues with VPN Client connectivity.

Regards,

Arul

*Pls rate if it helps*
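The two "show crypto ipsec sa" outputs in this thread (0 encaps / 0 decaps before NAT traversal, then 204 decaps / 0 encaps after it) carry the whole diagnosis. As an added example, not from the thread, here is a Python parser that reads that output, handles several SA entries in one dump, and applies the decision rule ajagadee uses: nothing decrypted means the client's packets never reach the PIX (NAT-T, UDP/4500), decrypts without encrypts means the return path is broken (NAT exemption or routing on the inside host). The two remaining branches (encrypts without decrypts, and both counters moving) generalise the same rule beyond what the thread shows. The sample outputs are constructed excerpts of the two posted above; the function names are the example's own.

```python
"""Added example (not from the thread): parse PIX 'show crypto ipsec sa' output and
classify each SA by its packet counters.  The two samples are constructed excerpts
of the outputs posted in this thread."""
import re

# Before "isakmp nat-traversal": nothing encrypted or decrypted.
SA_BEFORE_NAT_T = """\
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.101.1/255.255.255.255/0/0)
   current_peer: 196.12.221.4:1025
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
     inbound esp sas:
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
"""

# After NAT-T: the PIX decrypts 204 client packets but encrypts nothing back.
SA_AFTER_NAT_T = """\
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.101.1/255.255.255.255/0/0)
   current_peer: 61.35.228.23:27126
     PERMIT, flags={transport_parent,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 204, #pkts decrypt: 204, #pkts verify 204
    #send errors 0, #recv errors 0
     inbound esp sas:
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
"""

ADVICE = {
    "NO_TRAFFIC": "no ESP either way: the client's packets never reach the PIX. If the "
                  "client is behind NAT, enable 'isakmp nat-traversal' and allow UDP/4500 "
                  "(and UDP/500) to the outside interface.",
    "NO_RETURN": "decrypting but not encrypting: the return path is broken. Check the "
                 "'nat (inside) 0' exemption for the pool and that the inside host routes "
                 "the pool back to the PIX (default gateway).",
    "NO_INBOUND": "encrypting but not decrypting: the PIX sends but hears nothing; look at "
                  "the client side or a device between the peers dropping ESP/UDP.",
    "BIDIRECTIONAL": "both counters moving: the tunnel works both ways; remaining failures "
                     "are on the end hosts (host firewall, service).",
}


def parse_sa(entry):
    """Extract peer, counters and encapsulation mode from one SA entry."""
    def count(pattern):
        m = re.search(pattern, entry)
        return int(m.group(1)) if m else 0
    peer = re.search(r"current_peer:\s*([\d.]+):(\d+)", entry)
    remote = re.search(r"remote\s+ident\s*\([^)]*\):\s*\(([\d.]+)/", entry)
    return {
        "peer": peer.group(1) if peer else None,
        "peer_port": int(peer.group(2)) if peer else None,
        "remote_ident": remote.group(1) if remote else None,
        "encaps": count(r"#pkts encaps:\s*(\d+)"),
        "decaps": count(r"#pkts decaps:\s*(\d+)"),
        "send_errors": count(r"#send errors\s*(\d+)"),
        "recv_errors": count(r"#recv errors\s*(\d+)"),
        "udp_encaps": "UDP-Encaps" in entry,   # NAT-T in use: ESP carried in UDP/4500
    }


def verdict(sa):
    """Classify an SA from its encaps/decaps counters."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "NO_TRAFFIC"
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        return "NO_RETURN"
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return "NO_INBOUND"
    return "BIDIRECTIONAL"


def diagnose(text):
    """Split a full 'show crypto ipsec sa' into per-peer entries and classify each."""
    entries = [e for e in re.split(r"(?m)^(?=[ \t]*local\s+ident)", text) if e.strip()]
    results = []
    for entry in entries:
        sa = parse_sa(entry)
        sa["verdict"] = verdict(sa)
        sa["advice"] = ADVICE[sa["verdict"]]
        results.append(sa)
    return results


if __name__ == "__main__":
    for sa in diagnose(SA_BEFORE_NAT_T + SA_AFTER_NAT_T):
        print(f"peer {sa['peer']}:{sa['peer_port']} encaps={sa['encaps']} "
              f"decaps={sa['decaps']} nat-t={sa['udp_encaps']} -> {sa['verdict']}")
        print("  " + sa["advice"])
```

The "in use settings" line is worth reading alongside the counters: "Tunnel UDP-Encaps" confirms NAT-T was negotiated, which is why decaps started counting after "isakmp nat-traversal" was added. Clear the SAs first ("clear crypto ipsec sa", as suggested above) so the counters reflect only the test you are running.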

Ok, this is weird. I am able to connect via my Windows XP and Vista machines but I can only successfully ping a device behind the PIX using the XP machine. I have disabled my local firewall on the Vista machine thinking that might be causing the issue, but that did not work. The XP machine fails when I try to go to the internet because my VPN group "CPark" tunnels everything (0.0.0.0 0.0.0.0). The Vista machine is able to browse the Internet even when it is connected via the same group (CPark). Sounds like a Vista issue, any thoughts?

hostname CParkPIX

domain-name example.com

object-group icmp-type ICMP_Types

icmp-object source-quench

icmp-object time-exceeded

icmp-object unreachable

icmp-object echo-reply

access-list outside permit icmp any any object-group ICMP_Types

access-list outside permit ip host x.x.x.x host x.x.x.x

access-list 1 permit ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list 2 permit ip 10.10.11.0 255.255.255.0 10.10.12.0 255.255.255.0

access-list clientvpn permit ip any any

access-list VPN_Client_NONAT permit ip 10.10.11.0 255.255.255.0 10.10.101.0 255.255.255.0

pager lines 24

logging on

logging timestamp

logging buffered warnings

mtu outside 1500

mtu inside 1500

ip address outside x.x.x.x 255.255.255.248

ip address inside 10.10.11.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool VPNPool 10.10.101.1-10.10.101.5 mask 255.255.255.0

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list VPN_Client_NONAT

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface 3389 10.10.11.2 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 3390 10.10.11.3 3390 netmask 255.255.255.255 0 0

access-group outside in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

ntp server 192.5.41.41 source outside

ntp server 192.5.41.40 source outside prefer

floodguard enable

sysopt connection permit-ipsec

sysopt ipsec pl-compatible

crypto ipsec transform-set J&F esp-3des esp-md5-hmac

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map J&F_VPN 10 ipsec-isakmp

crypto map J&F_VPN 10 match address 1

crypto map J&F_VPN 10 set peer x.x.x.x

crypto map J&F_VPN 10 set transform-set J&F

crypto map J&F_VPN 20 ipsec-isakmp

crypto map J&F_VPN 20 match address 2

crypto map J&F_VPN 20 set peer x.x.x.x

crypto map J&F_VPN 20 set transform-set J&F

crypto map J&F_VPN 30 ipsec-isakmp dynamic dynmap

crypto map J&F_VPN client configuration address initiate

crypto map J&F_VPN client configuration address respond

crypto map J&F_VPN client authentication LOCAL

crypto map J&F_VPN interface outside

isakmp enable outside

isakmp key ******** address x.x.x.x netmask 255.255.255.255

isakmp key ******** address x.x.x.x netmask 255.255.255.255

isakmp nat-traversal 20

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption aes-256

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

vpngroup CPark address-pool VPNPool

vpngroup CPark dns-server 208.67.222.222 208.67.220.220

vpngroup CPark default-domain example.com

vpngroup CPark split-tunnel clientvpn

vpngroup CPark idle-time 1800

vpngroup CPark password ********

management-access inside

username tony password ipMhl3WOdHCMyFxg

This is taken from another post and it FIXED my issue with Vista.

-------

I've had a similar problem. My issue is that I CAN browse the internet when my vpn is active (not allowed as vpn profile is not configured for local LAN access) and CANNOT ping or access any network resources.

I tried the route delete method and this does work; however, in my case when I disconnect the VPN I have to disable and re-enable my wireless connection to re-create the other route that was deleted.

I found an alternative solution. In my case when I ran "route print" from a command line after being connected to the VPN, the two routes for 0.0.0.0 were listed in reverse in respect to the METRIC value. I opened the connection properties of both the Cisco VPN Adapter and my wireless connection and modified the metric value in the TCPIP v4 advanced properties. This way, when my vpn is active the VPN Adapter has a lower metric value than the wireless adapter.

I have experienced this issue on all of our Vista clients so far. I can't tell whether this is an issue with Vista or the client. XP works great and never had a problem. It would be nice if an engineer could shed some light on why this happens.

Thanks for all the help ajagadee and acsalangad!
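As an added example, not from the post above, here is a Python check for the route ordering it describes: parse the IPv4 table from "route print", pick out the 0.0.0.0 default routes, and report whether the one through the VPN adapter (identified by an interface address inside the PIX's VPNPool, 10.10.101.0/24) has the lowest metric. Windows picks the lowest metric, so when the LAN adapter's default route wins, Internet traffic bypasses the tunnel exactly as the posters saw on Vista. Both route tables are constructed samples, not the poster's real output, and the function names are the example's own.

```python
"""Added example (not from the post): decide which default route wins on a Windows
client connected with the Cisco VPN client, from 'route print' output.  Both route
tables are constructed samples, not the poster's real output."""
import ipaddress
import re

# Address pool handed out by the PIX in this thread (ip local pool VPNPool).
VPN_POOL = ipaddress.ip_network("10.10.101.0/24")

# Constructed: the broken Vista ordering, the LAN default route has the lower metric.
ROUTE_PRINT_BROKEN = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.23     25
          0.0.0.0          0.0.0.0      10.10.101.1     10.10.101.1     30
      192.168.1.0    255.255.255.0         On-link     192.168.1.23    281
===========================================================================
"""

# Constructed: after lowering the VPN adapter's metric in TCP/IPv4 advanced properties.
ROUTE_PRINT_FIXED = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.23     35
          0.0.0.0          0.0.0.0      10.10.101.1     10.10.101.1     10
      192.168.1.0    255.255.255.0         On-link     192.168.1.23    281
===========================================================================
"""

# destination  netmask  gateway  interface  metric
ROW = re.compile(r"^\s*([\d.]+)\s+([\d.]+)\s+(\S+)\s+([\d.]+)\s+(\d+)\s*$")


def default_routes(route_print):
    """Return the 0.0.0.0 / 0.0.0.0 rows of the IPv4 table as dicts."""
    routes = []
    for line in route_print.splitlines():
        m = ROW.match(line)
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            routes.append({"gateway": m.group(3),
                           "interface": ipaddress.ip_address(m.group(4)),
                           "metric": int(m.group(5))})
    return routes


def check_default_route(route_print, pool=VPN_POOL):
    """Report whether the default route via the VPN adapter has the lowest metric."""
    routes = default_routes(route_print)
    vpn = [r for r in routes if r["interface"] in pool]
    lan = [r for r in routes if r["interface"] not in pool]
    if not vpn:
        return {"status": "NO_VPN_DEFAULT_ROUTE", "vpn_metric": None, "lan_metric": None}
    vpn_metric = min(r["metric"] for r in vpn)
    lan_metric = min((r["metric"] for r in lan), default=None)
    # Windows forwards via the lowest-metric default route.
    wins = lan_metric is None or vpn_metric < lan_metric
    return {"status": "VPN_ROUTE_WINS" if wins else "LAN_ROUTE_WINS",
            "vpn_metric": vpn_metric, "lan_metric": lan_metric}


if __name__ == "__main__":
    for label, table in (("broken", ROUTE_PRINT_BROKEN), ("fixed", ROUTE_PRINT_FIXED)):
        print(label, check_default_route(table))
```

On a real client, paste the output of "route print" (or "route print -4") into the function; LAN_ROUTE_WINS while the full-tunnel profile is connected is the condition the poster corrected by changing the adapter metrics, and it also means traffic the policy says should be encrypted is leaving in the clear.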
