PIX 501 simple setup

Unanswered Question
Dec 3rd, 2008

I am trying to setup my PIX 501e and i am having trouble. i'm trying to set it up as simple as possible. authentication to be done local on the PIX, just one user is fine. no AAA server. once in, i want to permit all ports for all traffic. i think i have it setup but i cant seem to log into it, is there anyone that can help me? I can post my show command if helpful.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
ajagadee Wed, 12/03/2008 - 10:57


Can you post the configuration along with information on how you are trying to log in. That is through telnet, SSH, console, VPN, etc.



cworsham80 Wed, 12/03/2008 - 11:12

I currently have two ASA 5505's in place and to VPN into those i have been using the cisco VPN client I would love to be able to use this same client to log into my PIX network as well but not manditory, i can get the vpn client to connect to my PIX, it authenticates on the group level, prompts for user info, but just remains at contacting security gateway until it times out. I have been programming (or call myself programming) the PIX using the PDM with an old win 2000 box. hope this is what you were looking for. Any and all help is greatly appreciated

cworsham80 Wed, 12/03/2008 - 11:12

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname catalystpix

domain-name catcomtec.com

clock timezone EST -5

clock summer-time EDT recurring

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol pptp 47

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521


object-group service VPN tcp-udp

port-object eq pim-auto-rp

port-object eq echo

port-object eq kerberos

port-object eq discard

port-object eq sunrpc

port-object eq domain

port-object eq tacacs

port-object eq talk

object-group network VPN1

description IP Addresses of VPN user


object-group network Everyone


access-list 101 permit tcp any host eq pptp

access-list 101 permit tcp any host eq netbios-ssn

access-list 101 permit udp any host eq netbios-ns

access-list 101 permit udp any host eq netbios-dgm

access-list 101 permit gre any host

access-list 101 permit tcp any eq www any eq www

access-list inside_outbound_nat0_acl permit ip object-group Everyone object-group VPN1

access-list inside_outbound_nat0_acl permit ip any

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit icmp any any time-exceeded

access-list outside_access_in permit icmp any any unreachable

pager lines 24

logging timestamp

logging trap informational

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip verify reverse-path interface outside

ip audit info action alarm

ip audit attack action alarm

ip local pool VPN_POOL

pdm location outside

pdm location inside

pdm location outside

pdm location outside

pdm location inside

pdm location inside

pdm location outside

pdm group VPN1 outside

pdm group Everyone inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0 0

access-group outside_access_in in interface outside

route outside 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server VPN protocol radius

aaa-server VPN (inside) host catalyst timeout 15

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

cworsham80 Wed, 12/03/2008 - 11:13

sysopt connection permit-ipsec

sysopt connection permit-pptp

sysopt connection permit-l2tp

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 1 set transform-set ESP-AES-256-MD5

crypto dynamic-map outside_dyn_map 21 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map client authentication VPN

crypto map outside_map interface outside

crypto map inside_map client authentication VPN

crypto map inside_map interface inside

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup demo address-pool VPN_POOL

vpngroup demo idle-time 1800

vpngroup demo password ********

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group catalyst_vpn accept dialin pptp

vpdn group catalyst_vpn ppp authentication pap

vpdn group catalyst_vpn client configuration address local VPN_POOL

vpdn group catalyst_vpn pptp echo 60

vpdn group catalyst_vpn client authentication local

vpdn username test password *********

vpdn username demo password *********

vpdn enable outside

vpdn enable inside

dhcpd address inside

dhcpd dns 206.x.x.97

dhcpd lease 604800

dhcpd ping_timeout 750

dhcpd domain catcomtec1.com

dhcpd enable inside

username demo password xxx encrypted privilege 15

terminal width 80


: end

ajagadee Wed, 12/03/2008 - 11:52


vpngroup demo address-pool VPN_POOL

vpngroup demo idle-time 1800

vpngroup demo password ********

If you are using the above vpngroup, that is Group - demo and password - ***** and VPN Client 5.0, then you should not be prompted for a username/password since there is no user authentication configured.

Can you enable "isakmp identity address" on the Pix and try connecting using the VPN Client 5.0.

If you still having issues, can you post the outputs of "deb cry is" and "deb cry ips" from the pix and logs from the VPN Client.



*Pls rate if it helps*

cworsham80 Wed, 12/03/2008 - 12:24

I appreciate your willingness to work with me on this, just not getting very far. i put in the three commands you requested into the PIX and the only feedback that i got was "this command has been sent to the firewall" for each of the entries. I am also pasting what i have in the logs window of my client, which i'm afraid isn't much. its just not making good sense to me. am i making this harder than it has to be? I would like to be able to use the client with the group authentication, user and password both "demo" no further prompts would be nice.

Cisco Systems VPN Client Version

Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 3

ajagadee Wed, 12/03/2008 - 12:41


Can you remove the below command:

crypto map outside_map client authentication VPN

and configure this one and test the connection again.

crypto map outside_map client authentication LOCAL



*Pls rate if it helps*

cworsham80 Wed, 12/03/2008 - 13:02

that helped a lot, it will now let me connect from my pc behind the ASA out to the internet then into the PIX i get authenticated there and get the local ip address of which is the beginning of my ip pool. so far so good. behind the pix i have a machine sitting at I cannot ping from my .130 address to the .15 address. how can i open up the doors so that i am seen as being local to the .15 box?

ajagadee Wed, 12/03/2008 - 13:14


Thanks for the update and rating.

I dont see anything obvious that will block traffic between the VPN Client and the subnet behind the Pix.

Is the a valid host on the network. Can you ping this ip address from the Pix itself. Also, what is the default gateway of this host. And, can you try pinging a different ip address via the vpn client and see if it works. Maybe address, the first one in your DHCP Pool.

Also, if everything looks good, try doing a "clear xlate" and then try the connectivity again through the tunnel.



*Pls rate if it helps*

cworsham80 Wed, 12/03/2008 - 13:36

the machine behind the pix (formerly .15) i have now made DHCP and it was assigned from the PIX. my outside connection coming in is still from the, once connected I can ping the outside address of the pix ( but cannot ping the inside address ( nor can i ping the machine behind the pix (

from the .40 machine, i can ping (inside of pix) but not outside or the .130 address.

from the pix ping command, i can ping but not, even though i can go into the monitor feature of the PDM and see there is one tunnel in place.

am i running into something stupid because the machine that is getting a vpn address of has a local address behind the ASA of All subnets for all 192 addresses are using


This Discussion