deadline approaching need help with PIX501e

Dec 4th, 2008

I am able, from an external PC, to successfully connect and authenticate locally with my PIX using the Cisco VPN Client software; it shows that everything is connected. I am assigned a local IP address of which is the first in my VPN pool. The internal IP of the PIX is, and I also have a PC behind the firewall with an IP of, the first in its pool. I cannot, however, ping from to nor. I can, however, ping in a single hop the outside IP address of the PIX. From behind the PIX I can only ping the inside IP but not the outside or the VPN'd machine. Please help.

ajagadee Thu, 12/04/2008 - 14:08


I thought I answered this in the other thread; I guess it did not get posted.

Anyway, it is my understanding that the above setup will not work because the VPN Client local subnet is the same as the remote subnet that you are trying to access through the IPsec tunnel. If you look at the routing table on the OS, the subnet shows as a local route and the packets will not be sent across the tunnel.
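As an added illustration of the routing point in the reply above (this is not part of the original thread), the following Python model runs a host-style longest-prefix-match lookup over a constructed approximation of a Cisco VPN Client's routing table in tunnel-all mode. The inside LAN 192.168.2.0/24 and the working pool 10.10.10.x come from later posts in the thread; the remote user's own LAN (172.16.5.0/24), the /24 mask on the virtual adapter and the interface names are assumptions made for the example.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match over (cidr, interface) pairs, as a host OS does it:
    the most specific matching route wins. Returns the interface name or None."""
    addr = ipaddress.ip_address(dst)
    best_net, best_if = None, None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, iface
    return best_if

def vpn_client_routes(local_lan, pool_addr, prefixlen=24):
    """Constructed approximation (an assumption, not a dump from a real client) of the
    host table after the Cisco VPN Client connects with tunnel-all (no split tunnel):
    a default route into the tunnel plus the two directly connected subnets."""
    vpn_net = ipaddress.ip_interface(f"{pool_addr}/{prefixlen}").network
    return [
        ("0.0.0.0/0", "vpn-tunnel"),          # tunnel-all: anything not on-link is encrypted
        (local_lan, "physical-nic"),          # the LAN the client machine physically sits on
        (str(vpn_net), "vpn-adapter-local"),  # the virtual adapter's own connected subnet
    ]

def reaches_tunnel(local_lan, pool_addr, target):
    """True when a packet for `target` (a host on the remote inside LAN) is handed to
    the tunnel; False when the OS treats it as on-link and tries to ARP for it instead."""
    return next_hop(vpn_client_routes(local_lan, pool_addr), target) == "vpn-tunnel"

if __name__ == "__main__":
    lan = "172.16.5.0/24"           # constructed: the remote user's own LAN
    inside_host = "192.168.2.60"    # host behind the PIX, per the thread
    # Pool overlapping the inside LAN: 192.168.2.0/24 is a connected route on the
    # virtual adapter, so the packet never enters the tunnel.
    print("pool 192.168.2.100 ->", next_hop(vpn_client_routes(lan, "192.168.2.100"), inside_host))
    # Pool on its own subnet: only the default route matches, so it goes into the tunnel.
    print("pool 10.10.10.100  ->", next_hop(vpn_client_routes(lan, "10.10.10.100"), inside_host))
```

With the pool drawn from 192.168.2.0/24 the connected route on the virtual adapter (prefix length 24) beats the default route (prefix length 0), so the host ARPs for 192.168.2.60 on the virtual adapter and nothing answers; with the pool on 10.10.10.0/24 only the default route matches and the packet is encrypted.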



cworsham80 Fri, 12/05/2008 - 09:14

Thanks. I reset the PIX to factory defaults and started over on this thing, changed my inside addressing to, and put back in all the line items I could make sense of. Here's what I have so far: I can connect to the VPN and authenticate locally, but I am unable to flow traffic from a PC behind the PIX to/from a PC that VPNs in. I really need to get this thing up today if at all possible. Right now it's starting to look like it's going to be a long day.

cworsham80 Fri, 12/05/2008 - 09:16

Result of firewall command: "show run"

: Saved

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname catalystpix

clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 47
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521

object-group service VPN tcp-udp
port-object eq pim-auto-rp
port-object eq echo
port-object eq kerberos
port-object eq discard
port-object eq sunrpc
port-object eq domain
port-object eq tacacs
port-object eq talk
object-group network VPN1
description IP Addresses of VPN user

object-group network Everyone

access-list inside_outbound_nat0_acl permit ip any
access-list outside_cryptomap_dyn_20 permit ip any
access-list 101 permit tcp any host eq pptp
access-list 101 permit tcp any host eq netbios-ssn
access-list 101 permit udp any host eq netbios-ns
access-list 101 permit udp any host eq netbios-dgm
access-list 101 permit gre any host
access-list 101 permit tcp any eq www any eq www
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_cryptomap_dyn_40 permit ip any
pager lines 24
logging timestamp
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn
pdm location outside
pdm location inside
pdm location outside
pdm location inside
pdm location inside
pdm location outside
pdm location outside
pdm location inside
pdm group VPN1 outside
pdm group Everyone outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
access-group outside_access_in in interface outside
route outside 1

cworsham80 Fri, 12/05/2008 - 09:16

timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server VPN protocol tacacs+
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup demo address-pool vpn
vpngroup demo dns-server
vpngroup demo default-domain
vpngroup demo idle-time 1800
vpngroup demo password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group demo ppp authentication mschap
vpdn group demo ppp encryption mppe 40
vpdn group demo client configuration dns
vpdn group demo client accounting VPN
vpdn group demo client authentication local
vpdn group demp pptp echo 60
vpdn username demo password *********
vpdn enable outside
vpdn enable inside
dhcpd address inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username demo password XjFBA5DVYjFLLcDW encrypted privilege 15
terminal width 80

: end

ajagadee Fri, 12/05/2008 - 10:58


Enable this command on the PIX:

isakmp nat-traversal

and try testing again. If you still have issues, post the output of "show crypto isakmp sa" and "show crypto ipsec sa" along with the IP address that you are trying to ping.



*Pls rate if it helps*

cworsham80 Fri, 12/05/2008 - 11:36

Same thing. From outside, coming into the PIX, I get assigned IP. Behind the firewall I have a PC with address. I cannot ping in either direction, one to the other. From .2.60 I can ping .2.1; from .2.100 I cannot. I have attached the results from the commands as well as a recent show run.

JORGE RODRIGUEZ Fri, 12/05/2008 - 14:23

Hi Chris,

Is there any reason why you are using an RA VPN pool network that is the same as your inside LAN network?

I would first suggest using a different VPN pool network from that of your inside net. Even if you break it down, it just opens you up to problems; I have seen issues using the same network inside and for the RA network in remote access VPNs. It is just cumbersome to troubleshoot and most of the time it just doesn't work.

From .2.60 you can ping .2.1 (the FW inside interface); that's normal. From .2.100, to ping .2.1 you need the management-access inside statement, but to be honest, you have NAT-T enabled; if you cannot reach .2.60, either .2.60 has a firewall of its own turned on, or this may not work.

Probably you would spend less time with a clean RA VPN pool and move on with a proper RA config.

1- Create a new network for the RA demo tunnel; pick a different net, something like, and create a new pool.

2- Update your NAT exempt access list to allow the traffic from the new VPN pool network to your LAN networks.

Try the above suggestion and post results.
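The two steps above, written out in PIX 6.3 syntax as an added example (this is not the poster's configuration and not from the thread). The posted show run has its addresses stripped, so every address here is an assumption: the thread names 192.168.2.x/24 as the inside LAN and 10.10.10.x as the pool that eventually worked, and the pool range, inside interface address and ACL/pool names are taken from those and from the names already in the posted config. Lines starting with ":" are comments, as in the show run output itself.

```cisco
: --- Before: pool carved out of the same /24 as the inside LAN (the setup that failed) ---
ip address inside 192.168.2.1 255.255.255.0
ip local pool vpn 192.168.2.100-192.168.2.150
access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.0

: --- After: pool on its own subnet; NAT-exempt and crypto ACLs rewritten for it ---
: step 1: new pool that does not overlap any inside network
no ip local pool vpn 192.168.2.100-192.168.2.150
ip local pool vpn 10.10.10.1-10.10.10.254
vpngroup demo address-pool vpn
: step 2: NAT exemption from the inside LAN to the pool (PIX ACLs use netmasks, not wildcards)
no access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
: dynamic crypto map ACL for the pool, bound to the existing dynamic map entry
no access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.10.10.0 255.255.255.0
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
: NAT-T with the default 20 s keepalive, as recommended earlier in the thread
isakmp nat-traversal 20
: lets a VPN client ping/manage the inside interface address through the tunnel
management-access inside
```

After applying this, clients still connect to vpngroup demo as before but receive 10.10.10.x addresses; the posted "sysopt connection permit-ipsec" already bypasses the outside ACL for decrypted traffic, so nothing needs adding to outside_access_in. The "management-access inside" line only matters for reaching the PIX's own inside address from a client; host-to-host traffic does not need it.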



ajagadee Fri, 12/05/2008 - 14:30


I don't see anything wrong with the VPN configuration on the PIX that would block traffic to the 192.168.2.x/24 subnet.

A couple of quick questions:

1. In your VPN client settings for the vpngroup demo, under the "Transport" tab, can you make sure that "Enable IPsec Transparent Tunneling" is enabled and the "IPsec over UDP" option is checked.

2. Also, how are you connecting to the PIX? Are you behind another PIX firewall? If the local PIX is doing PAT/NAT, one option is to configure

fixup protocol esp-ike

Please see the PIX 6.3(x) release notes for more info, as below:




Please note that if you use this "fixup protocol esp-ike" command on the local PIX, then this PIX can only pass a single VPN tunnel outbound and you cannot configure any VPN on this local router at all. For example, you cannot configure the command

isakmp enable outside



cworsham80 Tue, 12/09/2008 - 05:45

Changed my VPN pool to 10.10.10.x and that seemed to fix it. Thanks to all for your help.

JORGE RODRIGUEZ Tue, 12/09/2008 - 14:37

Glad my suggestion worked for you. Please rate the post as resolved, so that others with similar issues can reference it.

Best Regards


