Remote VPN issue

Unanswered Question
Aug 28th, 2009
I have a remote site and I need to access the network through remote VPN. I made the configuration and the remote VPN is connected, but I am not able to ping the internal hosts, including the PIX inside IP.

PIX OS : 8X.0.X.X


config :

interface Ethernet0
 nameif outside
 security-level 0
 ip address XX.8X.XX.XX

interface Ethernet1
 nameif inside
 security-level 100
 ip address

interface Ethernet2
 description STATE Failover Interface
 speed 100
 duplex full

interface Ethernet3
 no nameif
 no security-level
 no ip address

ftp mode passive
dns server-group DefaultDNS
 domain-name LYCASWE
access-list 101 extended permit ip any
access-list 110 extended permit ip 255.25
access-list VPN-MAR extended permit ip 25
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
ip local pool RemoteVPNpool
failover polltime unit 3 holdtime 9
failover link STATE Ethernet2
failover interface ip STATE standby
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1
route outside XX.8X.XX.XX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN_OFFICE-set esp-3des esp-sha-hmac
crypto ipsec transform-set RVPN esp-des esp-md5-hmac
crypto ipsec transform-set RVPN1 esp-3des esp-md5-hmac
crypto dynamic-map DYN-map 1 set transform-set RVPN RVPN1
crypto map Sweden-map 11 match address VPN-MAR
crypto map Sweden-map 11 set peer xx7.xx8.1xx.xx
crypto map Sweden-map 11 set transform-set VPN_OFFICE-set
crypto map Sweden-map 20 ipsec-isakmp dynamic DYN-map
crypto map Sweden-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 13
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 14
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet inside
ssh timeout 10
console timeout 0
management-access inside
service-policy global_policy global
group-policy RAswe internal
group-policy RAswe attributes
 user-authentication enable
username admin password XXXXXXXX encrypted
tunnel-group xx7.xx8.1xx.xx type ipsec-l2l
tunnel-group xx7.xx8.1xx.xx ipsec-attributes
tunnel-group RAswe type ipsec-ra
tunnel-group RAswe general-attributes
 address-pool RemoteVPNpool
 default-group-policy RAswe
tunnel-group RAswe ipsec-attributes



1) Use a separate IP subnet for remote VPN connections

2) You need to add the VPN subnet to your no-nat rule, acl 110

3) You will not be able to ping the inside IP of the PIX - this is normal and by design.

4) If you want to access the remote site over the IPSEC tunnel you need to enable same security traffic.
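
One way to check points 1 and 2 of the reply above against a saved PIX configuration, as an added example that is not part of the original thread. The post's addresses are redacted, so every address in the sample is a constructed placeholder, and `audit` is a hypothetical helper name; it assumes the `nat (inside) 0` ACL uses `any`, `host A` or `NET MASK` address forms.

```python
import ipaddress as ip
import re

def _take(tokens):
    """Consume one ACL address spec: 'any', 'host A' or 'NET MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ip.ip_network("0.0.0.0/0")
    if t == "host":
        return ip.ip_network(tokens.pop(0) + "/32")
    return ip.ip_network(f"{t}/{tokens.pop(0)}")

def audit(config):
    """Return findings for the VPN pool versus the inside subnet and no-nat ACL."""
    findings = []
    m = re.search(r"nameif inside\n(?:[ \t]+.*\n)*?[ \t]+ip address (\S+) (\S+)", config)
    inside = ip.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M)
    first, last = ip.ip_address(m.group(1)), ip.ip_address(m.group(2))
    acl = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M).group(1)
    rules = []
    pattern = rf"^access-list {re.escape(acl)} extended permit ip (.+)$"
    for spec in re.findall(pattern, config, re.M):
        tokens = spec.split()
        rules.append((_take(tokens), _take(tokens)))
    # Point 1: the client pool must not sit inside the LAN subnet.
    if first in inside or last in inside:
        findings.append("pool-overlaps-inside")
    # Point 2: some no-nat rule must go from the inside subnet to the whole pool.
    if not any(s.overlaps(inside) and first in d and last in d for s, d in rules):
        findings.append("pool-missing-from-no-nat-acl")
    return findings

# Constructed sample configuration (placeholder addresses, not from the post).
BASE = """\
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
access-list 110 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list 110
"""
SAMPLE_BROKEN = BASE + "ip local pool RemoteVPNpool 10.1.1.200-10.1.1.220\n"
SAMPLE_FIXED = BASE + (
    "access-list 110 extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0\n"
    "ip local pool RemoteVPNpool 192.168.50.1-192.168.50.50\n")

if __name__ == "__main__":
    print("broken:", audit(SAMPLE_BROKEN))
    print("fixed: ", audit(SAMPLE_FIXED))
```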
