Remote Access VPN routing

May 3rd, 2010

Hello all,

I have a problem and need your help. Our users will use VPN for remote access to the office internal private network; they are assigned IP addresses from

We are using a Juniper firewall as our Internet firewall, and it points to the ISP PE router for Internet access. The VPN client will terminate at a PIX 515 firewall.

This PIX has 2 interfaces: one facing the Internet and the other facing another ASA firewall, which will control the traffic to the internal network.

I have added the route for this segment in the ASA and other network devices, and the PIX has a default route to the Juniper and routes the internal network to the ASA.

When the user uses the Cisco VPN client to connect to the VPN, the tunnel is established successfully, and the PIX automatically adds a host route to the Juniper firewall.

The problem is that the VPN client cannot ping or use remote desktop to the internal private network. I have checked that the ACL in the ASA and the routes in the ASA for both directions are correct.

Would you please tell me how the routing works when the VPN client establishes a tunnel with the PIX, because from the client, its default gateway is the IP address itself; for example, the client has IP address and the gateway also

Thank you

Jennifer Halim Tue, 05/04/2010 - 04:39
User Badges:
  • Cisco Employee

On the PIX, please check if you have configured NAT exemption for traffic from the inside network towards the VPN pool (

Plus the internal network should route the subnet towards the PIX inside interface.

chowterry Tue, 05/04/2010 - 18:14

Dear Halijenn,

There is no NAT for this IP address range, and I have already set up a static route for this IP address range to the PIX inside interface.

Thank you

Federico Coto F... Tue, 05/04/2010 - 20:19
User Badges:
  • Green, 3000 points or more


If you have not configured split-tunneling, then all traffic is going to be sent from the client to the PIX.

You can check this on the client (when connected), checking the statistics and route details.

If the route is means that all traffic is being sent through the tunnel.

If you want to only send the traffic intended to the local LAN through the tunnel, you should configure split-tunneling.

The PIX/ASA by default allows VPN traffic to pass through the tunnel without being checked by the outside ACL.

Make sure you have the command: sysopt connection permit-ipsec or sysopt connection permit-vpn

Also, make sure that nat-t is enabled on both PIX/ASA and client.

Add the command: management-access inside and try to PING the inside IP of the PIX from the VPN client.

If traffic still does not flow through the tunnel, check the output of: sh cry ips sa to check the status of the encrypted/decrypted packets from the PIX perspective.

Let us know if you have any questions.


chowterry Wed, 05/05/2010 - 00:12

Hi Federico,

There is a route in the VPN client when it connects to the VPN tunnel.

The command sysopt connection permit-vpn also appears in the PIX.

Would you please tell me how to check the nat-t status? Is it the normal NAT?

When checking sh cry ips sa, the number of decap packets is 4 times the number of encap packets.

Thank you

Best Regards,

Terry Chow

Federico Coto F... Wed, 05/05/2010 - 07:49
User Badges:
  • Green, 3000 points or more


If you do have packets encrypted/decrypted that means traffic is flowing through the already-established tunnel.

Have you tried the command: management-access inside

and attempting to PING the inside IP of the PIX from the VPN client?

Also, enter the command: crypto isakmp nat-t


Jennifer Halim Wed, 05/05/2010 - 23:32
User Badges:
  • Cisco Employee

Do you mean that you have a tunneled default gateway configured towards the inside next hop?

route inside tunneled

chowterry Thu, 05/06/2010 - 19:53

Hi Halijenn,

We do not use route inside tunneled

However, the problem is solved, and we found out there was a MAC address learning error in the switches.

Thank you.

Best Regards

Terry Chow
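
Added example, not part of the thread or any poster's code: a small Python check that reads the encaps/decaps counters from `show crypto ipsec sa` output (the `sh cry ips sa` check suggested above) and reports which direction of the tunnel is losing packets. The sample output is constructed with documentation addresses, and the 3:1 threshold and the function names are assumptions chosen for illustration.

```python
import re

# Constructed sample in the layout of `show crypto ipsec sa` on a PIX/ASA.
# Addresses are documentation ranges; counters are made up (4:1, as in the thread).
SAMPLE = """\
interface: outside
    Crypto map tag: dynmap, seq num: 10, local addr: 192.0.2.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (198.51.100.10/255.255.255.255/0/0)
      current_peer: 203.0.113.25, username: user1

      #pkts encaps: 30, #pkts encrypt: 30, #pkts digest: 30
      #pkts decaps: 120, #pkts decrypt: 120, #pkts verify: 120
      #send errors: 0, #recv errors: 0
"""

PEER = re.compile(r"current_peer:\s*([\d.]+)")
COUNTER = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")

def parse_sas(text):
    """Return one {'peer', 'encaps', 'decaps'} dict per SA block in the output."""
    sas = []
    for line in text.splitlines():
        m = PEER.search(line)
        if m:  # a new SA block starts at each current_peer line
            sas.append({"peer": m.group(1), "encaps": 0, "decaps": 0})
            continue
        if sas:
            for name, value in COUNTER.findall(line):
                sas[-1][name] = int(value)
    return sas

def diagnose(sa, ratio=3):
    """Classify an SA by counter imbalance; `ratio` is an assumed threshold."""
    e, d = sa["encaps"], sa["decaps"]  # e: sent to client, d: received from client
    if e == 0 and d == 0:
        return "no traffic: check client routes / split-tunnel list"
    if e == 0 or d >= ratio * e:
        return "replies missing: check inside route to pool, NAT exemption, L2 path"
    if d == 0 or e >= ratio * d:
        return "client packets missing: check NAT-T and the path from the client"
    return "balanced: tunnel passes traffic both ways"

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(sa["peer"], "->", diagnose(sa))
```

A decaps count well above encaps, as reported in the thread, means client packets reach the PIX but replies do not come back to it. That points at the inside path (routing, NAT exemption or switching) rather than at the tunnel itself.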

