I'm trying to configure our PIX for dial-up VPN using ACS 2.6 NT and the TACACS+ protocol.
I have managed to configure the VPN user authentication OK, although once connected and the tunnel to the internal network is established, if I try to ping a host inside I only get one ICMP packet back out of four. Subsequent attempts to ping the host get absolutely no response. This happens with all hosts you try to ping...
The firewall itself is also configured to use TACACS+ for console and enable authentication; perhaps this config is causing a problem?
Here is a snippet of the pertinent config from the firewall.
access-list clients permit ip 172.17.0.0 255.255.0.0 172.17.50.0 255.255.255.0
access-list vpn permit ip 172.17.0.0 255.255.0.0 172.17.50.0 255.255.
ip local pool clients 172.17.50.10-172.17.50.254
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
aaa-server TACSERVER protocol tacacs+
aaa-server TACSERVER (inside) host 172.17.0.x akey timeout 10
aaa authentication enable console TACSERVER
aaa authentication match clients outside TACSERVER
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set vpn ah-md5-hmac esp-des
crypto ipsec transform-set clients esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400 kilobytes 46080000
crypto dynamic-map vpnusers 50 set transform-set clients
crypto map gibpix client configuration address initiate
crypto map gibpix client configuration address respond
crypto map gibpix client authentication TACSERVER
crypto map gibpix interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local clients outside
vpngroup ras address-pool clients
vpngroup ras dns-server ns0
vpngroup ras default-domain mydomain.com
vpngroup ras split-tunnel clients
vpngroup ras idle-time 1800
vpngroup ras password ********
I can't see the wood for the trees as I've scoured many Cisco docs. Can anyone point me in the right direction?
Many thanks and Merry Christmas to all.