VPN-client set connect to the remote PIX, but has not access in LAN inside

Unanswered Question
Aug 16th, 2006
User Badges:

VPN client (the version is connected to PIX501, authentification and join passes orderly, but no access to removed network

The question in that, why no access to remote network through VPN client from workstation? There are route print below and config of pix.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
m.sir Wed, 08/16/2006 - 04:25
User Badges:
  • Gold, 750 points or more

I looks like NAT traversal issue...

try following command in global configuration mode

isakmp nat-traversal 20


Hope that helps rate if it does

daniele.bertolo... Sat, 12/09/2006 - 14:15
User Badges:

sorry for my intrusion...

i've the same problem on cisco pix 515e 7.0.6


and i've that command in global config mode..

my win xp with cisco 4.6 client authenticate itself but can't ping any host of the remote lan..

please help me!

i attach my pix config.

thanks a lot .


shomar Tue, 12/12/2006 - 04:50
User Badges:

hi daniele,

try to be more specified with the nat0 access list to include your inside network with it, so instead of:

access-list inside_nat0_outbound extended permit ip any


access-list inside_nat0_outbound extended permit ip

I hope that this will help,


daniele.bertolo... Wed, 12/13/2006 - 14:27
User Badges:

hi shadi',

many thanks for your answer.

unfortunalty...isn't the right way!

i've modified my pix config, as you told me, you can look it, i've attached it here.

that config is fully working only if my win xp client has a REAL INTERNET IP ADDRESS on PPP network card.

if client is behind a private network that are natted to outside, nothing works...

(tunnel up , but no traffic crypted..)

i successfully make IPSEC VPN connection on PIX using a Linux machine as client BUT with STATIC INTERNET IP ADDRESS via VPNC (linux version of cisco client)

but if my XP client is behind a private network

(here in italy many ISP like H3G give private, natted ip , on his UMTS card..)

no traffic passed via IPSEC tunnel..

obiously i've "isakmp nat-traversal 10" enabled on pix device!

can you help me?

thanks a lot



shomar Wed, 12/13/2006 - 22:58
User Badges:

HI Daniele,

I think the split tunnel access list is written wrong here :)

a rule of thumb, the split tunnel access list should always contain the traffic to be secured, so we need the clients ip pool to be as the source of the access list and the required secure networks to be the destination, so our split tunnel access list should look like this:

access-list rem-vlg_splitTunnelAcl permit ip

hope this will do it :)



daniele.bertolo... Thu, 12/14/2006 - 07:09
User Badges:

hi Shad?.

thanks for your reply!

my inside net is:

interface Ethernet1

speed 100

duplex full

nameif inside

security-level 100

ip address standby

and my vpn pool address is:

ip local pool VPNPool mask

so, as you told me, i think that my split tunnel acl have to contain line:

access-list VPN_splitTunnelAcl extended permit ip

i make change on pix, but infortunatly vpn is up not traffic doesn't work.

and another problem: on client statistic window, i see as secured route..

(not Lan ip addressing space, but vpn pool.. is it correct?)

Shad?, why with my old pix config (with old wrong split tunnel acl) if i have a public internet ip address on dialup interface on xp client evrything works correctly and packet are passed?

only if my xp client has sourced from a NO-NAT config .

any explanation will be more appreciated.



daniele.bertolo... Fri, 12/15/2006 - 03:44
User Badges:


my xp client have many problem.

on orher computer evrything works correctly with original config.

thanks to evrybody.




This Discussion