Cisco Support Community

Can You Find Any Errors


I can't access my network when I VPN into my network. Can anyone take a look at the config to see if they can point out why I am not able to ping and access devices on my network? Thanks.

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname xxxx
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 102 permit ip x.x.53.0 log
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside x.x.57.200
ip address inside x.x.53.200
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool2 mask
pdm location x.x.1.0 inside
pdm location outside
pdm location outside
pdm location x.x.0.0 inside
pdm location x.x.30.216 inside
pdm location x.x.38.2 inside
pdm location x.x.38.12 inside
pdm location x.x.30.202 inside
pdm location x.x.30.215 inside
pdm location x.x.30.15 inside
pdm location inside
pdm location outside
pdm location x.x.0.0 inside
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0 0
route outside 1
route inside x.x.0.0 x.x.53.250 1
route inside x.x.53.250 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host x.x.38.12 doom timeout 5
aaa-server TACACS+ (inside) host x.x.30.15 doom timeout 5
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp authenticate
ntp server x.x.14.253 source inside prefer
http server enable
http x.x.30.216 inside
http x.x.38.12 inside
http x.x.38.2 inside
snmp-server host inside x.x.30.202
snmp-server host inside x.x.30.215
snmp-server host inside x.x.38.12
no snmp-server location
no snmp-server contact
snmp-server community PUBLIC
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup bob address-pool vpnpool2
vpngroup bob dns-server x.x.4.99
vpngroup bob default-domain
vpngroup bob idle-time 1800
vpngroup bob password
telnet timeout 5
ssh timeout 5
console timeout 5
terminal width 80
: end


Re: Can You Find Any Errors

I think the issue lies in your access-list. When you VPN into the PIX you are granted an IP from your VPNPOOL2 (vpnpool2). Your access-list 102 applied to the inside states (access-list 102 permit ip x.x.53.0 log). All other traffic will be denied. Try opening up the access-list to permit your pooled addresses and see what happens... Please rate... Good luck...

Re: Can You Find Any Errors

Hi .. access-list 102 is used for bypassing NAT and it is not an ACL applied to the inside interface.

From where I can see, the config seems OK. You need to make sure that your systems know the way back to the IP pool being used for your remote users. Which device is used as the default gateway for your internal LAN? If it is not the PIX then you might need to add a static route on that device.

I hope it helps .. please rate it if it does!!
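The two pieces the reply above describes, written out as an added example (this is not configuration posted in the thread): the NAT-exemption ACL on the PIX in its full form, with both the inside source and the VPN pool as destination, and the static route the internal gateway needs so replies to pool addresses come back to the PIX instead of following the gateway's default route. All addresses are assumptions, because the thread redacts them: 10.1.53.0/24 stands in for the inside LAN, 192.168.200.0/24 for vpnpool2, 10.1.53.200 for the PIX inside interface and 10.1.53.250 for the internal gateway, matching the roles those addresses play in the posted config. Lines beginning with ! are annotations for the reader, and the gateway line assumes IOS syntax. Two caveats a reviewer would raise on the posted config itself: the aaa-server host lines carry the TACACS+ key in clear (the poster redacted the enable and vpngroup passwords but not that one), and the SNMP community is PUBLIC; both should be changed, and the key rotated, since the config has been posted publicly.

```text
! ---- PIX 6.3 side (assumed addresses; the thread's real values are redacted) ----
! Pool handed to remote clients; kept on a subnet that is not used anywhere inside
ip local pool vpnpool2 192.168.200.1-192.168.200.254 mask 255.255.255.0

! NAT-exemption ACL: inside LAN -> VPN pool, in both source and destination.
! It is referenced only by "nat (inside) 0", never by "access-group", so it
! filters nothing; it tells the PIX not to PAT inside-to-VPN traffic through
! "global (outside) 1 interface". Traffic not matching it is PATed as usual.
access-list 102 permit ip 10.1.53.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list 102

! Decrypted IPsec traffic skips the interface ACL check because of this line,
! which is already present in the posted config.
sysopt connection permit-ipsec

! ---- Internal gateway (10.1.53.250, IOS syntax assumed) ----
! Without this, replies to 192.168.200.x follow the gateway's default route and
! never reach the PIX, which is the symptom the thread describes.
ip route 192.168.200.0 255.255.255.0 10.1.53.200

! ---- Checks on the PIX once a client is connected ----
show access-list 102
! hitcnt on the ACL line should climb while the client pings an inside host
show crypto ipsec sa
! #pkts decaps should climb (client -> PIX); #pkts encaps staying at 0 while
! decaps rises points at the missing return route on the gateway
```

The order of the two ACL address pairs matters on 6.3: the first pair is the inside source as seen by the PIX, the second is the pool. Reversing them leaves inside-to-client traffic subject to the interface PAT, and the encrypted reply never matches the client's SA.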


Re: Can You Find Any Errors

Issue was on the gateway device. The traffic wasn't routing through there back to the PIX. My only other issue is that I am not able to browse the internet. I can access everything on my network, I just can't leave it to get onto the www. Is it possible that my service provider is blocking me?
