Cisco Support Community
New Member

Cisco VPN problem from inside a PIX515E

I have recently joined a company which did have 8 NT/Novell servers running through a Cisco PIX 515E router/firewall, which was complete overkill for a company of 35 people! It had internal addressing of 192.168.1.x SN Mask. It's now replaced with 1 Windows 2003 SBS Server + the PIX, and internal addressing is now 10.0.0.x SN Mask

Everything is working well, including Windows-based VPN into the server (PPTP with PIX passthrough?!). I just have one MAJOR issue. Users within the network here do remote support to our products [which contain a Windows PC] on customer sites using pcAnywhere. The ones which are set up to use analog modems work fine, the ones who have assigned a public IP to their system work fine, but we have one client where we connect to their VPN first and then connect via TCP/IP, which will NOT work. The customer has a Cisco VPN (so we're connecting from inside our PIX to their Cisco appliance). The Cisco VPN client connects and is assigned an IP [a 10.116.152.x Subnet Mask address], but then all connectivity is lost to the 10.0.0.x network (but this used to happen!) and I cannot ping any of the valid addresses on the client network.

If I take the PC trying to connect from inside our network to the server room and connect on a non-firewalled port [I agree dangerous, but I needed to diagnose the problem!!] OR connect to the internet using our AT&T dialler, I again connect on the VPN OK, but then can also connect to the client IP addresses. I think I've therefore proved it's the PIX and its failure to route correctly, but I'm kind of struggling after that!! I also tried using a "home office" Linksys router with just a basic config and that worked.

I tried assigning a static internal IP and configuring a static NAT rule to redirect that to a static public IP (I have a pool of 14 public addresses and am currently only using one for the PIX router). I'm not too good on the PIX console at defining access lists etc., so I used the PDM to do this... I think I did everything right, but I guess because the IP address assigned to the VPN adapter isn't the same as the one I give the NIC it still doesn't know how to route the packets... If I type arp -a at the command prompt I just see the MAC address for the PIX...

While my users can use the internet dial-up, it's a waste of money and VERY slow, so they're not going to stick with it for long!

Unfortunately I do not have a copy of the PIX config from before the changeover (or I wouldn't be in this position!!)

The PIX is running v6.3 and does not have enough RAM to upgrade further. Any ideas or suggestions on how I can move forward would be very welcome!! :->


Re: Cisco VPN problem from inside a PIX515E

Failure of an IPsec VPN through a firewall is usually because of NAT.

Does your PIX have "fixup protocol esp-ike" ?

Is the remote end enabled for NAT Transparency ?

Or it could be access-lists or NAT internally, but we'd have to see the config to know that.
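
The NAT problem the reply points at, shown as an added example that is not part of this thread or of the poster's actual configuration. It assumes a PIX 6.3 with placeholder addresses (outside 203.0.113.2/28, inside 10.0.0.0/24, the remote-support PC at 10.0.0.50): the PAT setup under which the Cisco VPN client's tunnel fails, and the single fixup that lets it through.

```cisco
! Added example, not the poster's config. Addresses are assumed placeholders.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.240
ip address inside 10.0.0.1 255.255.255.0

! Plain PAT: every inside host, including 10.0.0.50, leaves as 203.0.113.2.
! IKE (UDP/500) is translated fine because it has ports. ESP (IP protocol 50)
! has no ports, so PAT has nothing to rewrite and the encrypted return traffic
! from the customer's gateway is dropped: the client "connects" (IKE succeeds)
! but nothing inside the tunnel ever works, which is the symptom described above.
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface

! The fix on PIX 6.3: track the IKE exchange and pair the following ESP flow
! with it, so one ESP tunnel can be carried through PAT. Disabled by default.
fixup protocol esp-ike

! Verify it took:
! pixfirewall# show fixup
! ...
! fixup protocol esp-ike
```

Two caveats a practitioner should check before relying on this. First, esp-ike handles only one ESP tunnel through PAT at a time, so a second user starting the same VPN client behind the same outside address will not work; the cleaner long-term answer is the one the reply also mentions, NAT Transparency (NAT-T) on the remote end, which wraps ESP in UDP/4500 and needs no fixup on the PIX at all, only outbound UDP/500 and UDP/4500, which PIX permits from inside by default. Second, the fixup cannot be combined with IPsec terminating on the PIX itself (`isakmp enable outside`); that is not the poster's situation, since their remote access is PPTP passthrough to the SBS server, but it matters if the PIX is later used as a VPN endpoint.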

New Member

Re: Cisco VPN problem from inside a PIX515E

Thanks for your suggestions!!

It was that I was missing the ESP protocol... with the NAT setup (which I'd already figured out!) it all works fine now.

