Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
233
Views
0
Helpful
2
Replies

PIX 501 Does Not Permit Access to Remote Network

douttagalla
Level 1
Level 1

‎11-09-2007 12:42 AM - edited ‎02-21-2020 01:46 AM

I have a problem with a PIX 501 that allows you to establish a VPN session to a remote network (using the Cisco VPN client software) but does not permit you to ping any devices on the remote network. This problem only occurs with the PIX. I have similar environments not running PIX firewalls that do not have this problem. If I replace the PIX with a non Cisco firewall, the problem goes away or if I create a site-to-site tunnel, I can then access the remote network.

0 Helpful
2 Replies 2

acomiskey
Level 10
Level 10

‎11-09-2007 05:45 AM

Post your config or add "isakmp nat-traversal".

0 Helpful

douttagalla
Level 1
Level 1
In response to acomiskey

‎11-13-2007 05:11 PM

Thanks for the suggestion. I added "isakmp nat-traversal" but that did not help. Here is the config

PIX Version 6.3(5)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 10.0.0.0 Head_Office

access-list inside_outbound_nat0_acl permit ip any 192.168.0.100 255.255.255.252

access-list inside_outbound_nat0_acl permit ip 10.0.10.0 255.255.255.0 Head_Office 255.255.255.0

access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.100 255.255.255.252

access-list outside_cryptomap_dyn_40 permit ip any 192.168.0.100 255.255.255.252

access-list outside_cryptomap_20 permit ip 10.0.10.0 255.255.255.0 Head_Office 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 10.0.10.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool VPN-Remote-Pool 192.168.0.100-192.168.0.103

pdm location Head_Office 255.255.255.0 inside

pdm location 192.168.1.0 255.255.255.0 inside

pdm location Head_Office 255.255.255.0 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

http 10.0.10.0 255.255.255.0 inside

http Head_Office 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer xxx.xxx.xxx.xxx

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode

isakmp nat-traversal 20

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup icare address-pool VPN-Remote-Pool

vpngroup icare dns-server 10.0.10.254

vpngroup icare idle-time 1800

vpngroup icare password ********

vpngroup itsupport address-pool VPN-Remote-Pool

vpngroup itsupport dns-server 10.0.10.254

vpngroup itsupport idle-time 1800

vpngroup itsupport password ********

telnet timeout 5

ssh timeout 5

management-access outside

console timeout 20

dhcpd address 10.0.10.100-10.0.10.110 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card