I have a Pix 501 configured for site to site access working correctly. However, Cisco VPN clients stopped working when the Pix was set up for site to site. If the site to site configuration is removed, the VPN client access is working.
Attached is the PIX configuration with site to site and Cisco client error log when trying to connect.
If I understand the problem correctly, you are able to connect using the VPN Client but not able to access any resources on the inside, correct?
If my understanding is correct, then please reconfigure your IP Pool to something different than 10.2.0.x. You cannot have the IP Pool in the range 10.2.0.x and also include this destination network in your L2L Tunnel. If you do this, the Pix will encrypt the traffic across the L2L tunnel instead of the VPN Client.
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
ip local pool vpnpool 10.2.0.126-10.2.0.130 mask 255.255.255.0
Just for testing purposes, can you change the IP Pool to something like 192.168.1.x and connect the VPN Client at the same time your L2L is up? Also, make sure that you add a NAT 0 statement. For example:
ip local pool vpnpool 192.168.1.1-192.168.1.254 mask 255.255.255.0
access-list NoNat permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
Please make the changes and let us know how it goes. If not, please post the updated configuration along with "show cry is sa" and "show crypto ipsec sa" from the Pix.
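The overlap described in the reply above can be checked mechanically before a configuration is deployed. The following is an added example, not part of the original thread: a small Python audit that flags any `ip local pool` range falling inside the destination network of an ACL bound to a crypto map. The sample configuration is constructed from the lines quoted in the thread; the `crypto map mymap 10 match address 101` line and the pool name `testpool` are assumptions, since the attached configuration is not shown.

```python
import ipaddress
import re

# Constructed sample: ACL and pool lines are the ones quoted in the thread.
# The crypto map line and the name "testpool" are assumed for illustration.
SAMPLE_CONFIG = """\
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NoNat permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool vpnpool 10.2.0.126-10.2.0.130 mask 255.255.255.0
ip local pool testpool 192.168.1.1-192.168.1.254 mask 255.255.255.0
crypto map mymap 10 match address 101
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)\s*$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)(?: mask \S+)?\s*$")
MAP_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)\s*$")


def find_pool_conflicts(config):
    """Return (pool, acl, destination) for each client pool inside an L2L crypto ACL."""
    acls, pools, crypto_acls = [], [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, _src, _smask, dst, dmask = m.groups()
            try:  # only the "network mask" form is handled; host/any entries are skipped
                acls.append((name, ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
            except ValueError:
                continue
        elif m := POOL_RE.match(line):
            name, first, last = m.groups()
            pools.append((name, ipaddress.ip_address(first), ipaddress.ip_address(last)))
        elif m := MAP_RE.match(line):
            crypto_acls.add(m.group(1))
    conflicts = []
    for pname, first, last in pools:
        for aname, dst in acls:
            if aname not in crypto_acls:
                continue  # NAT 0 ACLs are expected to reference the pool network
            # Two ranges overlap when each one starts before the other ends.
            if first <= dst.broadcast_address and last >= dst.network_address:
                conflicts.append((pname, aname, str(dst)))
    return conflicts


if __name__ == "__main__":
    for pool, acl, dst in find_pool_conflicts(SAMPLE_CONFIG):
        print(f"pool {pool} overlaps {dst} in crypto ACL {acl}")
```

Only ACLs referenced by a `match address` statement are treated as L2L interesting traffic, so the `NoNat` entry for 192.168.1.0 is not reported.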