Cisco Support Community
New Member

Pix 501 Vpn Client

I am trying to connect with the Cisco VPN Client or the Microsoft VPN client to a Cisco PIX 501, but without success.

The connection is established, but the data doesn't pass through the VPN tunnel.

I can't reach the host on the inside interface.

This is my configuration:

Pix# sh conf

: Saved

: Written by enable_15 at 09:37:19.986 UTC Fri Dec 6 2002

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname Test


fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000


access-list acl_in permit icmp any any

access-list acl_in permit tcp any any

access-list acl_in permit udp any any

access-list acl_in permit gre any any

access-list acl_out permit icmp any any

access-list acl_out permit tcp any host x.x.x.x eq smtp

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside x.x.x.x

ip address inside

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

ip local pool ip-pool

pdm location inside

pdm location inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 x.x.x.x

nat (inside) 1 0 0

static (inside,outside) x.x.x.x netmask 0 0

access-group acl_out in interface outside

access-group acl_in in interface inside

route outside x.x.x.x 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http inside

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynamap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynamap

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup vpn address-pool ip-pool

vpngroup vpn dns-server

vpngroup vpn default-domain

vpngroup vpn idle-time 1800

vpngroup vpn password ********

telnet inside

telnet inside

telnet timeout 5

ssh timeout 5

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication pap

vpdn group 1 ppp authentication chap

vpdn group 1 ppp authentication mschap

vpdn group 1 client configuration address local ip-pool

vpdn group 1 client configuration dns

vpdn group 1 pptp echo 60

vpdn group 1 client authentication local

vpdn username vpn password ********

vpdn enable outside

terminal width 80

The network is a private network.



Re: Pix 501 Vpn Client


Is there a router on your outside interface? If so, does it forward incoming IPSec packets (ESP) to the outside interface of the PIX?

Kind Regards,


New Member

Re: Pix 501 Vpn Client


Yes, there is a router from Telecom Communications; I don't know the router configuration.

Best Regards.

Cisco Employee

Re: Pix 501 Vpn Client


You have to configure a NAT (inside) 0 command to bypass NAT for the IPSec and PPTP connections. You can follow the URL below for the same:

And regarding your local pool, it is always a good practice to assign a different range for the remote users.
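
Added example, not part of the thread or of Cisco's documentation: a small Python check for the two points in the reply above, a `nat (inside) 0` exemption covering inside-to-pool traffic and a client pool outside the inside range. The `nonat` ACL name and every address are constructed (the posted config has its addresses removed), and PIX 6.x `nat (inside) 0 access-list` syntax is assumed.

```python
import ipaddress
import re

# Constructed samples in PIX 6.x syntax; every address is made up for this example.
BROKEN = """\
ip address inside 192.168.1.1 255.255.255.0
ip local pool ip-pool 192.168.1.200-192.168.1.220
nat (inside) 1 0 0
"""
FIXED = """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip local pool ip-pool 192.168.50.1-192.168.50.20
nat (inside) 1 0 0
nat (inside) 0 access-list nonat
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(config):
    """Return findings for the two points in the reply: NAT bypass and pool range."""
    # Normalise the 'any' and 'host a.b.c.d' ACL shorthands to address/mask pairs.
    cfg = re.sub(r"\bany\b", "0.0.0.0 0.0.0.0", config)
    cfg = re.sub(r"\bhost (\S+)", r"\1 255.255.255.255", cfg)
    m = re.search(r"^ip address inside (\S+) (\S+)$", cfg, re.M)
    if not m:
        return ["inside address missing or redacted: nothing to compare against"]
    inside = net(*m.groups())
    # ACLs referenced by 'nat (inside) 0 access-list NAME' exempt traffic from NAT.
    exempt = []
    for acl in re.findall(r"^nat \(inside\) 0 access-list (\S+)$", cfg, re.M):
        rule = rf"^access-list {re.escape(acl)} permit ip (\S+) (\S+) (\S+) (\S+)$"
        exempt += [(net(s, sm), net(d, dm)) for s, sm, d, dm in re.findall(rule, cfg, re.M)]
    findings = []
    for name, lo, hi in re.findall(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)$", cfg, re.M):
        ends = [ipaddress.ip_address(lo), ipaddress.ip_address(hi)]
        if any(e in inside for e in ends):
            findings.append(f"pool {name} overlaps inside network {inside}")
        # Return traffic inside -> pool must match a NAT-exempt ACL entry.
        if not any(inside.subnet_of(src) and all(e in dst for e in ends) for src, dst in exempt):
            findings.append(f"no 'nat (inside) 0' exemption for inside -> pool {name}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit(cfg))
```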


