Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX 501to 3015 Concentrator using VPN Hardware Client

I found several doc's on CCO about creating a VPN connection from a PIX 501 to a 3000 Concentrator using the VPNClient feature in 6.2.x of the PIX software (specifically "Configuring the VPN Hardware Client on PIX 501/506 Version 6.2 for Use With a VPN 3000 Concentrator"). I follow the example and cannot get it to work.

The concentrator logs say that the there is xauth is required but not configured. I've tried setting the SA's on the conventrator to use pre-shared keys with and without xauth, but no luck. In the debugs from the PIX I see it referring to the DMZ address of the Concentrator, not the static xlated address that I put in the config. I've tried deleting everything and starting over but no luck.

I finally checked the 6.2 PIX command reference and it implies that you still need all of the IKE and crypto stuff in addition to the vpnclient commands. The above doc makes no reference to needing this other than it appears to be configured on devices inside the network.

So, what is the correct procedure for using the VPN Hardware Client????

New Member

Re: PIX 501to 3015 Concentrator using VPN Hardware Client


I have this problem before, seems like the problem is on the Concentrator. Make sure the IKE Proposal list on the Concentrator does have "CiscoVPNclient" at the first line (normaly the default "CiscoVPN Client" does configured with "XAuth", just check it to make sure). Because for a remote client connection, Concentrator will not going through the second line on the proposal list to check any matching proposal if the first proposal is not match.

Regarding the crypto stuff on the PIX, it has several default IKE proposals, so no need to configure it anymore, except if you want to fine tune the IKE proposal list.


New Member

Re: PIX 501to 3015 Concentrator using VPN Hardware Client


i have same problems like this.Do you have any configuration example fpr me?

Best regards


New Member

Re: PIX 501to 3015 Concentrator using VPN Hardware Client

The problem had to do with NATing our public interface on the VPN Concentrator. I had to add the non-nated address in as a secondary connection with the "vpnclient server" command. After that it worked fine, except you do need to initiate traffic from the PIX network for the tunnel to actually come up.

CreatePlease login to create content