Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX 6.1 upgrade to 6.2(2) Problem

We are using the Cisco VPN Client 3.6 for our remote users to log in to our 515e with the configuration below. It worked fine until I upgraded the PIX from 6.1 to 6.2(2) and even though they can log in and browse the network,they can no longer access the subnets.

The error message in the sys log when I try and ping one of the subnets from a connected client is PIX-3-106011 Deny inbound (no xlate). I can ping the subnets from the inside interface of the PIX.

I'm going through the 6.2(2) configuration book but can't find anything that would have changed between the versions. Any ideas on this?????

: Saved

: Written by enable_15 at 05:07:24.286 UTC Mon Nov 17 2003

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

enable password xxxx

passwd xxxxxx

hostname PIX

domain-name TEST.COM

fixup protocol http 80

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol smtp 25 no fixup protocol h323 h225 1720

no fixup protocol sqlnet 1521

no fixup protocol rtsp 554

no fixup protocol sip 5060

no fixup protocol skinny 2000

no fixup protocol ftp 21


access-list Cisco permit ip

access-list Cisco permit ip

access-list Cisco permit ip

access-list Cisco permit ip

access-list Cisco permit ip

pager lines 24

logging on

logging trap informational

logging host inside

logging host inside

interface ethernet0 10baset

interface ethernet1 10full

interface ethernet2 auto shutdown

icmp deny any echo-reply outside

icmp permit any unreachable outside

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside

ip address inside

ip address intf2

ip audit info action alarm

ip audit attack action alarm

ip local pool dealer

pdm history enable

arp timeout 14400

nat (inside) 0 access-list Cisco

static (inside,outside) netmask 0 0

access-group ACL_IN in interface outside

route outside 1

route inside 2

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set aaades esp-3des esp-md5-hmac

crypto dynamic-map dynomap 10 set transform-set aaades

crypto map vpn 20 ipsec-isakmp dynamic dynomap

crypto map vpn client authentication

crypto map vpn interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup vpnone address-pool dealer

vpngroup vpnone dns-server

vpngroup vpnone wins-server

vpngroup vpnone default-domain

vpngroup vpnone idle-time 1800

vpngroup vpnone password *****************************

telnet timeout 60

terminal width 80


: end

Cisco Employee

Re: PIX 6.1 upgrade to 6.2(2) Problem

Woah, get rid of the two default routes, that hasn't been supported for quite a while. I'm surprised it even worked with 6.1. Do this:

no route inside

route inside

and see how that goes.

New Member

Re: PIX 6.1 upgrade to 6.2(2) Problem

That fixed it. Thank you so much gfullage.

CreatePlease login to create content