I have problem with the PIX Firewall 515 running 6.3(1). I can not use the VPN Client behind any NAT or PAT firewall. I make a connection but can not pass any traffic to my private addresses. I am using the command :

isakmp nat-traversal

Still no sucess, everything works great when I use a public address. For example a dial up connection.

I have included my configuration file. Any help would be appreciated.

-Paul

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname calprovpix

clock timezone PST -8

clock summer-time PDT recurring

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol icmp error

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

no fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names removed

object-group service Exchange tcp

port-object eq 135

port-object range 1096 1098

port-object eq smtp

port-object eq www

object-group service RadiusServer udp

description Radius Authentication Server

port-object eq radius

port-object eq radius-acct

access-list shjc_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0 192.168.101.0 25

5.255.255.0

access-list calprov_splitTunnelAcl permit ip 10.0.0.0 255.0.0.0 any

access-list outside_access_in permit ip 192.168.101.0 255.255.255.0 any

access-list outside_access_in deny ip PrivateNetwork 255.255.0.0 any log

access-list outside_access_in permit icmp any any unreachable

access-list outside_access_in permit icmp any any time-exceeded

access-list outside_access_in permit icmp any any source-quench

access-list outside_access_in permit icmp any any echo

access-list outside_access_in permit esp any any

access-list outside_access_in permit udp any any eq 4500

access-list outside_access_in permit tcp any host cpsj-exchange-1P object-group

Exchange

access-list outside_access_in permit tcp any host WWWP eq www

access-list outside_access_in permit tcp any host cpsj-server-1 eq 1099

access-list outside_access_in permit ip host Router any

access-list outside_access_in permit udp host QwestDNS eq domain any

access-list inside_nat0_outbound permit ip any 192.168.101.0 255.255.255.0

pager lines 24

logging on

logging monitor debugging

logging trap debugging

logging facility 7

logging host inside 10.1.0.66 6/1468

mtu outside 1500

mtu inside 1500

mtu test 1500

ip address outside xxx xxx

ip address inside 10.1.0.1 255.0.0.0

ip audit info action alarm

ip audit attack action alarm

ip local pool calprov-vpn 192.168.101.1-192.168.101.254

pdm history enable

arp timeout 14400

global (outside) 1 xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

static (inside,outside) cpsj-exchange-1P 10.1.0.20 netmask 255.255.255.255 0 0

static (inside,outside) WWWP 10.1.0.22 netmask 255.255.255.255 0 0

static (inside,outside) cpsj-server-1 10.1.0.10 netmask 255.255.255.255 0 0

static (inside,outside) cpsj-server-2P 10.1.0.11 netmask 255.255.255.255 0 0

static (inside,outside) cpsj-server-3P 10.1.0.12 netmask 255.255.255.255 0 0

static (inside,outside) cpsj-server-4P 10.1.0.13 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 Router 1

timeout xlate 1:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server AuthInbound protocol radius

aaa-server AuthInbound (inside) host

aaa authentication telnet console AuthInbound

aaa authentication http console AuthInbound

ntp server Router source outside prefer

http server enable

http 10.0.0.0 255.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map client authentication AuthInbound

crypto map outside_map interface outside

isakmp enable outside

isakmp nat-traversal 20

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup calprov address-pool calprov-vpn

vpngroup calprov dns-server 10.1.0.10

vpngroup calprov default-domain xxx

vpngroup calprov split-tunnel calprov_splitTunnelAcl

vpngroup calprov idle-time 1800

vpngroup calprov password

telnet 10.0.0.0 255.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80