I've been working on this one for three days now, searched CCO, google, books, etc., with no luck so I'm throwing this out there. With a Cisco 3.6 VPN client I can connect to a PIX 515 but I cannot ping nor reach any internal hosts. I set up a PPTP tunnel as a test and I could connect and ping through that one but not the IPSEC. I checked many configs on CCO and I can't see what I'm missing. I also checked the bug list and tried a few versions of clients. Any help is appreciated. The relevant parts of the config are below.
access-list dmz_outbound_nat0_acl permit ip host DNSBOX any
access-list dmz_outbound_nat0_acl permit ip host WEBBOX02 any
access-list dmz_inbound_nat0_acl permit ip DMZ_Net 255.255.255.240 Corp_Net 255.255.255.0
access-list inside_access_in permit tcp Corp_Net 255.255.255.0 any eq www
access-list inside_access_in permit tcp Corp_Net 255.255.255.0 any eq https
access-list inside_access_in permit udp Corp_Net 255.255.255.0 any eq domain
Considering your PPTP config uses the same IP pool as your IPSec config, and your PPTP works, then that says you have the "nat 0" stuff set up correctly.
Your crypto config looks OK, can't see anything obviously wrong with it. Keep in mind that the tunnel is built on UDP port 500 (ISAKMP) packets, but then all data is sent on IP protocol 50 (ESP) packets, so it's possible that ESP is being filtered out somewhere; this would still allow you to build a tunnel successfully, you just couldn't ping anything over it.
After you establish a connection, do a "sho cry ipsec sa" on the PIX and look for the tunnel for your PC (find the tunnel with the IP address out of the pool that your connection received). Look at the Packets Encaps and the Packets Decaps counters. Also double-click on the padlock icon in your task bar. When you ping something, does the Packets Encrypted counter on your PC go up? Does the Packets Decaps counter on the PIX go up (indicating the PIX received your packet)? Does the Packets Encaps counter on the PIX go up (indicating the host responded and the PIX has encrypted the response and sent it to your PC)? Does the Packets Received counter on your PC go up?
You should be able to check these counters, see what increments and what doesn't, and figure out where the problem lies.
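As an added example (not from the thread), here is a small Python script that applies the encaps/decaps check from the reply above to two snapshots of "show crypto ipsec sa" output, taken before and after pinging from the client. The snapshot text, pool and peer addresses are constructed for the example; the exact layout of a real PIX's output may differ, so the regular expressions are an assumption.

```python
import re

# Constructed snapshots in the style of "show crypto ipsec sa" on a PIX, taken
# before and after sending 4 pings from the VPN client that received pool
# address 10.10.10.5. Addresses and counters are made up for this example.
SA_TEMPLATE = """\
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): ({addr}/255.255.255.255/0/0)
   current_peer: {peer}:500
    #pkts encaps: {enc}, #pkts encrypt: {enc}, #pkts digest {enc}
    #pkts decaps: {dec}, #pkts decrypt: {dec}, #pkts verify {dec}
"""

def sample(enc5, dec5):
    """Two SAs: the client under test (10.10.10.5) and a working client (10.10.10.6)."""
    return (SA_TEMPLATE.format(addr="10.10.10.5", peer="203.0.113.10", enc=enc5, dec=dec5)
            + SA_TEMPLATE.format(addr="10.10.10.6", peer="198.51.100.7", enc=120, dec=118))

BEFORE = sample(0, 0)
AFTER = sample(0, 4)   # PIX decapsulated 4 pings but encapsulated no replies

RE_REMOTE = re.compile(r"remote ident \(addr/mask/prot/port\): \((\d+(?:\.\d+){3})/")
RE_COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sa_counters(output):
    """Map each client's pool address (remote ident) to its encaps/decaps counters."""
    counters, current = {}, None
    for line in output.splitlines():
        m = RE_REMOTE.search(line)
        if m:
            current = m.group(1)
            counters[current] = {"encaps": 0, "decaps": 0}
            continue
        m = RE_COUNT.search(line)
        if m and current is not None:
            counters[current][m.group(1)] = int(m.group(2))
    return counters

def diagnose(before, after, client_addr):
    """Classify where traffic stops by comparing the client's counters across snapshots."""
    b = parse_sa_counters(before).get(client_addr, {"encaps": 0, "decaps": 0})
    a = parse_sa_counters(after).get(client_addr)
    if a is None:
        return "no-sa"               # no SA for that pool address: tunnel not built
    if a["decaps"] - b["decaps"] == 0:
        return "esp-not-arriving"    # PIX decrypted nothing: ESP dropped before the PIX
    if a["encaps"] - b["encaps"] == 0:
        return "no-return-traffic"   # pings decrypted, no reply encrypted: inside routing/nat 0
    return "tunnel-passing"
```

In the constructed case the PIX is receiving the pings but never encrypts a reply, which points at the inside path (routing or the "nat 0" exemption) rather than at ESP being filtered in front of the PIX.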
I am having the exact same problem. However, I have a couple of things I would like to add:
I've experienced this problem on Windows 2000 and Windows XP frequently.
On my Windows XP machine, I was able to ping internal resources through the VPN tunnel only once. After I restarted my PC, I lost that capability. Could this have something to do with the IPSEC Agent in Windows XP? I saw some posts suggesting that all Windows IPSEC services be disabled when running the VPN Client (I am using 3.6.2 btw).
On Windows 2000 PCs, the problem may be fixed by restarting the router on the VPN client's side.
To the best of my knowledge, 3.6 doesn't work very well at all, 3.6.3 is the one you want. Also, bear in mind that if your client is behind any kind of router or firewall that performs NAT or PAT, then although it may connect successfully, it won't work at all as the IPSEC packets will be discarded. The VPN client installation process should ask whether it can disable the w2k IPSEC service, cos it won't work otherwise.