Cisco Support Community
New Member

Pix to 837 VPN configuration issues

Any advice would be greatly appreciated.

What debug may diagnose the issue etc.



Pix IOS version 6.3.2

Cisco 837 router version 12.2.3XA

Problem explanation

VPN is set up between Pix and 837 ADSL router. Both can get out to the Internet. The Pix has other functioning VPNs connected to it. The VPN config given between these two devices does work insofar as the VPN is shown as up and you can connect one way from the private network behind the Pix to the private network behind the 837 using apps like Terminal Services. However, connections initiated from the 837 router network do not work. Connections from the Pix end work though. Why is this a one-way VPN?



PIX Version 6.3(2)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

nameif ethernet0 Internet security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security50


access-list nonat permit ip

access-list vpn1 permit ip


ip address Internet External_Pix

ip address inside

ip address DMZ


global (Internet) 1 NAT_ALL

nat (inside) 0 access-list nonat

nat (inside) 1 0 0


route Internet DEFAULT_Gateway 1

route inside 1

route inside 1

route inside 1


crypto ipsec transform-set vpn1 esp-des esp-md5-hmac

crypto map newmap 21 match address murphy1

crypto map newmap 21 set peer [837 router address]

crypto map newmap 21 set transform-set murphy1

crypto map newmap interface Internet

isakmp enable Internet

isakmp key ******** address x.x.x.60 netmask

isakmp identity address

isakmp policy 8 authentication pre-share

isakmp policy 8 encryption des

isakmp policy 8 hash md5

isakmp policy 8 group 1

isakmp policy 8 lifetime 86400

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400


Using 2177 out of 131072 bytes


version 12.3


no aaa new-model

ip subnet-zero


ip audit notify log

ip audit po max-events 100

vpdn enable


vpdn-group pppoe


protocol pppoe

ip mtu adjust


crypto isakmp policy 10

hash md5

authentication pre-share

crypto isakmp key 0 ************ address ***************



crypto ipsec transform-set headoffice esp-des esp-md5-hmac


crypto map headoffice 10 ipsec-isakmp

set peer [pix ip address]

set transform-set headoffice

match address 101


interface Ethernet0

ip address

ip nat inside

no ip mroute-cache

hold-queue 100 out


interface ATM0

no ip address

no ip mroute-cache

atm vc-per-vp 64

no atm ilmi-keepalive

pvc 0/38

pppoe-client dial-pool-number 1


dsl operating-mode auto

hold-queue 224 in


interface Dialer1

ip address negotiated

ip nat outside

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap callin

ppp chap hostname [ispusername@isp]

ppp chap password 0 [password]

crypto map headoffice


ip nat inside source list 102 interface Dialer1 overload

ip nat inside source route-map nonat interface Dialer1 overload

ip classless

ip route ATM0

ip route Dialer1 permanent

no ip http server

no ip http secure-server

access-list 101 permit ip

access-list 102 deny ip

access-list 102 permit ip any

dialer-list 1 protocol ip permit

route-map nonat permit 10

match ip address 102

New Member

Re: Pix to 837 VPN configuration issues

I don't see where/how you are applying access-list vpn1?
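The point raised in the reply can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it scans PIX-style configuration text for crypto map entries that name an access-list or transform-set that is never defined, and for access-lists that are defined but never applied. The function name `audit_crypto_refs` is hypothetical, and the sample input is the crypto-related lines of the posted PIX config, with addresses elided as in the post.

```python
import re

# Constructed sample: crypto-related lines copied from the PIX config posted
# above (addresses were already elided in the post).
PIX_CONFIG = """\
access-list nonat permit ip
access-list vpn1 permit ip
nat (inside) 0 access-list nonat
crypto ipsec transform-set vpn1 esp-des esp-md5-hmac
crypto map newmap 21 match address murphy1
crypto map newmap 21 set peer [837 router address]
crypto map newmap 21 set transform-set murphy1
crypto map newmap interface Internet
"""

def audit_crypto_refs(config):
    """Return (dangling, unused_acls) for PIX-style config text.

    dangling: (map, seq, kind, name) tuples for crypto map entries naming an
    access-list or transform-set that the config never defines.
    unused_acls: access-lists defined but not referenced by a crypto map,
    a 'nat 0' exemption or an access-group.
    """
    defined = {"access-list": set(), "transform-set": set()}
    refs, used_acls = [], set()
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"access-list (\S+)", line):
            defined["access-list"].add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+)", line):
            defined["transform-set"].add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            refs.append((m.group(1), int(m.group(2)), "access-list", m.group(3)))
            used_acls.add(m.group(3))
        elif m := re.match(r"crypto map (\S+) (\d+) set transform-set (.+)", line):
            for name in m.group(3).split():  # an entry may list several sets
                refs.append((m.group(1), int(m.group(2)), "transform-set", name))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            used_acls.add(m.group(1))
        elif m := re.match(r"access-group (\S+)", line):
            used_acls.add(m.group(1))
    dangling = sorted(r for r in refs if r[3] not in defined[r[2]])
    return dangling, sorted(defined["access-list"] - used_acls)

if __name__ == "__main__":
    dangling, unused = audit_crypto_refs(PIX_CONFIG)
    for cmap, seq, kind, name in dangling:
        print(f"crypto map {cmap} {seq}: {kind} '{name}' is not defined")
    for name in unused:
        print(f"access-list '{name}' is defined but never applied")
```

A name mismatch like this can also come from renaming objects while sanitising a config for posting, so a finding should be confirmed against the running configuration on the device.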
