Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Pix VPN/Client acl question/problem

Hey all,

I got something that I can't quite figure out...

Got a Pix setup to do VPN, 6.2(2). Inside is 192.168.10.x, VPN pool is 192.168.11.x. I can get the client to authenticate no prob, Inside machines can ping and communicate with the client with no prob. Client cannot ping, map or do anything inside without me adding a permit statement for 192.168.11.x to 192.168.10.x which is applied to the outside interface. Why do I need this statement ? Is there any way around this ? I think it is very un-secure to have to permit something like that on the outside interface, poses a huge security problem if you ask me. Below is a sanitized config.



Pix(config)# wr t

Building configuration...

: Saved


PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxxxx encrypted

passwd xxxxxxxxx encrypted

hostname Pix


fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000


access-list outside permit icmp any any echo-reply

access-list outside permit tcp any any eq pcanywhere-data

access-list outside permit udp any any eq pcanywhere-status

access-list outside permit ip

access-list nonat permit ip

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0 0

static (inside,outside) tcp interface pcanywhere-data pcanywhere-data netmask 0 0

static (inside,outside) udp interface pcanywhere-status pcanywhere-status netmask 0 0

access-group outside in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup xxxxx address-pool ippool

vpngroup xxxxxx dns-server

vpngroup xxxxx wins-server

vpngroup xxxxx default-domain

vpngroup xxxxx idle-time 1800

vpngroup xxxxx password ********

telnet timeout 5

ssh x.x.x.x x.x.x.x outside

ssh x.x.x.x x.x.x.x inside

ssh timeout 5

dhcpd address inside

dhcpd dns

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain

dhcpd enable inside

terminal width 80


: end



New Member

Re: Pix VPN/Client acl question/problem

I figured it out. I missed "sysopt connection permit-ipsec". Which essentially tells the ipsec tunnel to disregard acl's.

Hopefully this will help someone else as well.


CreatePlease to create content