Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member


i've PIX501 connected to WAN via PPPOE. Behind PIX i've Roueter, Win2k DC and user's computers XP. We configure VPN tunnel on PIX501 to PIX515 in central branch. Users from clients XP-stations can't connect ISA server in central site, also i used

telnet isa_server 8080


I see packets at inside interface at PIX501 bit i don't see them exited from other side of tunnel. BUT - i do same on Win2K and router - telnet isa_server 8080 - and it's work!

Also work ping to isa_server from client's XP-boxes.

I tryed change mtu on internal side

mtu inside 1492

Tryed to change

sysopt connection tcpmss XXX -

where XXX lower to 500.

Nothing help! But it's happend several days ago and before it was worked. Nothing changed in config.


: Saved


PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69


access-list inside_out permit ip

access-list inside_out deny ip any any

access-list vpn_outside permit ip

access-list outside_cryptomap_10 permit ip

pager lines 24

logging on

logging console debugging

logging buffered debugging

mtu outside 1500

mtu inside 1492

ip address outside pppoe setroute

ip address inside

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list vpn_outside

nat (inside) 1 0 0

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

ntp server source outside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set BRANCH_AES esp-aes esp-sha-hmac

crypto map MW 10 ipsec-isakmp

crypto map MW 10 match address outside_cryptomap_10

crypto map MW 10 set peer X.X.X.X

crypto map MW 10 set transform-set BRANCH_AES

crypto map MW interface outside

isakmp enable outside

isakmp key ******** address X.X.X.X netmask no-xauth no-config-mode

isakmp identity address

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

telnet timeout 60

management-access inside

console timeout 0

vpdn group PPPOE request dialout pppoe

vpdn group PPPOE localname ll33

vpdn group PPPOE ppp authentication pap

vpdn username xxxx password *********




Newer Solaris 8 installations and Solaris 9 use pppd 4.0 as their standard dialup and PPoE driver. The DMZ Ethernet port is supported as a backup interface. This interface supports static addresses, DHCP clients, or PPoE clients. An Ethernet 2 interface can be enabled on the Cisco 830 series routers. Port 4 on the switch is the physical representation of this port.

CreatePlease to create content