Cisco Support Community

New Member

PIX515 VPN - connected - but cannot access internal network


I am using a PIX-515R and the Secure VPN Client 3.5.2. I am able to successfully authenticate and establish a connection; however, I am unable to ping any host on LAN/DMZ/WWW when connected.

ipconfig /all reveals that the IP address on my NIC has not changed, and I understand that it is supposed to be replaced with the VPN IP address, and other IP addressing information specified by the vpngroup command.

Clicking on the padlock in the system tray, under General, it appears that the VPN Client has successfully obtained an IP address from the VPN clients pool; however, under the Statistics tab I can see no secured routes to the internal network. I see 2 entries:



This is consistent with the information provided by the route print command.

Does anyone know what I am doing wrong? Any gotchas?

Here's some of the config from the firewall:

    access-list nonat permit ip
    access-list nonat permit ip
    access-list nonat permit ip
    access-list nonat permit ip
    nat (inside) 0 access-list nonat
    nat (inside) 1 0 0
    nat (dmz) 0 access-list nonat
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set TSET_VPNCLIENT esp-3des esp-md5-hmac
    crypto dynamic-map dyna 1 set transform-set TSET_VPNCLIENT
    crypto map vpnclient 1 ipsec-isakmp dynamic dyna
    crypto map vpnclient client authentication RADIUS
    crypto map vpnclient interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash md5
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 86400
    vpngroup vicscouts address-pool vpnclnt_pool
    vpngroup vicscouts dns-server
    vpngroup vicscouts wins-server
    vpngroup vicscouts default-domain
    vpngroup vicscouts idle-time 1800
    vpngroup vicscouts password ********

Many thanks in advance,

New Member

Re: PIX515 VPN - connected - but cannot access internal network


The routes you got in your VPN client are correct. Because you are not using the "vpngroup split-tunnel" command, you cannot browse the Internet when you are connected to the VPN.

The VPN client IP address will not change in "ipconfig /all"; it only shows up in the VPN client status window.

Is your client PC sitting behind PAT equipment (an ADSL router), or is it using a dial-up connection and getting a public IP address directly? "IPSEC over PAT" to a PIX is not supported at this moment.

One more thing: please do not use IP addresses in your IP pool that overlap with your inside network. Otherwise, you will not be able to pass any traffic due to the routing issue.

your inside network using and

please change the pool to and also change the no-nat access-list to bypass the VPN traffic.

Best Regards,
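
The two checks the reply describes (the client pool must not overlap an interface subnet, and the pool must appear as a destination in the nonat access-list), written as an added example that is not part of either post. All addresses are constructed because the thread's were elided, and the `ip address` and `ip local pool` lines are assumed since the posted excerpt does not show them.

```python
import ipaddress

# Constructed sample: all addresses are made up (the thread's were elided), and the
# "ip address" / "ip local pool" lines are assumed; the post does not show them.
SAMPLE_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip local pool vpnclnt_pool 192.168.1.200-192.168.1.220
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
vpngroup vicscouts address-pool vpnclnt_pool
"""

# Same config after the change the reply recommends: a pool outside every
# interface subnet, plus a nonat entry whose destination is the new pool.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "192.168.1.200-192.168.1.220", "10.10.10.1-10.10.10.50"
) + "access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0\n"


def parse(config):
    """Collect interface subnets, local pools and nonat ACL entries."""
    nets, pools, nonat = {}, {}, []
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"] and len(t) == 5:
            nets[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}").network
        elif t[:3] == ["ip", "local", "pool"] and len(t) == 5:
            ends = [ipaddress.ip_address(a) for a in t[4].split("-")]
            pools[t[3]] = (ends[0], ends[-1])  # a single address is a 1-host pool
        elif t[:4] == ["access-list", "nonat", "permit", "ip"] and len(t) == 8:
            nonat.append((ipaddress.ip_network(f"{t[4]}/{t[5]}"),
                          ipaddress.ip_network(f"{t[6]}/{t[7]}")))
    return nets, pools, nonat


def check(config):
    """Return findings for pools that overlap a subnet or lack a nonat entry."""
    nets, pools, nonat = parse(config)
    findings = []
    for name, (lo, hi) in pools.items():
        for ifname, net in nets.items():
            if lo <= net.broadcast_address and hi >= net.network_address:
                findings.append(f"pool {name} overlaps {ifname} network {net}")
        if not any(lo in dst and hi in dst for _, dst in nonat):
            findings.append(f"pool {name} is not a nonat destination")
    return findings
```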
