Cisco Support Community

New Member

Remote Access VPN + gateway through pix = Deny inbound (No xlate) [HELP]

I am trying to set up my first VPN.

I want to make a remote access VPN where remote clients on the road can VPN into a PIX and remote gateway through the PIX out to the Internet.

remote PC <-> VPN through Internet->PIX<-Pix Lan and access outside Internet access <->

My PIX configuration below allows remote access clients using Windows 2000 and the 2000 VPN software in Win 2000 to remotely connect up to my PIX. The remote VPN client sees everything on the inside of my PIX LAN. The remote VPN client however can't remote gateway out of my PIX to the Internet.

When they try, I get logs showing:

106011: Deny inbound (No xlate) tcp src outside: dst outside:

Can somebody show me what I need to do so that a remote access client can VPN into my PIX and then have the ability to get out to the Internet as if they were directly on a PC on my PIX LAN?

Thank you in advance

Tom Jones

Below is my current PIX configuration:



PIX-501 Cisco PIX Firewall Version 6.1(1)

* IP information 10.10.10.x = Outside Internet real IP addresses

* IP information 192.168.77.x = Pix inside LAN

* IP information 192.168.1.x = what remote-access clients get when they connect

* I am using only local authentication at this time



PIX# show config

: Saved


PIX Version 6.1(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable xxxxxxxxxxxxxxxx xxxxxxxx encrypted

passwd xxxxxxxxxxxxxxxx encrypted

hostname PIXTEST


fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000


access-list acl_out permit tcp any host eq www

access-list acl_out permit icmp any any

access-list acl_out permit udp any host eq tftp

access-list acl_vpn permit ip any any

access-list 101 permit ip

pager lines 24

logging on

logging timestamp

logging buffered informational

logging trap debugging

logging history debugging

interface ethernet0 10baset

interface ethernet1 10full

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

ip local pool bigpool

pdm history enable

arp timeout 14401

global (outside) 1 interface

nat (inside) 0 access-list 101

! - - Note I have tried changing nat (inside) 1

nat (inside) 1 75 75

static (inside,outside) netmask 0 0

static (inside,outside) netmask 0 0

access-group acl_out in interface outside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server disable

http inside

no snmp-server location

no snmp-server contact

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap interface outside

isakmp enable outside

isakmp key ******** address netmask

isakmp identity address

isakmp client configuration address-pool local bigpool outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup vpn3000-all address-pool bigpool

vpngroup vpn3000-all dns-server

vpngroup vpn3000-all default-domain

vpngroup vpn3000-all idle-time 1800

vpngroup vpn3000-all password ********

telnet inside

telnet timeout 5

ssh outside

ssh timeout 60

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication pap

vpdn group 1 ppp authentication chap

vpdn group 1 ppp authentication mschap

vpdn group 1 ppp encryption mppe 40

vpdn group 1 client configuration address local bigpool

vpdn group 1 pptp echo 60

vpdn group 1 client authentication local

vpdn username remoteuser password remotepassword

vpdn enable outside

dhcpd address inside

dhcpd dns

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain

dhcpd enable inside

terminal width 80



Cisco Employee

Re: Remote Access VPN + gateway through pix = Deny inbound (No x


This is not possible with the PIX. The PIX will never send a packet out of the same interface from where it received it.

You can enable Split Tunneling for the group connecting using the Cisco VPN Client, and this will allow the users to access the LAN behind the PIX and also access the Internet.
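Split tunneling as described in the reply above, written against this thread's own group name and address ranges (an added example, not configuration from the original post; the ACL name split_tunnel and the nat 0 line are my assumptions, since the posted access-list 101 has no visible addresses):

```cisco
! Added example (not from the original post): PIX 6.x split tunneling
! for vpngroup vpn3000-all. Only traffic between the inside LAN
! (192.168.77.0/24) and the client pool (192.168.1.0/24) is sent
! through the tunnel; the client's Internet traffic leaves its own
! interface directly, so the PIX never has to hairpin it back out
! the outside interface and the 106011 "No xlate" denies stop.
! split_tunnel is a constructed ACL name.
access-list split_tunnel permit ip 192.168.77.0 255.255.255.0 192.168.1.0 255.255.255.0
vpngroup vpn3000-all split-tunnel split_tunnel

! Inside-to-pool traffic must bypass NAT. The posted config already
! has "nat (inside) 0 access-list 101"; assumed content for that ACL:
access-list 101 permit ip 192.168.77.0 255.255.255.0 192.168.1.0 255.255.255.0
```

With split tunneling the client's Internet traffic no longer passes the PIX's inspection or logging, so the client's own host firewall and patch level become the only control on that traffic.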



New Member

Re: Remote Access VPN + gateway through pix = Deny inbound (No x

Errrrr... What a big setback for me...... re:

"...PIX will never send a packet out of the same interface from where it received it..."

Does anybody know if a Cisco 2600 class router with NAT enabled will allow a remote access VPN connection where the remote VPN user may gateway out to the Internet through the IOS router (and follow other routes in the 2600)?

I think I may have made a small $$$ mistake thinking the Cisco PIX would handle my VPN needs.

errr Tom Jones