Cisco Support Community
Community Member

Troubleshooting VPN Remote Access on PIX as PPPoE client

Hello, my customer has a PIX 506E set up to terminate remote access VPN sessions and is also set up as a PPPoE client for an ADSL network. I am able to establish a VPN session and receive an IP address from the client pool. At this point, I start a ping from my remote client to an address inside the PIX. When running a "debug icmp trace" on the PIX, I can see the echo-requests originating from my client, but the echo-replies do not make it back to my client address. Instead, they are being sent to a 67.x.x.x address that I suspect is the PPPoE server.

I am at a loss on how to get the VPN traffic moving in both directions through the tunnel.

Any suggestions?

Here's the PIX config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxx
passwd xxxxxx
hostname PIX

fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521

access-list outside_cryptomap_dyn_20 permit ip
access-list outside_cryptomap_dyn_20 permit ip
access-list outside_cryptomap_dyn_20 permit icmp any any echo-reply
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1492
mtu inside 1492
ip address outside pppoe setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool i-pool
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list outside_cryptomap_dyn_20
nat (inside) 1 0 0
access-group outside_cryptomap_dyn_20 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set STRONG esp-3des esp-md5-hmac
crypto dynamic-map DYNOMAP 10 set transform-set STRONG
crypto map VPNPEER 20 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup xxxx address-pool I-Pool
vpngroup xxxx split-tunnel outside_cryptomap_dyn_20
vpngroup xxxx idle-time 1800
vpngroup xxxx password ********
telnet timeout 5
ssh timeout 60
console timeout 0
vpdn group xxxx request dialout pppoe
vpdn group xxxx localname ciscotest
vpdn group xxxx ppp authentication pap
vpdn username xxxx password *********
terminal width 80

Community Member

Re: Troubleshooting VPN Remote Access on PIX as PPPoE client


One thing I noticed is that you have applied an access-list to your outside interface which permits traffic from 192.168.x.x - not sure if you want to do that. Also, to make the config a bit clearer, you should have 2 ACLs (one for defining VPN network parameters and one for the interface access alone... I also tend to create one for NAT as well if needed.)

Lastly, I assume that the clients are all set up to route traffic to This would be a big problem if the default route is set to another network device since the PIX cannot send it back properly to the VPN client if it never receives the packet. All in all, it appears that the source of your problem may be with the client network's ability to recognize the subnet.

Best Regards,
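
An added example, not part of either post: a small Python check for the ACL reuse the reply points out, where one access-list serves as interface filter, NAT exemption and split-tunnel list at once. The sample lines are copied from the posted config; the role labels and function names are made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the ACL-related lines from the posted config
# (addresses were elided in the post, so none are needed here).
SAMPLE_CONFIG = """\
access-list outside_cryptomap_dyn_20 permit icmp any any echo-reply
nat (inside) 0 access-list outside_cryptomap_dyn_20
nat (inside) 1 0 0
access-group outside_cryptomap_dyn_20 in interface outside
vpngroup xxxx address-pool I-Pool
vpngroup xxxx split-tunnel outside_cryptomap_dyn_20
"""

# PIX 6.x commands that reference an ACL by name, and the role the ACL
# plays in each (role labels are this example's own, not Cisco terms).
ROLE_PATTERNS = [
    ("nat-exemption", re.compile(r"^nat \(\S+\) 0 access-list (\S+)")),
    ("interface-filter", re.compile(r"^access-group (\S+) in interface \S+")),
    ("split-tunnel", re.compile(r"^vpngroup \S+ split-tunnel (\S+)")),
    ("crypto-match", re.compile(r"^crypto map \S+ \d+ match address (\S+)")),
]

def acl_roles(config: str) -> dict:
    """Map each referenced ACL name to the set of roles it is used in."""
    roles = defaultdict(set)
    for line in config.splitlines():
        line = line.strip()
        for role, pattern in ROLE_PATTERNS:
            match = pattern.match(line)
            if match:
                roles[match.group(1)].add(role)
    return dict(roles)

def shared_acls(config: str) -> dict:
    """Return only the ACLs used in more than one role, roles sorted."""
    return {name: sorted(used) for name, used in acl_roles(config).items()
            if len(used) > 1}

if __name__ == "__main__":
    for name, used in shared_acls(SAMPLE_CONFIG).items():
        print(f"{name}: shared across {', '.join(used)}")
```

An ACL reported here is a candidate for splitting into one list per role, so that a change to the VPN definition does not silently change what the outside interface admits.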

