Cisco Support Community
Trying to use Cisco VPN Client behind a PIX 7.2.2 in layer 2 bridging mode

I hope this is the right place; it was the closest to my problem.

I have a Windows 2000 PC with Cisco VPN Client 4.8 behind a Cisco PIX 515e operating in Layer 2 (transparent firewall). My rule set is attached below.

My issue is that I connect to a Cisco VPN through the PIX; it authenticates fine but then does not pass any data through the tunnel. If I remove the PIX and put in a Linux box with a transparent firewall on it, it works perfectly.

I'm sure there is a config I'm missing and hope someone can help point it out.



My Config:

pixfirewall# sh run
: Saved

PIX Version 7.2(2)

firewall transparent
hostname pixfirewall
domain-name default.domain.invalid
enable password xxx

interface Ethernet0
 nameif outside
 security-level 0

interface Ethernet1
 nameif inside
 security-level 100

passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list rules ethertype permit any
access-list rules ethertype permit bpdu
pager lines 24
mtu outside 1500
mtu inside 1500
ip address XXX.XXX.XX.XXX
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
access-group rules in interface outside
access-group rules in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http XXX.XXX.XX.XXX inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp nat-traversal 20
telnet timeout 5
ssh XXX.XXX.XX.XXX inside
ssh timeout 5
console timeout 0

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect icmp
policy-map type inspect ipsec-pass-thru preset_ipsec_map

service-policy global_policy global
prompt hostname context

: end
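A check a practitioner might run against the config posted above, added here as an example and not part of the original thread: the script parses the running config and reports whether the active service policy applies the ipsec-pass-thru inspection that is defined but never applied above, and whether any extended ACL permits ESP or NAT-T (UDP/4500). It assumes that without one of those the PIX will not track ESP return traffic from the VPN headend even though IKE on UDP/500 succeeds; the audit function and its output names are my own.

```python
import re

# Constructed excerpt of the config in the post above (sub-command indentation restored).
POSTED_CONFIG = """\
firewall transparent
access-list rules ethertype permit any
access-list rules ethertype permit bpdu
access-group rules in interface outside
access-group rules in interface inside
crypto isakmp nat-traversal 20
policy-map type inspect ipsec-pass-thru preset_ipsec_map
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect icmp
service-policy global_policy global
"""

def audit_ipsec_passthrough(config):
    """Report whether IPSec client traffic (IKE UDP/500, ESP = IP proto 50,
    NAT-T UDP/4500) can cross this PIX.  Assumption: ESP return traffic is
    only tracked when 'inspect ipsec-pass-thru' is applied in the active
    policy, or an extended ACL explicitly permits esp / udp 4500."""
    policy_maps, current, active = {}, None, None
    esp_or_natt_permitted = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map type inspect"):
            current = None                      # parameter maps carry no inspects
        elif line.startswith("policy-map "):
            current = line.split()[1]
            policy_maps[current] = []
        elif line.startswith("inspect ") and current:
            policy_maps[current].append(line.split()[1])
        elif line.startswith("service-policy ") and line.endswith(" global"):
            active = line.split()[1]             # policy applied globally
        elif re.match(r"access-list \S+ extended permit (esp|50)\b", line):
            esp_or_natt_permitted = True
        elif re.match(r"access-list \S+ extended permit udp .*\beq 4500\b", line):
            esp_or_natt_permitted = True
    inspects = policy_maps.get(active, [])
    return {
        "active_policy": active,
        "ipsec_passthru_applied": "ipsec-pass-thru" in inspects,
        "esp_or_natt_permitted": esp_or_natt_permitted,
        "nat_traversal_enabled": "crypto isakmp nat-traversal" in config,
    }

if __name__ == "__main__":
    for key, value in audit_ipsec_passthrough(POSTED_CONFIG).items():
        print(f"{key}: {value}")
```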


Re: Trying to use Cisco VPN Client behind a PIX 7.2.2 in layer 2

This document contains the most common solutions to IPSec VPN problems. These solutions come directly from service requests that the TAC have solved. Many of these solutions can be implemented prior to the in-depth troubleshooting of an IPSec VPN connection. As a result, this document is presented as a checklist of common procedures to try before you begin to troubleshoot a connection and call the TAC.