Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Unable to get to internal resources after successfully tunneling-in!!

I have configured an IPSec remote access VPN connection and I'm successfully able to establish the tunnel but I can not get to any of my LAN internal

resources. I'm able to ping PIX's internal interface ( and even telnet to it from the VPN client, once logged into the PIX I'm able to ping all /24 internal resources from inside interface but wont work from the VPN client ( /24)

Heres the scenario

INTERNET---->1800SERIES--->PIX515e-->LAN( /24)

1800 SERIES 201.190.x.9 /30

PIX515e 201.190.x.10 /30

Below is a clean run-config regarding mostly the VPN statement for ease of reading....

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security50

enable password T5Gug97KpLnrmPci encrypted

passwd NHrPq0iSfkVBUBUb encrypted

hostname PIX515e


fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

!!! ACL for split tunneling

access-list 101 permit ip

!!! ACL form interesting traffic

access-list 102 permit ip

access-list 102 permit icmp echo

access-list 102 permit icmp echo-reply

pager lines 24

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

ip address outside 201.190.X.10

ip address inside

ip address DMZ

ip audit info action alarm

ip audit attack action alarm

!!! Pool of addresses to be assigned to Remote clients

ip local pool VPNPOOL

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (outside) 1 0 0

nat (inside) 1 0 0

route outside 201.190.X.9 1

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http inside

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

!!!Allow IPSec to pass through

sysopt connection permit-ipsec

!!! IKE phase 2 negotiation

crypto ipsec transform-set TECMANT-VPN esp-3des esp-sha-hmac

crypto dynamic-map VPN-MAP 10 set transform-set TECMANT-VPN

crypto map STATIC-VPN-MAP 10 ipsec-isakmp dynamic VPN-MAP

crypto map STATIC-VPN-MAP interface outside

!!!Allow ISAKMP prot on outside int.

isakmp enable outside

isakmp identity address

!!!IKE phase 2

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

VPN Group Policies

vpngroup VPN-TECMANT address-pool VPNPOOL

vpngroup VPN-TECMANT dns-server

vpngroup VPN-TECMANT split-tunnel 101

vpngroup VPN-TECMANT idle-time 1800

vpngroup VPN-TECMANT password ********

telnet timeout 5

ssh inside

ssh inside

ssh inside

ssh timeout 60

management-access inside

console timeout 0

!!! DHCP server enable for internal clients

dhcpd address inside

dhcpd dns

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable inside

terminal width 80


: end

Cisco Employee

Re: Unable to get to internal resources after successfully tunne

You need NAT 0 configuration to bypass NAT for vpn clients.

nat (inside) 0 access-list 110

access-list 110 permit ip

This should solve your IP Reachability issue from the VPN Clients.

Also, I am curious to know why you have this statement in the configuration.

nat (outside) 1 0 0



* Please rate helpful posts *

New Member

Re: Unable to get to internal resources after successfully tunne

Thx a bunch!! Working just fine....


about the nat (outside) 1 0 0 statement... thats a typo.. i forgot to exclude that on the running-config i posted...

Cisco Employee

Re: Unable to get to internal resources after successfully tunne

Thanks for the update and rating.