New Member

VPN 3.03a client connectivity

Working with a PIX 515 6.0 3DES and using VPN 3.03a client - I have two issues - one regarding installation of the client and problems with the DNE miniport. I have tried successfully installing on a Compaq desktop with Win2K but unsuccessfully on 3 different OEM laptops with W2K. I keep getting the error that the VPN sub-system is unavailable. I checked the bugs and it is documented but have been unable to get the workaround to fix the issue.

The other issue is connectivity to the internal network. From the desktop machine I can establish the IPSec tunnel to the PIX but cannot access anything on the internal network. Following is my config - (I'm still pretty new at the firewall). Suggestions or fixes - please advise.

PIX Version 6.0(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security20

nameif ethernet3 inside2 security80

nameif ethernet4 extranet security30

nameif ethernet5 dmz2 security40

hostname citypix


access-list acl_out permit tcp any host eq smtp

access-list acl_out permit tcp any host eq smtp

access-list acl_out permit tcp any host eq www

access-list acl_out permit tcp any host eq ftp

access-list acl_out permit icmp any any

access-list acl_out permit tcp host any eq www

access-list acl_dmz permit icmp any any

access-list acl_dmz permit ip any any

access-list 192 permit ip

access-list acl_inside2 permit icmp any any

access-list acl_inside2 permit ip any any

logging on

logging buffered debugging

logging trap debugging

logging history debugging

logging facility 16

logging host inside

interface ethernet0 10baset

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto

interface ethernet4 10baset

interface ethernet5 auto shutdown

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu inside2 1500

mtu extranet 1500

mtu dmz2 1500

ip address outside

ip address inside

ip address dmz

ip address inside2

ip address extranet

ip address dmz2

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnusers

arp timeout 14400

global (outside) 1 interface

global (dmz) 1 interface

nat (inside) 0 access-list 192

nat (inside) 1 0 0

nat (inside2) 0 access-list 192

nat (extranet) 1 0 0

alias (extranet)

static (dmz,outside) netmask 0 0

static (dmz,outside) netmask 0 0

static (dmz,outside) netmask 0 0

static (inside,dmz) netmask 0 0

static (inside,inside2) netmask 0 0

access-group acl_out in interface outside

access-group acl_dmz in interface dmz

access-group acl_inside2 in interface inside2

route outside 1

route inside 1

timeout xlate 3:00:00

timeout conn 10:00:00 half-closed 0:10:00 udp 0:15:00 rpc 4:00:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

sysopt connection permit-ipsec

sysopt connection pl-compatible

no sysopt route dnat

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto dynamic-map dynmap 4 set transform-set myset

crypto map vpn 10 ipsec-isakmp dynamic dynmap

crypto map vpn client configuration address initiate

crypto map vpn client configuration address respond

crypto map vpn interface outside

isakmp enable outside

isakmp key ******** address netmask

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

vpngroup support address-pool vpnusers

vpngroup support dns-server

vpngroup support wins-server

vpngroup support default-domain

vpngroup support split-tunnel 192

vpngroup support idle-time 1800

telnet timeout 5

ssh timeout 5

terminal width 80



New Member

Re: VPN 3.03a client connectivity

I think you’re going to need to troubleshoot both of those problems with Cisco’s TAC. The config looks okay at a glance.