Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN Client and Pix issue

I have a pix 501 that I am trying to configure for VPN Client access. I am trying to test the following config and it doesn't seem to want to authenticate. I am trying to connect from within the same network just to see if it will authenticate but it will not. I have also tried from work with the same results. Can someone tell me what I am missing? I have looked on many, many websites and can't find an answer. thanks in advance. Following is my config:

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxx encrypted

passwd xxxxxx encrypted

hostname xxxx


fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69


access-list 100 permit tcp any any eq pptp

access-list 100 permit udp any any eq 1701

access-list 100 permit udp any any eq 4500

access-list 100 permit tcp any interface outside eq pptp

access-list 100 permit udp any any eq isakmp

access-list acl_out permit tcp any interface outside eq pptp

access-list acl_out permit gre any interface outside

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 100

nat (inside) 1 0 0

static (inside,outside) tcp interface pptp pptp netmask 0 0

access-group 100 in interface outside

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

sysopt connection permit-l2tp

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap interface outside

isakmp enable outside

isakmp key ******** address netmask

isakmp client configuration address-pool local ippool outside

isakmp policy 10 authentication rsa-sig

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup vpn3000-all idle-time 1800

vpngroup vpn3000 address-pool ippool

vpngroup vpn3000 default-domain xxxxxxxxxx

vpngroup vpn3000 idle-time 1800

vpngroup vpn3000 password ********

telnet inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80


Re: VPN Client and Pix issue

Your configuration look a little messy, take a look at the following document on how to configure Client VPN access on a PIX.

The above configuration setup is on a PIX running 6.2(1) but if your PIX is running 6.3+,then I would suggest you enable NAT Traversal (NAT-T) for ISAKMP. To do this do (in config mode) :

isakmp nat-traversal

The above command will help when you initiate a VPN client connection from behind another NAT device.

Also, are you trying to allow PPTP & L2TP too? As you don't have the apporiate configuration configured.

I would suggest that you clean up your configuration and start with one service first i.e. VPN client access and then add any other service you require i.e. PPTP or L2TP - If you need help on this let me know. You can re-set your PIX to factory default by issuing:

(in config mode) configure factory-default

Now you can start afresh.

Hope this helps you.


New Member

Re: VPN Client and Pix issue


Thanks for the response. I went to the website that you had posted. I reset everything back to the defaults and modified the basic config to replicate the config on the website. I then tried to access the vpn via the client but still to no avail. I had to reset my config back to the original so that I can access the vpn for work. I'm still at a loss. I had l2tp and pptp added to my original config just to test other vpn connections but none of them seem to work. It looks like the vpn client is being rejected or the security gateway on the pix is not responding. Any ideas as to what could be causing this issue?

Thanks again for your help,