Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

vpn-client cant ping the lan behind pix


i can not get my vpnclient ping the lan...

my vpn client is able to establish the vpn with pix ,

an ip is assigned to the client from the lan range...

when i try to ping the lan ,

i see packets get to pix with debug icmp trace,

i see the encrypt packet # increases int the vpn client stats,..

and on pix when i check

sh crypto ipsec sa, i see exactly the same # of packets as decrypted,

but the # of decrypted packets on vpn client, and so the number of encrypted packets on pix stays 0...

i configured nat 0 , and i see the access-lists take hits...

but in

sh crypto map output

i see the dynamic acl created does not take hits...


when i do

ping outside [vpn client ip] ,i can ping ????

and the dynamic acl gets hits, and i see the decrypted stats increase in vpn client...

am i missing sthg here ???


Cisco Employee

Re: vpn-client cant ping the lan behind pix

Does the internal host you're trying to ping have a route to the pool of addresses, and does this route eventually point back to the PIX (if the default gateway of this internal host is the PIX then that should be sufficient). If the number of encrypted packets on the PIX is staying at 0, then this indicates that the PIX is not seeing the reply from the internal host (check routing as I mentioned), or your nat 0 is incorrect.

Can you post the config, making sure to xxxx out your passwords and external IP addresses?