Cisco Support Community
Community Member

VPN client to PIX.......Cannot access inside hosts

Hi all

I have a cisco PIX515 running 6.1(4) acting as a VPN server. Tunnel comes up fine, Vpn client (3.5) recieves ip address from the pool. After that I cannot access any machines from client to the inside network.

I ran packet analyzer on the inside and saw ping packets hitting the inside servers from client and these servers are sending these packets back. I also ran icmp trace on the inside interface of the PIX and saw returning ICMP packets. Some how these packets are blocked by pix.

IPSEC and ISAKMP debugs show decrypted packets and VPN client shows encrypted packets. Some how packets are not getting encrypted and are not coming back to the vpn client.

Here is a copy of my configuration

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

enable password A2J7TJNJsnIJJ74R encrypted

passwd A2J7TJNJsnIJJ74R encrypted

hostname pakpix


fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000


access-list 100 permit tcp any host eq 32970

access-list 100 permit tcp any host eq 32970

access-list 100 permit tcp any host eq sqlnet

access-list 100 permit tcp any host eq 32970

access-list 100 permit tcp any host eq www

access-list 100 permit tcp any host eq 5905

access-list 100 permit tcp any host eq www

access-list 111 permit ip

access-list 200 permit ip

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside

ip address inside

ip address intf2

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnclient

pdm history enable

arp timeout 14400

global (outside) 100

nat (inside) 0 access-list 111

nat (inside) 100 0 0

static (inside,outside) netmask 100 1000

static (inside,outside) netmask 100 1000

static (inside,outside) netmask 100 1000

access-group 100 in interface outside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set verioset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set verioset

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

crypto map clientmap interface outside

isakmp enable outside

isakmp key ******** address netmask

isakmp identity address

isakmp client configuration address-pool local vpnclient outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup vpn3000 address-pool vpnclient

vpngroup vpn3000 dns-server

vpngroup vpn3000 default-domain

vpngroup vpn3000 idle-time 1800

vpngroup vpn3000 password ********

telnet inside

telnet timeout 5

terminal width 80


: end


Re: VPN client to PIX.......Cannot access inside hosts

I could not find a route inside command in the PIX configuration provided by you. Considering that you are using a 515, I am assuming that your network is reasonably large and there is probably a router behind the PIX (on the inside). If that indeed is true, inserting the missing route commands to the inside networks might solve your problem.

CreatePlease to create content