Cisco Support Community
Community Member

VPN client troubles

Hi all

I have troubles with a PIX 515-E VPN config. The PIX does a site to site VPN with another PIX which works fine. I have to add a dialin VPN for mobile workers. My configuration is shown below. I can dial in using the VPN Client V 4.0.1 and I receive an IP address ( The Radius Authentication works fine. The only problem is that there is no back traffic to the VPN client. The statistics show me a number of bytes sent but 0 bytes received. When I delete the access-list ACLVPNTAG permit ip host then I receive bytes but only ISAKMP Informational packets. The packets sent from the mobile worker's machine get to the destination machine (something in /22). Does anyone have an idea?

Thanks very much

Regards Patrik

when access-list ACLVPNTAG permit ip host is deleted:

access-list dynacl16 turbo-configured; 1 elements

access-list dynacl16 line 1 permit ip any host (hitcnt=2)

when access-list ACLVPNTAG permit ip host is present:

access-list dynacl14 turbo-configured; 1 elements

access-list dynacl14 line 1 permit ip any host (hitcnt=0)

current config: --> site to site (operational), client to site (not operational)

access-list in2any permit ip

access-list ACLVPNTAG permit ip log

access-list ACLVPNTAG permit ip host

access-list ACLVPNTAG permit ip host

access-list ACLVPNTAG permit ip host

ip local pool DIALIN

global (outside) 1 interface

global (dmz) 1 interface

nat (inside) 0 access-list ACLVPNTAG

nat (inside) 1 0 0

nat (dmz) 1 0 0

access-group out2any in interface outside

access-group in2any in interface inside

access-group dmz2any in interface dmz

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server partnerauth protocol radius

aaa-server partnerauth (inside) host xxxxx timeout 5

sysopt connection permit-ipsec

crypto ipsec transform-set TRANSVPNTAG esp-aes esp-md5-hmac

crypto ipsec transform-set TRANSDIALIN esp-des esp-md5-hmac

crypto dynamic-map DYNDIALIN 10 set transform-set TRANSDIALIN

crypto map CMAPVPNTAG 1 ipsec-isakmp

crypto map CMAPVPNTAG 1 match address ACLVPNTAG

crypto map CMAPVPNTAG 1 set peer x.x.x.x

crypto map CMAPVPNTAG 1 set transform-set TRANSVPNTAG

crypto map CMAPVPNTAG 10 ipsec-isakmp dynamic DYNDIALIN

crypto map CMAPVPNTAG client authentication partnerauth

crypto map CMAPVPNTAG interface outside

isakmp enable outside

isakmp key ******** address x.x.x.x netmask

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption aes

isakmp policy 1 hash md5

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup vpn3000 address-pool DIALIN

vpngroup vpn3000 dns-server

vpngroup vpn3000 wins-server

vpngroup vpn3000 default-domain

vpngroup vpn3000 idle-time 1800

vpngroup vpn3000 password ********


Re: VPN client troubles

Try enabling nat-traversal:

isakmp nat-traversal

Community Member

Re: VPN client troubles


I added the isakmp nat-traversal, but it's still the same. Can it be that there is a problem due to the existing site to site VPN? I made a test configuration with a lab PIX before which worked properly. The difference was that there was no site to site VPN and no ACL on the inside interface.


Regards Patrik
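
Added example, not part of the thread and not Cisco code: a Python check relevant to the question in the last post, reporting any ACL that is referenced both by `nat 0` and by a static `crypto map ... match address` entry that sits ahead of a dynamic entry in the same map. The sample lines are constructed from the config posted above; the function name `shared_acl_findings` is hypothetical.

```python
import re

# Constructed sample: lines taken from the configuration posted in this thread.
SAMPLE_CONFIG = """\
nat (inside) 0 access-list ACLVPNTAG
nat (inside) 1 0 0
crypto dynamic-map DYNDIALIN 10 set transform-set TRANSDIALIN
crypto map CMAPVPNTAG 1 ipsec-isakmp
crypto map CMAPVPNTAG 1 match address ACLVPNTAG
crypto map CMAPVPNTAG 10 ipsec-isakmp dynamic DYNDIALIN
"""

NAT_EXEMPT = re.compile(r"nat \(\S+\) 0 access-list (\S+)$")
CRYPTO_MATCH = re.compile(r"crypto map (\S+) (\d+) match address (\S+)$")
DYNAMIC_ENTRY = re.compile(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic \S+$")


def shared_acl_findings(config_text):
    """Return one finding per ACL used for NAT exemption and as a static crypto ACL."""
    nat_acls, static_entries, dynamic_entries = set(), [], []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise spacing from pasted configs
        if m := NAT_EXEMPT.match(line):
            nat_acls.add(m.group(1))
        elif m := CRYPTO_MATCH.match(line):
            static_entries.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := DYNAMIC_ENTRY.match(line):
            dynamic_entries.append((m.group(1), int(m.group(2))))

    findings = []
    for cmap, seq, acl in static_entries:
        if acl not in nat_acls:
            continue
        # Crypto map entries are evaluated in ascending sequence number, so a
        # permit in the static entry's ACL is matched before any later dynamic entry.
        later = sorted(s for c, s in dynamic_entries if c == cmap and s > seq)
        findings.append({"acl": acl, "crypto_map": cmap,
                         "static_seq": seq, "dynamic_seqs_after": later})
    return findings


if __name__ == "__main__":
    for f in shared_acl_findings(SAMPLE_CONFIG):
        print(f"{f['acl']}: nat 0 and {f['crypto_map']} entry {f['static_seq']}; "
              f"dynamic entries evaluated later: {f['dynamic_seqs_after']}")
```
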
