Cisco Support Community
Community Member

Win clients cannot see network after Site to Site VPN config


Perhaps some expert can give me a pointer here. I have had some recent reconfigurations to allow a Site to Site VPN. The site to site and internet connectivity works fine from both peers; however, remote Windows clients can connect but no longer access the network.

The remote client connects and a correct IP from the pptp pool appears in the Windows routing table, and the client can ping this IP but no further. When the client attempts to map a network drive he gets the error ‘Network name cannot be found’.

While the client is connected, this IP doesn’t appear during internal (network side) IP scans and cannot be pinged internally.

Here is most of my config:

: Saved
: Written by enable_15 at 03:23:44.389 CST Wed Feb 18 2004
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 6xxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname PIX515
clock timezone PST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list acl_out permit tcp host any eq 30000
access-list vpn permit ip
access-list nonat permit ip
pager lines 24
logging on
logging trap emergencies
logging device-id hostname
logging host inside
icmp deny any echo outside
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool
pdm location inside
logging alerts 100
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
static (inside,outside) tcp interface 30000 3389 netmask 0 0
static (inside,outside) tcp interface 30001 3389 netmask 0 0
static (inside,outside) tcp interface 30002 3389 netmask 0 0
access-group acl_out in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address vpn
crypto map outside_map 20 set peer
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key <deleted> address netmask no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
management-access inside
console timeout 10
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns
vpdn group 1 client configuration wins
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username test password xxxxxxxxxxxxx
<This is not used and will be removed>
vpdn enable outside
vpnclient server
vpnclient mode network-extension-mode
vpnclient vpngroup QWERTY password xxxxxxxxx
terminal width 80
: end


Re: Win clients cannot see network after Site to Site VPN config

Your ip local pool is the same as your inside subnet, which will not work. Change the ip local pool to (because it appears that is what is used on the other side of the site to site tunnel, correct?).

then add

access-list nonat permit ip

so that the pptp users will not have their return traffic natted to them.
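
An added example (not part of the thread, and not Cisco code): a Python check for the two conditions the reply above names, a PPTP pool that overlaps the inside subnet and inside-to-pool traffic missing from the `nat (inside) 0` access list. The addresses are constructed RFC 1918 placeholders because the posted config has its addresses removed, and `audit` is a hypothetical helper name.

```python
import ipaddress

# Constructed samples: RFC 1918 placeholders, not the poster's addresses.
BROKEN = """\
ip address inside 192.168.1.1 255.255.255.0
ip local pool pptp-pool 192.168.1.200-192.168.1.220
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
# Pool moved to its own subnet and added to the NAT-exemption ACL.
FIXED = BROKEN.replace("192.168.1.200-192.168.1.220", "192.168.3.1-192.168.3.20") + (
    "access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0\n")


def audit(config):
    """Return sorted (pool, finding) pairs for a PIX 6.x style config."""
    inside, exempt, pools, acls = None, None, {}, {}
    for t in (line.split() for line in config.splitlines()):
        if t[:3] == ["ip", "address", "inside"] and len(t) == 5:
            inside = ipaddress.ip_interface(f"{t[3]}/{t[4]}").network
        elif t[:3] == ["ip", "local", "pool"] and len(t) == 5:
            first, _, last = t[4].partition("-")
            pools[t[3]] = [ipaddress.ip_address(a) for a in (first, last or first)]
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"] and len(t) == 8:
            # Only "net mask net mask" entries are parsed; host/any forms are skipped.
            src = ipaddress.ip_network(f"{t[4]}/{t[5]}")
            dst = ipaddress.ip_network(f"{t[6]}/{t[7]}")
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"] and len(t) == 5:
            exempt = t[4]
    if inside is None:
        return [("config", "inside address not found")]
    findings = []
    for name, ends in pools.items():
        if any(a in inside for a in ends):
            findings.append((name, "pool overlaps inside subnet"))
        # Exempt only if an entry goes from the inside net to the whole pool range.
        covered = any(src.overlaps(inside) and all(a in dst for a in ends)
                      for src, dst in acls.get(exempt, []))
        if not covered:
            findings.append((name, "inside-to-pool traffic not NAT-exempt"))
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit(cfg))
```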

Community Member

Re: Win clients cannot see network after Site to Site VPN config

Thanks, you worked the charm; there is nothing like that in my PIX book!
