Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cannot Ping inside network

Hi,

I need help with a PIX 501 configuration. Problem is i cannot ping inside network using client VPN.Client VPN version that i am using is 5.0. Attached file is my configuration.Thanks in advance.

Regards,

Christian

5 REPLIES
Green

Re: Cannot Ping inside network

no access-list test permit ip 10.1.1.0 255.255.255.0 192.168.11.0 255.255.255.0

isakmp nat-traversal

Cisco Employee

Re: Cannot Ping inside network

Hi Adam,

Just curious why the above access-list needs to be removed? Is it not the NAT 0 ACL for the L2L Traffic.

crypto map transam 1 ipsec-isakmp

crypto map transam 1 match address 101

crypto map transam 1 set peer x.x.x.x

access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.11.0 255.255.255.0

Regards,

Arul

Green

Re: Cannot Ping inside network

Oops, my mistake, I stand corrected.

Cisco Employee

Re: Cannot Ping inside network

Hi Chris,

After you add this command "isakmp nat-traversal" as per Adam's suggestion and still have issues with connectivity from the VPN Client to the Pix Firewall, can you post the outputs of

Show cry is sa

Show cry ips sa

along with the Destination IP Address that you are trying to access.

Thanks,

Arul

*Pls rate if it helps*

New Member

Re: Cannot Ping inside network

Thanks so much for your time. I have solve the problem. I added several commands.

name 10.1.2.0 client

access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list NoNAT permit ip 10.1.1.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list NoNAT permit ip 10.1.1.0 255.255.255.0 client 255.255.255.0

access-list in_outside permit icmp any any

access-list outside_cryptomap_dyn_20 permit ip any client 255.255.255.0

crypto ipsec transform-set CSB esp-des esp-md5-hmac

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 match address outside_cryptomap_dyn_20

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

126
Views
0
Helpful
5
Replies