Cisco Support Community

Client to Site VPN please help


Please help me in configuring VPN. Below mentioned are the details.

I have been recently handed the responsibility of maintaining the CISCO PIX 515E in my organisation.

I need to configure a client to site VPN for the following parameters:

UDP 500 must be open in both inbound and outbound directions

IP protocol 50 (ESP) must be in both inbound and outbound directions.

UDP 10001

I have managed to configure the following in the firewall

object-group service UDP_VPN udp
 port-object range 500 500
 port-object range 10001 10001
object-group network EXT_Client_Servers ------These are the client server IPs
 network-object 12.x.x.x
 network-object 12.x.x.x
object-group network INT_LAN_Grp --------These are the internal LAN members who need to connect to the client servers.
 network-object 192.168.x.x
 network-object 192.168.x.x
access-list inside_access_in permit udp object-group INT_LAN_Grp object-group EXT_Client_Servers object-group UDP_VPN log

My questions are:

1) Is the above configuration correct?

2) How do I incorporate ESP for the above?

3) Should the internal LAN IPs be NATed to public IP? Also, should this be a one-to-one translation?

4) How should I enable traffic on the above ports for inbound direction?

Thanks in advance,
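
Added example (not part of the original post and not Cisco code): a small Python check that compares the service object-group and access-list line posted above with the three flows the question lists. It only looks at the inside-interface ACL, so NAT and the inbound direction are out of scope; the network object-groups are left out because their addresses are masked, and the extra `permit esp` line in `WITH_ESP` is an assumed addition, not something from the thread.

```python
import re

# Service group and ACL line as posted in the question.
POSTED_CONFIG = """\
object-group service UDP_VPN udp
 port-object range 500 500
 port-object range 10001 10001
access-list inside_access_in permit udp object-group INT_LAN_Grp object-group EXT_Client_Servers object-group UDP_VPN log
"""
# Assumption (not from the thread): the same config plus one ACE for IP protocol 50.
WITH_ESP = POSTED_CONFIG + (
    "access-list inside_access_in permit esp "
    "object-group INT_LAN_Grp object-group EXT_Client_Servers\n")

# Flows the question says must pass: (protocol, port); ESP has no ports.
REQUIRED = [("udp", 500), ("esp", None), ("udp", 10001)]

def parse_service_groups(config):
    """Return {group_name: [(low, high), ...]} from object-group service blocks."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group service (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif line.startswith(("object-group", "access-list")):
            current = None  # a different block started
        elif current is not None:
            m = re.match(r"\s*port-object range (\d+) (\d+)", line)
            if m:
                current.append((int(m.group(1)), int(m.group(2))))
    return groups

def parse_permits(config, groups):
    """Return [(protocol, port_ranges or None)] for each permit ACE."""
    permits = []
    for line in config.splitlines():
        m = re.match(r"access-list \S+ permit (\S+) (.*)", line)
        if m:
            names = re.findall(r"object-group (\S+)", m.group(2))
            svc = [n for n in names if n in groups]  # service group carries the ports
            permits.append((m.group(1), groups[svc[-1]] if svc else None))
    return permits

def missing_flows(config, required=REQUIRED):
    """Return the required flows that no permit ACE in the config matches."""
    permits = parse_permits(config, parse_service_groups(config))
    def covered(proto, port):
        return any(p in (proto, "ip") and (port is None or ranges is None
                   or any(lo <= port <= hi for lo, hi in ranges))
                   for p, ranges in permits)
    return [flow for flow in required if not covered(*flow)]

if __name__ == "__main__":
    print("posted config misses:", missing_flows(POSTED_CONFIG))
    print("with ESP ACE misses: ", missing_flows(WITH_ESP))
```
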



Re: Client to Site VPN please help

You don’t mention which version of PIX OS you're running, but here are documents that should resolve your problem:

VPN Client access with RADIUS authentication:

PIX OS v7+ VPN Client access document:

I would recommend, if you have a large number of VPN Client users, using an internal authentication server for tighter security, i.e. RADIUS authentication for your remote clients.

Let me know if the above helps you or if you need further help. Please rate the post if it helps, as others might also be looking for similar documents/answers.


Re: Client to Site VPN please help

mmm ... good luck ... Are you saying that you require a LAN to LAN VPN .. or a remote VPN where clients connect using Cisco VPN Client to the 'head office'? If remote connection is the case .. then I suggest you use the GUI provided by PDM. It will be easier in your situation following the wizard and allowing the access you require ... If you are not too familiar with this I can help you as well; if you post your config I can edit it according to what you need.

In any case this is another link you could have a look at

I hope it helps !!!
