PIX501, Client 3.X VPN Problem

ajachowicz (Level 1)

Please help. I have used the VPN wizard to configure a PIX 501. When testing with the 3.6 client I have no traffic between the client and the internal network. It looks like the tunnel is open and the client has an address assigned from the internal pool. The configuration and debug output are listed below.

Thank you,

AJ

```
Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password .ABD9i6qlUz8g0bD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_outbound_nat0_acl permit ip 10.0.1.0 255.255.255.0 10.0.1.16 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 10.0.1.16 255.255.255.240
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.4 255.255.255.0
ip address inside 10.0.1.7 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Sackett 10.0.1.16-10.0.1.25
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 *.*.*.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup LineWarriors address-pool Sackett
vpngroup LineWarriors idle-time 1800
vpngroup LineWarriors password ********
telnet timeout 5
ssh timeout 5
dhcpd address 10.0.1.8-10.0.1.135 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:12fafb6b09a57f68f634eb67e89590ca
: end
[OK]
```

```
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 20 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 20 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 20 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 20 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 20 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 20 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4
crypto_isakmp_process_block: src *.*.*.5, dest *.*.*.4
crypto_isakmp_process_block: src *.*.*.5, dest *.*.*.4
crypto_isakmp_process_block: src *.*.*.5, dest *.*.*.4
crypto_isakmp_process_block: src *.*.*.5, dest *.*.*.4
```


gfullage (Cisco Employee)

Try removing this line via the CLI:

> no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

Also, you have this:

> ip local pool Sackett 10.0.1.16-10.0.1.25

> dhcpd address 10.0.1.8-10.0.1.135 inside

So your VPN client pool and your DHCP client pool overlap; this is not good, so change that too.

I have made all changes and still no go. I have attached changed configuration and show crypto outputs.

Thank you for your time,

Andrew J.

```
Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password .ABD9i6qlUz8g0bD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_outbound_nat0_acl permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.4 255.255.255.0
ip address inside 10.0.1.7 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool SackettRemote 192.168.1.1-192.168.1.254
pdm location 10.0.1.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 10.0.1.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 63.174.221.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup SackettWarriors address-pool SackettRemote
vpngroup SackettWarriors wins-server 10.0.1.1
vpngroup SackettWarriors idle-time 1800
vpngroup SackettWarriors password ********
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:dc20fd92e519c092f65a1cb36043ab9f
: end
[OK]
```

```
Details for 0.0.0.0/0.0.0.0/0/0 192.168.1.1/255.255.255.255/0/0 at Sat May 03 14:56:30 CDT 2003
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
current_peer: 68.72.174.119
dynamic allocated peer ip: 192.168.1.1
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 63.174.221.4, remote crypto endpt.: 68.72.174.119
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 7f2a374d
inbound esp sas:
spi: 0x41f1cbf6(1106365430)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4607999/27968)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x7f2a374d(2133473101)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4608000/27968)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:

Details for *.*.*.4/255.255.255.255/0/0 192.168.1.1/255.255.255.255/0/0 at Sat May 03 14:58:16 CDT 2003
local ident (addr/mask/prot/port): ( *.*.*.4/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
current_peer: 68.72.174.119
dynamic allocated peer ip: 192.168.1.1
PERMIT, flags={}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 63.174.221.4, remote crypto endpt.: 68.72.174.119
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 92abd1be
inbound esp sas:
spi: 0xe53ee5e(240381534)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4607999/27512)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x92abd1be(2460733886)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4607999/27512)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
```

Andrew,

Based upon the "show crypto ipsec sa", it looks like you are able to successfully make an IPSEC connection from the VPN client to the PIX 501 but not able to pass traffic.

If 68.72.174.119 is the public IP address of the client, I see decrypts on the IPSEC SA but no encrypts. This basically means the PIX 501 is receiving traffic from the client but is not able to send it back for some reason.

1. After successfully connecting to the PIX 501 with the VPN client, what IP address did you try to access?

2. Does that IP address know how to get back to the PIX 501?

3. Also, do a clear xlate and see if that makes a difference.

I hope it helps.

Regards,

Arul
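The one-way counters Arul reads off the `show crypto ipsec sa` output can be checked mechanically. This is an added example, not code from the thread or from Cisco: it splits the output into one record per SA and classifies each by its encaps/decaps counters. The sample output is constructed from the thread's first SA (peer address replaced by a documentation address) plus a hypothetical healthy SA for contrast.

```python
import re

# Constructed sample: the first SA carries the thread's own counters (peer address
# replaced by a documentation address); the second is a hypothetical healthy SA.
SAMPLE_SA = """\
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
current_peer: 198.51.100.20
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
local ident (addr/mask/prot/port): ( 10.0.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
current_peer: 198.51.100.20
#pkts encaps: 41, #pkts encrypt: 41, #pkts digest 41
#pkts decaps: 39, #pkts decrypt: 39, #pkts verify 39
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
"""
LOCAL_RE = re.compile(r"local ident \(addr/mask/prot/port\): \(\s*([^)]+)\)")
REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(\s*([^)]+)\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|no sa \(send\)):?\s+(\d+)")

def parse_ipsec_sa(text):
    """One dict per SA: identities, peer and the packet counters the triage needs."""
    sas = []
    for line in text.splitlines():
        line = line.strip()
        if m := LOCAL_RE.match(line):  # "local ident" opens a new SA block
            sas.append({"local": m.group(1).strip(), "encaps": 0, "decaps": 0, "no_sa": 0})
        elif not sas:
            continue
        elif m := REMOTE_RE.match(line):
            sas[-1]["remote"] = m.group(1).strip()
        elif line.startswith("current_peer:"):
            sas[-1]["peer"] = line.split(":", 1)[1].strip()
        else:
            for name, value in COUNTER_RE.findall(line):
                sas[-1][name if name in ("encaps", "decaps") else "no_sa"] = int(value)
    return sas

def classify(sa):
    """What the encaps/decaps counters say about traffic flow on this SA."""
    if sa["decaps"] and not sa["encaps"]:
        return "one-way: PIX decrypts client traffic but sends nothing back"
    if sa["encaps"] and not sa["decaps"]:
        return "one-way: PIX sends to the client but receives nothing"
    if not sa["encaps"] and not sa["decaps"]:
        return "idle"
    return "bidirectional"
```

A "decrypts but no encrypts" SA points at the return path (routing from the target host back to the PIX, or the nat 0 exemption) rather than at the tunnel itself.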

jrabenstein (Level 1)

AJ, It looks as though your IKE Phase 1 (shared key exchange) is not completing. It is trying 9 times and fails. Your transform sets show ESP-DES-MD5. Are your clients doing this also? I think they may be trying to connect at 3DES instead or another Diffie-Hellman Group (1 or 5). This appears to be a simple mismatch of settings. Let me know via email if you wish.

JamieR
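To see the mismatch JamieR describes, the `debug crypto isakmp` lines can be grouped per transform and compared with the configured policy. This is an added example, not code from the thread or from Cisco: it parses the debug output quoted above, decodes the "encryption... What? 7?" line using the IANA IKEv1 encryption attribute values (7 is AES-CBC, a cipher this PIX cannot even name), converts the proposed lifetime octets to seconds, and lists why each proposal fails `isakmp policy 20`. Transform 10 in the sample is a hypothetical DES/MD5 proposal added here to show what an accepted one looks like.

```python
import re
# IANA IKEv1 encryption attribute values; PIX 6.2 prints "What? N?" for an N it lacks.
IKE_ENCRYPTION = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
# The thread's "isakmp policy 20" (des / md5 / group 2 / pre-share) in debug vocabulary.
POLICY_20 = {"encryption": "DES-CBC", "hash": "MD5", "group": "2", "auth": "pre-share"}
FIELDS = {"encryption ": "encryption", "hash ": "hash", "default group ": "group"}
TRANSFORM_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority \d+ policy")
UNKNOWN_RE = re.compile(r"encryption\.\.\. What\? (\d+)\?")

# Constructed sample: transform 1 as quoted in the thread, plus a hypothetical
# transform 10 (DES/MD5, no XAUTH) added here to show an accepted proposal.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): Checking ISAKMP transform 10 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
"""

def parse_isakmp_debug(text):
    """Group the 'ISAKMP:' attribute lines under the transform being checked."""
    proposals = []
    for line in text.splitlines():
        m = TRANSFORM_RE.search(line)
        if m:
            proposals.append({"transform": int(m.group(1))})
        elif proposals and line.startswith("ISAKMP:"):  # skip "ISAKMP (0):" verdicts
            body, p = line[len("ISAKMP:"):].strip(), proposals[-1]
            if u := UNKNOWN_RE.search(body):  # PIX cannot name the cipher at all
                p["encryption"] = IKE_ENCRYPTION.get(int(u.group(1)), "id " + u.group(1))
                p["unsupported"] = True
            elif body.endswith("auth pre-share"):  # "extended" marks an XAUTH proposal
                p["auth"], p["xauth"] = "pre-share", body.startswith("extended")
            elif body.startswith("life duration (VPI) of "):  # big-endian hex octets
                octets = [int(x, 16) for x in body.split(" of ")[1].split()]
                p["lifetime"] = int.from_bytes(bytes(octets), "big")
            else:
                for prefix, key in FIELDS.items():
                    if body.startswith(prefix):
                        p[key] = body[len(prefix):]
    return proposals

def mismatches(proposal, policy=POLICY_20):
    """Attributes on which the proposal fails the policy; [] means acceptable."""
    out = [k for k in policy if k in proposal and proposal[k] != policy[k]]
    return out + (["unsupported cipher"] if proposal.get("unsupported") else [])
```

Pass a different policy dict to `mismatches` to test a proposal against another `isakmp policy` entry before changing the box.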

I'm using Cisco VPN client 3.6. I was thinking it supports all required protocols. Is that true?

Thanks,

AJ

ajachowicz,

Did you ever resolve this problem?

I've run into a very similar situation and was wondering if you'd come up with a working solution.

Thanks!

No, the version you may be using may not support the same combination of phase 1 security policy.

Upgrade to the latest version. However, to do a simple test, add another policy with lower security and try again. If this works, then your current version does not support the SA phase 1 you set.

Let me know if this works,

Try these policies, for example:

```
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 28800
```

Let me know if it works.
