I have some trouble when I configure a PIX 515 for VPN clients. The VPN client can establish a tunnel with the PIX and gets an address from the PIX pool, but the client can't ping the hosts in the DMZ or the PIX's DMZ interface.
The config:
vpn# sh run
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security90
nameif ethernet3 intf3 security6
enable password xxx
access-list 120 permit host 23.x.x.43
access-list 120 permit host 23.x.x.2
access-list acl_dmz permit tcp any any eq telnet
access-list acl_dmz permit icmp any any
access-list 102 permit ip 211.x.x.0 255.255.255.128 192.168.1.0 255.255.255.0
pager lines 24
logging console emergencies
logging monitor emergencies
logging buffered emergencies
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
ip address outside 211.x.x.2xx 255.255.255.248
ip address inside 23.1.x.x.255.248.0
ip address dmz 188.8.131.52xx 255.255.255.128
no ip address intf3
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.1.0-192.168.1.100 mask 255.255.255.0
No wonder you are not able to ping the DMZ interface from the VPN client. You do not have the "management-access dmz" command in the PIX.
The management-access command makes an interface accessible to the VPN client or IPsec tunnel for telnet, SNMP etc. Without it the interface is never pingable, because the traffic is coming from the outside.
It looks like the inside network does not have a route to 192.168.1.0/24 back to the DMZ interface.
You have mixed and matched the configuration for the Cisco Secure VPN Client (old) with that for the Cisco VPN 3000 Client (new). If you have downloaded the VPN client recently, then it has to be the Cisco VPN 3000 Client.
Please clean up the configuration.
"sysopt ipsec pl-compatible" is a dangerous command to have in the configuration for IPsec. It is for older PIX OS rather than the newer 6.3.x; it makes the NAT part and the ASA features of the PIX OS useless for IPsec traffic. You do not need it.
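Putting the points from the replies together in one PIX 6.3 fragment, as an added example rather than the poster's own configuration: the DMZ network 203.0.113.0/25, the DMZ host address, the group name, transform set and pre-shared key are placeholders, and the ISAKMP/crypto-map lines are the usual PIX 6.x unified-client setup, not lines quoted from the thread.

```text
! Added example, not the poster's running config. 203.0.113.0/25 stands in
! for the (anonymised) DMZ subnet; group name, transform set and key are
! placeholders. The VPN pool 192.168.1.0/24 is the one from the thread.

! 1. Do not NAT traffic between the DMZ and the VPN pool, so clients reach
!    DMZ hosts by their real addresses.
access-list nonat permit ip 203.0.113.0 255.255.255.128 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list nonat

! 2. Let the DMZ interface itself answer VPN clients (ping, telnet, snmp).
!    PIX 6.3 permits management-access on one interface only.
management-access dmz

! 3. Return path: the pool is local to the PIX, so no static route is
!    needed there, but every DMZ host must route 192.168.1.0/24 back to
!    the PIX dmz address (placeholder 203.0.113.1), e.g. on a Linux host:
!      ip route add 192.168.1.0/24 via 203.0.113.1

! 4. PIX 6.3 does not track ICMP state, so echo-replies leaving the DMZ
!    must be allowed explicitly; limit them to the pool instead of
!    "permit icmp any any".
access-list acl_dmz permit icmp 203.0.113.0 255.255.255.128 192.168.1.0 255.255.255.0 echo-reply
access-group acl_dmz in interface dmz

! 5. Decrypted client traffic bypasses the outside ACL; drop the legacy
!    pl-compatible option the reply warns about.
sysopt connection permit-ipsec
no sysopt ipsec pl-compatible

! 6. Unified-client (Cisco VPN 3000 Client) style setup; remove any leftover
!    static crypto-map entries written for the old Cisco Secure VPN Client.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set tsvpn esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set tsvpn
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap interface outside
vpngroup vpnclients address-pool vpnpool
vpngroup vpnclients password PRE-SHARED-KEY-PLACEHOLDER
```

After applying it, "show crypto ipsec sa" should show the client SA with the DMZ subnet as the remote proxy, and a ping from the client to the DMZ interface address should answer without any outside ACL entry.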