(Username section and external IPs omitted for the sake of paranoia)
For remote clients I use Cisco VPN Client 5.0.07.
Clients can connect just fine, but can't ping the office-dmz interface (which I expect should be possible), and the PIX can't ping the remote client (printing "?" - unknown packet type); besides, when I look at the stats on the client there is a 100-byte increase in received traffic for every ping from the PIX.
Also, for the connected client a strange (in my opinion) route is created:
S 192.168.104.100 255.255.255.255 [1/0] via yyy.yyy.yyy.yyy, outside (yyy is the default gateway)
When in my opinion it should be like: 192.168.104.100 is directly connected, Virtual1234
So the question is: is my problem related to ACLs? (can't ping)
Or is it IPSec related? (Unknown packet type may mean that something is wrong with decrypting echo replies on the PIX)
Or is it a routing problem? (Strange route to client)
Or is there something else that I'm missing completely?
Yes, the client successfully establishes a connection to the PIX and I can't see any errors or warnings in the debug-level logs of the client.
Yeah, I know that.) The access lists created right now are for disabling NAT for the client network (dmz-no-acl) and creating split tunneling for the client (split-office-dmz), so not applying them to interfaces was a design feature.) I did not really know whether the PIX works on the basis of "everything that is not restricted is allowed" (and then ACLs are not a problem here) or "everything that is not allowed is restricted" (and then I simply need to add permitting ACLs).
Policy 65535 was added according to one of the tutorials as a "default policy for other cases", but clients never actually fall through to that policy. And besides, I've tried to remove it just in case - no luck.
The problem with routes is not that the address space is shared and there is some conflict. There is a logical gap for me because the PIX creates a next-hop route via its default gateway for the address of a remote client. I can't see any logic here because every VPN client is directly connected to the PIX via a Virtual interface dedicated to that tunnel.
By default all traffic is denied on the PIX, so you need to create and apply appropriate ACLs to permit traffic. Next, what I would try is to ping from PC to PC, not directly from the PIX to the PC. Or you can use extended ping and specify the source interface. Or you can try packet-tracer.
Also please check the logs regarding your ping to see whether you see some built outbound connection...
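The steps in the reply above (permit the traffic with an applied ACL, ping with a source interface, then run packet-tracer), collected into one PIX 7.x-style configuration and troubleshooting sequence. This is an added example, not the poster's configuration or Cisco documentation: the interface name dmz, the ACL name dmz_in, the DMZ subnet 192.168.10.0/24 and the client pool 192.168.104.0/24 are constructed assumptions; only the client address 192.168.104.100 comes from the thread.

```cisco
! Assumed names (not from the thread): interface "dmz" = the poster's
! office-dmz interface, 192.168.10.0/24 = the DMZ subnet, 192.168.104.0/24 =
! the remote-access client pool (the thread shows one client at 192.168.104.100).

! 1. Permit DMZ hosts to reach the VPN client pool and apply the ACL to the
!    interface. An ACL that is only defined (like the poster's dmz-no-acl and
!    split-office-dmz) does nothing for forwarding until it is applied.
access-list dmz_in extended permit icmp 192.168.10.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list dmz_in extended permit ip 192.168.10.0 255.255.255.0 192.168.104.0 255.255.255.0
access-group dmz_in in interface dmz

! 2. Decrypted tunnel traffic arriving on "outside" bypasses the outside
!    interface ACL while this is set (permit-ipsec on older 7.0 images).
sysopt connection permit-vpn

! 3. Track echo-request/echo-reply as a connection so replies are allowed
!    back statefully rather than needing a mirror ACL in the other direction.
policy-map global_policy
 class inspection_default
  inspect icmp

! 4. Test from the PIX with an explicit source interface, then trace the
!    packet path. packet-tracer reports the phase (ACL, NAT, VPN, route)
!    that dropped the packet, which answers the poster's "ACL or IPsec or
!    routing?" question directly. 8 0 = ICMP echo request type/code.
ping dmz 192.168.104.100
packet-tracer input dmz icmp 192.168.10.5 8 0 192.168.104.100 detailed

! 5. Confirm the session exists and that decrypt/encrypt counters move
!    on each ping; a rising #pkts decrypt with no reply points away from
!    the tunnel and toward the ACL or routing phases.
show vpn-sessiondb remote
show crypto ipsec sa
```

When reading the packet-tracer output, look at the final "Result" block: "Drop-reason" names the discarding phase, and an "ALLOW" result with no matching entry in the syslog "Built outbound ICMP connection" messages suggests the reply path rather than the request path is the problem.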
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...