New Member

Easy VPN PIX 501 > ASA5505

So, I have an ASA 5505 at one office, with the ability to do a clientless or AnyConnect VPN into it. I also have a Windows 2008 server which will allow me to PPTP, L2TP, or SSTP into it.

My goal: In my pursuit of understanding VPNs more, I would like to set up a PIX 501 at a remote location, and when I plug a user into it, I would like it to be as if I'm plugged into my office network switch.

I followed this article regarding the PIX setup for the client:

And for the ASA Easy VPN server, I used the wizard.

Here is a summary of the config files:

  • Before I issue the vpnclient enable command, all users on the PIX are able to communicate with the internet.
  • They are even able to establish clientless SSL VPN connections to the office.
  • As soon as I did 'vpnclient enable' on the PIX, my test user lost internet connectivity; this user is also not able to view office resources.

A little about the network in general:

  • Office = ISP > ASA( > SWITCH > Servers
  • REMOTE = ISP > PIX 501( > User
Super Bronze

Re: Easy VPN PIX 501 > ASA5505


I configured a few PIX501 firewalls as NEM clients for one of our customers a few years ago, so I'm a bit rusty.

I think you need to have the username/password configuration on the PIX501 also.

vpnclient username password

The ASA5505 might also need some configuration under its group-policy. Not 100% sure about this, as our IOS VPN devices' VPN profile configurations look a bit different.

group-policy attributes

  password-storage enable

  nem enable

Also, to be able to use the Internet through the VPN connection, you need NAT configuration on the ASA5505 so the PIX501 users can use the ASA5505 outside interface IP as the PAT address for traffic destined to the Internet.

Looking at your NAT exempt configuration for the VPN, I would personally use the real network address range as the source instead of using any.

- Jouni

New Member

Re: Easy VPN PIX 501 > ASA5505

Getting closer,

I keep my connection to the 172.16.0/24 network, but I am no longer able to reach the 10.100.60 or 192.168.0 networks, or the public internet.

On the ASA side, I have listed these networks in the exclude ACL.

Here is an updated ASA config:


IPv4 Route Table

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric
(route entries not preserved in the post; only the "On-link" gateway and the metrics 100 and 306 survive for each row)


FW(config)# show isakmp sa

Total     : 1

Embryonic : 0

        dst               src        state           pending     created
                                     OAK_CONF_VPNC   0           0

FW(config)# show ipsec sa

interface: outside

    Crypto map tag: _vpnc_cm, local addr.

   local  ident (addr/mask/prot/port): (

   remote ident (addr/mask/prot/port): (


     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.:, remote crypto endpt.:

     path mtu 1500, ipsec overhead 0, media mtu 1500

     current outbound spi: 0

FW(config)# sh run | i vpn

vpnclient server

vpnclient mode network-extension-mode

vpnclient vpngroup securesub_evpn password ********

vpnclient username **** password ********

vpnclient enable

Re: Easy VPN PIX 501 > ASA5505

Hi Daniel,

On the Headend ASA evpn config...

group-policy securesub_evpn attributes

dns-server value

vpn-tunnel-protocol ikev1

split-tunnel-policy excludespecified

split-tunnel-network-list value BAH-PKI-LAB

Change the "split-tunnel-policy excludespecified" to "split-tunnel-policy tunnelspecified"  and test. This might help.
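Pulling Jouni's suggestions (nem enable, password-storage enable, NAT exemption on the real ranges, PAT out the outside interface for Internet traffic) and the split-tunnel change from the last reply into one headend configuration. This is an added example written for this thread; it is not either poster's configuration and not a Cisco reference config. It assumes ASA 8.4-style syntax (the thread's "vpn-tunnel-protocol ikev1" line is 8.4+ syntax), an office LAN of 172.16.0.0/24 on inside, a LAN of 192.168.60.0/24 behind the PIX 501, and the group name securesub_evpn from the thread; every address, object name and map name is an assumption. The point behind the last reply: split-tunnel-policy excludespecified sends the networks in the list outside the tunnel, so listing the office networks there keeps them out of the tunnel, the opposite of what is wanted. The two alternatives at the end are mutually exclusive: tunnelall sends the remote LAN's Internet traffic through the office and needs the hairpin NAT; tunnelspecified sends only the listed office prefixes through the tunnel and the PIX handles Internet traffic itself.

```cisco
! Added example for this thread (not either poster's config, not a Cisco reference config).
! Assumed ASA 8.4+ syntax and assumed addresses:
!   office LAN   172.16.0.0/24    (ASA inside)
!   remote LAN   192.168.60.0/24  (behind the PIX 501, a network-extension-mode client)
!   group name   securesub_evpn   (from the thread)

! --- IKEv1 / IPsec on the outside interface ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP 10 set ikev1 transform-set ESP-AES-SHA
! reverse-route injection installs a route to the NEM client's LAN when the tunnel comes up
crypto dynamic-map DYNMAP 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE-MAP interface outside

! --- Objects and NAT ---
object network OFFICE-LAN
 subnet 172.16.0.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.60.0 255.255.255.0

! NAT exemption between the real office and remote ranges (not "any"), as Jouni recommends
nat (inside,outside) source static OFFICE-LAN OFFICE-LAN destination static REMOTE-LAN REMOTE-LAN

! --- Group policy for the NEM client ---
! only the office prefix(es) that should be reached through the tunnel
access-list TUNNEL-NETS standard permit 172.16.0.0 255.255.255.0

group-policy securesub_evpn internal
group-policy securesub_evpn attributes
 vpn-tunnel-protocol ikev1
 ! accept a network-extension-mode client (the PIX's "vpnclient mode network-extension-mode")
 nem enable
 ! allow the PIX to keep its "vpnclient username ... password ..." credentials
 password-storage enable
 ! Alternative A: everything through the office (requires the hairpin NAT at the end)
 split-tunnel-policy tunnelall
 ! Alternative B: only TUNNEL-NETS through the tunnel, Internet direct from the PIX
 ! (remove the tunnelall line above and uncomment these two)
 ! split-tunnel-policy tunnelspecified
 ! split-tunnel-network-list value TUNNEL-NETS

tunnel-group securesub_evpn type remote-access
tunnel-group securesub_evpn general-attributes
 default-group-policy securesub_evpn
tunnel-group securesub_evpn ipsec-attributes
 ! must match the "vpnclient vpngroup securesub_evpn password ..." on the PIX
 ikev1 pre-shared-key <group-password>

! --- Alternative A only: hairpin the remote LAN's Internet traffic back out the outside interface ---
! traffic arriving on outside (from the tunnel) must be allowed to leave on outside
same-security-traffic permit intra-interface
! PAT the remote LAN to the outside interface address for Internet-bound traffic
object network REMOTE-LAN
 nat (outside,outside) dynamic interface
```

After applying either alternative, the counters in "show ipsec sa" on the PIX should move off zero for traffic to the office prefix; with alternative A the PIX's Internet-bound traffic should also show up there, while with alternative B it should not (the PIX routes it directly).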