Cisco Support Community
Community Member

I have a very very hard problem, please help me!

I can connect to the PIX and the VPN client PC can receive the settings from the PIX firewall, however I am unable to see and ping the local LAN.

Network Diagram

vpn client-----(Internet)------pix---168.x.x.x

Below is the config, am I missing a route or an access-list?

All help gratefully appreciated.

: Saved


PIX Version 7.0(4)12


hostname pixfirewall


interface Ethernet0

nameif outside

security-level 0

ip address standby


interface Ethernet1

nameif inside

security-level 100

ip address standby


same-security-traffic permit intra-interface

access-list inside_nat0_outbound extended permit ip

access-list outside_cryptomap_dyn_20 extended permit ip

access-list outside_cryptomap_dyn_20 extended permit ip any

access-list Outside_access_in extended permit icmp any any

access-list splittunnel standard permit

ip local pool hpcisco mask


icmp permit any outside

icmp permit any inside


global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1

access-group Outside_access_in in interface outside

route outside 1

group-policy hpcisco internal

group-policy hpcisco attributes

vpn-idle-timeout 20

split-tunnel-policy tunnelspecified

split-tunnel-network-list value splittunnel

http server enable

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp nat-traversal 20

tunnel-group hpcisco type ipsec-ra

tunnel-group hpcisco general-attributes

address-pool hpcisco

default-group-policy hpcisco

tunnel-group hpcisco ipsec-attributes

pre-shared-key *



: end

Community Member

Re: I have a very very hard problem, please help me!

Hi there, I can solve your problem. You have not assigned the

vpn-address-assign local

This command is required to tell that the VPN clients will be assigned addresses locally. Plus, please check in your policy map with the command

sh run policy-map global_policy

whether you have enabled inspection for ICMP.

Please also check with this command

sh sysopt

It should show you

sysopt connection permit-ipsec

This has to be there to avoid the crypto ACL check on the outside for the VPN clients.

Tell me whether this has helped you. Waiting for your reply.



Community Member

Re: I have a very very hard problem, please help me!

1. I haven't enabled inspection for icmp

Result of the command: "sh run policy-map global_policy"


policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp


2. Result of the command: "show run syso"

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

no sysopt uauth allow-http-cache

sysopt connection permit-ipsec

3. I don't understand vpn-address-assign local

Result of the command: "show running-config all vpn-addr-assign"

vpn-addr-assign aaa

vpn-addr-assign dhcp

vpn-addr-assign local
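The three checks requested in the first reply can be run over pasted "show" output in one pass. The following is an added example, not part of the original thread and not Cisco tooling; the function names and the sample text (constructed from the output lines quoted above) are assumptions.

```python
# Constructed sample: lines taken from the "show" output quoted in the thread,
# flattened (no indentation) the way it was pasted there.
SAMPLE = """\
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect sip
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection permit-ipsec
vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local
"""

def inspections(config, policy="global_policy", klass="inspection_default"):
    """Protocols inspected under policy-map/class; the block is tracked by
    keyword, so indented and flattened pastes both work."""
    found, in_policy, in_class = set(), False, False
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "policy-map":
            in_policy, in_class = words[1:2] == [policy], False
        elif words[0] == "class" and in_policy:
            in_class = words[1:2] == [klass]
        elif words[0] == "inspect" and in_class and len(words) > 1:
            found.add(words[1])
        elif words[0] not in ("inspect", "class", "description"):
            in_policy = in_class = False  # any other command ends the block
    return found

def has_command(config, command):
    """True only for an exact line match, so a 'no ...' form does not count."""
    want = command.split()
    return any(line.split() == want for line in config.splitlines())

def check(config):
    return {
        "icmp inspection": "icmp" in inspections(config),
        "sysopt connection permit-ipsec":
            has_command(config, "sysopt connection permit-ipsec"),
        "vpn-addr-assign local": has_command(config, "vpn-addr-assign local"),
    }

if __name__ == "__main__":
    for name, ok in check(SAMPLE).items():
        print(f"{'present' if ok else 'MISSING':8} {name}")
```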

Community Member

Re: I have a very very hard problem, please help me!

Can you still help me? Thanks.

Community Member

Re: I have a very very hard problem, please help me!

You've probably solved this already by now, but version 7 needs an access list permitting inside traffic out.

access-list inside_out permit ip any any

access-group inside_out in interface inside

Cheers Tony
