OK, this one has me puzzled. It has been a while since I configured a PIX for client VPN access, so I don't know what I am missing. I have done quite a few ASA setups, no problem, but this PIX one has me stumped.
Internal network 192.168.1.0/24, VPN pool 192.168.10.0/24.
NoNat ACL 192.168.1.0/24 192.168.10.0/24
nat (inside) 0 access-list NoNat
VPN ACL 192.168.1.0/24 192.168.10.0/24
vpngroup group split-tunnel VPN
I am connecting OK, authenticating against RADIUS, and the route tab on the client shows 192.168.1.0/24, but I can't ping or Remote Desktop to anything behind the PIX. I ran debug icmp trace and did not see any traffic either.
The show cry ips sa shows me encrypted and decrypted traffic, though; the client only shows encrypted. The client is version 5.0.03.0560, PIX OS is 6.3(5).
I should note I tried this from both an XP machine and a Macbook. Same results.
That's not a problem; the default gateway for everything is the PIX. Further troubleshooting led me to the show crypto map command to verify that the dynamic ACL is working, and I found something interesting: the ACL for no NAT does not appear.
access-list dynacl18; 1 elements
access-list dynacl18 line 1 permit ip any host 192.168.10.1 (hitcnt=172)
I am not seeing:
access-list dynacl17; 1 elements
access-list dynacl17 line 1 permit ip host (outside IP) host 192.168.10.1
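For reference, the shorthand in the question expanded into PIX OS 6.3 syntax. This is an added example, not configuration from the original poster, and it is a generic remote-access template rather than a diagnosis of this case. The pool name vpnpool, the group name group, the AAA server tag RADIUS, the RADIUS server address and key, and the crypto/dynamic map names are assumptions.

```text
! Address pool handed to VPN clients (assumed name: vpnpool)
ip local pool vpnpool 192.168.10.1-192.168.10.254

! NAT exemption: inside hosts talking to the VPN pool must not be translated
access-list NoNat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NoNat

! Split-tunnel ACL: the networks pushed to the client's route table
access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

! RADIUS server used for XAUTH (assumed tag, host and key)
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.5 SharedKey timeout 10

! Client group (assumed name: group)
vpngroup group address-pool vpnpool
vpngroup group split-tunnel VPN
vpngroup group idle-time 1800
vpngroup group password GroupPreSharedKey

! ISAKMP and IPsec policy for the remote-access clients
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map client authentication RADIUS
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map interface outside

! Let decrypted IPsec traffic bypass the outside interface ACL
sysopt connection permit-ipsec
```

With this template in place, show crypto map lists the static entry plus one dynacl per connected client, show crypto ipsec sa should count both encaps and decaps for a client that can reach inside hosts, and show xlate should show no translation for 192.168.1.x to 192.168.10.x flows if the nat 0 exemption is matching.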