Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX VPN Question

All,  I am trying to setup a very basic VPN solution with my PIX 515 version 6.3 at home.  As of right now I can successfully connect from the client and can pass traffic through the VPN to inside hosts (i.e. ping), and the hosts respond (both directions verified using "debug ip trace" on the PIX), but the remote client isn't receiving the return traffic (verified using wireshark on the client).  The hosts on the internal network all see the MAC address for my remote client's VPN obtained IP as the MAC of the inside interface of the PIX itself (makes sense).

My setup right now is VERY basic - one network on the outside interface of the PIX where my client is, and one network on the inside where my home network is.  I will add routing to outside stuff later once I get basic VPN connectivity established. 

My subnets are as follows:

Outside -

Inside -

I know I am probably missing something very simple, but I am having issues finding it.  Any assistance would be greately appreciated.  Below is my complete config.

Thanks in advance.



PIX Version 6.3(4)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname HAL2000PIX

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69


access-list 101 permit ip

pager lines 24

logging buffered debugging

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnpool1

pdm history enable

arp timeout 14400

nat (inside) 0 access-list 101

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac

crypto dynamic-map map2 10 set transform-set trmset1

crypto map map1 10 ipsec-isakmp dynamic map2

crypto map map1 interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes-256

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup HAL2000VPN address-pool vpnpool1

vpngroup HAL2000VPN dns-server

vpngroup HAL2000VPN default-domain

vpngroup HAL2000VPN split-tunnel 101

vpngroup HAL2000VPN idle-time 1800

vpngroup HAL2000VPN password ********

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80


PIX VPN Question

New Member

PIX VPN Question

I figured out what I was doing wrong, but I am not 100% sure what the issue is.  I had the VPN DHCP pool on the same subnet as the inside interface of the PIX (not a separate subnet).  Once I changed the subnet to something different (same as the configuration guide) and added static routes on the hosts to the VPN-DHCP pool via the inside interface of the PIX, everything worked. 

Is it not possible to have VPN clients on the same subnet as hosts and the inside PIX interface?  Quick disclaimer, I am a R&S guy

Thanks for your help.


PIX VPN Question

You should not use same IPs assigned for your VPN pool. This way VPN will connect but you wont get access for internal resources.



New Member

PIX VPN Question

Yeah, I see that, but honestly don't know enough about the PIX to know why that is a "rule"

PIX VPN Question


I would not say this is a PIX rule, it is more like a security approach to set up a remote client VPN on the best possible way.



Julio Carvajal
Senior Network Security and Core Specialist
CreatePlease login to create content