Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

VPN client and 501

OK I give up! Help

My vpn client 4.0.5 is not connect to the network. I'm using ISA and radius to authenticate. However client is not connecting. So the setup is ISP---Pix---ISA/Exchange/file server (windows 2000)

Here is the 501 config.

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxx

passwd xxxx

hostname pixfirewall

domain-name hshd.loc

clock timezone CST -6

clock summer-time CDT recurring

fixup protocol http 80

fixup protocol smtp 25

fixup protocol ftp 21

no fixup protocol h323 h225 1720

no fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

no fixup protocol sip 5060

no fixup protocol skinny 2000

no fixup protocol sqlnet 1521


access-list outbound permit ip any

access-list outside_cryptomap_dyn_20 permit ip any

pager lines 24

logging on

logging timestamp

logging trap errors

logging host inside

interface ethernet0 10baset

interface ethernet1 10full

icmp permit any echo inside

mtu outside 1500

mtu inside 1500

ip address outside 69.x.x.x.x.255.248

ip address inside

multicast interface outside

multicast interface inside

ip audit info action alarm

ip audit attack action alarm

ip local pool hshd

pdm location inside

pdm logging errors 100

pdm history enable

arp timeout 14400

global (outside) 1

nat (inside) 0 access-list outbound

nat (inside) 1 0 0

conduit permit icmp any any

route outside 0.x.x.x.x.120.27 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip

0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host XXXXXXX timeout 10

ntp server source inside

http server enable

http inside

no snmp-server location

no snmp-server contact

no snmp-server enable traps

tftp-server inside \ciscosystems\pix

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map client authentication inside

crypto map outside_map interface outside

isakmp enable outside

isakmp identity address

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup HSHD address-pool hshd

vpngroup HSHD dns-server

vpngroup HSHD default-domain hshd.hom

vpngroup HSHD idle-time 1800

vpngroup HSHD password ********

telnet inside

telnet timeout 5

ssh timeout 5

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

terminal width 80

Any help or thoughts would be welcome. Concerns is that network subnet may not proper for nat .192-.224




Re: VPN client and 501


First off What is the actual problem is it the client isn't connecting or is there a problem with authentication.

Here are the steps I would take to troubleshoot your problems.

First change your Authentication to using local user accounts on your PIX temporarily or set it up to fallback to the pix for authentication. Then create an identical user account on the pix with a different password try to login using the first password on your server if no go then try using the second password. If it connects then you know your vpn setup is right just your aaa is haveing a problem.

config example:

crypto map outside_map client authentication inside local

aaa-server LOCAL protocol local

username someone password somewhere

PS, Turn you logging setting in your vpn client to high for isakmp ipsec to discovery problems with your actual vpn configuration.



Community Member

Re: VPN client and 501

What OS is the client installed on? If its XP SP2 you have to have 4.6 or better.

Re: VPN client and 501


it will be worth to look at the explanations and configurations given in: "Configuring IPSec Between Two PIXes With VPN Client 4.x Access"

Just skip the commented configuration part for PIX-to-PIX communication. Another document which can help you is: "How to Configure the Cisco VPN Client to PIX with AES" found at

For troubleshooting purposes have a look at:

"Resolving Microsoft Routing Problems on Cisco VPN Clients"


"Troubleshooting Microsoft Network Neighborhood After Establishing a VPN Tunnel With the Cisco VPN Client" at

Hope this helps! Please rate all posts.

Regards, Martin

Re: VPN client and 501

Dear Bill

please see the url

Secondly, if all is correct you have to cofigure teh pix with the following command accourding to your configuration

crypto map outside_map client authentication RADIUS

Finnaly you have to also configure the ACS/RADIUS for external user database as windows 2000 server.

HTH also please free to buzz on

CreatePlease to create content