I am using PIX 7.0 and VPN client 4.8.
I can connect with the PIX outside (184.108.40.206), but from the VPN client I can't see the subnet of the PIX inside (168.x.x.0). The VPN client can't access the internal subnet. Please help.
pixfirewall(config)# show run
PIX Version 7.0(4)12
ip address isp_addr 255.255.255.192 standby isp_addr
ip address 168.x.x.x.255.255.0 standby 220.127.116.11
access-list inside_nat0_outbound extended permit ip any 172.16.16.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 172.16.16.0 255.255.255.0
ip local pool hpcisco 172.16.16.1-172.16.16.254 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 168.x.x.x.255.255.0
route outside 0.0.0.0 0.0.0.0 isp 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group hpcisco type ipsec-ra
tunnel-group hpcisco general-attributes
tunnel-group hpcisco ipsec-attributes
Have you enabled NAT traversal? If you are behind a device doing NAT then you need to enable this feature:
isakmp nat-traversal 30
Thanks. Result of the command: "show running-config sysopt"
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt uauth allow-http-cache
sysopt connection permit-ipsec
Can you please add the following access list and apply it to the internal interface:
access-list Inside_out extended permit ip any
access-group Inside_out in interface Inside
I have added the access-list, but show access-list indicates hitcnt=0, as follows. Thanks!
access-list Inside_out; 1 elements
access-list Inside_out line 1 extended permit ip any 172.16.16.0 255.255.255.0 (hitcnt=0)
Does your inside router know what to do with 172.16.16.0? You may have to add a static route to it:
ip route 172.16.16.0 255.255.255.0 168.x.x.x (where 168.x.x.x is the inside address of the pix).
Can you change your access-list configuration to:
access-list outside_cryptomap_dyn_20 extended permit ip 168.50.x.x 255.255.255.0 172.16.16.0 255.255.255.0
I hope that the problem is solved by now. In case it is not, could you paste the complete configuration please, probably as an attachment.
There could be many possibilities for the VPN client not to communicate. With 7.0 I have limited experience; however, conceptually it is not very different from 6.x.
Please paste the complete configuration.
Connect with the VPN client.
Ping something on the inside.
Check the encryption, decryption status on the Client.
Check sh cry ipsec sa and note the decryption counter. If you see something here, that means you received what the client had sent.
Then check if you (the PIX) are encrypting something.
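As an added troubleshooting aid (not code from this thread or from Cisco): a small Python checker that reads a PIX 7.0 configuration fragment like the one posted above and reports the points raised in the replies, namely whether the client pool is exempted from NAT by the nat 0 ACL, whether a dynamic crypto-map ACL covers the pool, and whether sysopt connection permit-ipsec and isakmp nat-traversal are present. The embedded config is a constructed sample built from the poster's lines; the redacted 168.x.x.x addresses are not needed by it.

```python
import ipaddress

SAMPLE_CONFIG = """\
ip local pool hpcisco 172.16.16.1-172.16.16.254 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.16.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 172.16.16.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
sysopt connection permit-ipsec
"""  # constructed sample: the lines of the poster's PIX 7.0 fragment the checker reads

def _take_addr(tokens):
    # Consume one ACL address term: "any" or "A MASK".
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_config(text):
    # Collect the client pool, extended IP ACLs, NAT-0 ACL name, crypto ACL names and the two flags.
    cfg = {"pool": None, "acls": {}, "nat0_acl": None, "crypto_acls": set(), "flags": set()}
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and "permit" in t and "ip" in t:
            rest = t[t.index("ip") + 1:]
            cfg["acls"].setdefault(t[1], []).append((_take_addr(rest), _take_addr(rest)))
        elif t[:3] == ["ip", "local", "pool"]:          # first address + mask -> pool network
            cfg["pool"] = ipaddress.ip_network(f"{t[4].split('-')[0]}/{t[6]}", strict=False)
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg["nat0_acl"] = t[4]
        elif t[:2] == ["crypto", "dynamic-map"] and "match" in t:
            cfg["crypto_acls"].add(t[-1])
        elif t[:3] == ["sysopt", "connection", "permit-ipsec"] or t[:2] == ["isakmp", "nat-traversal"]:
            cfg["flags"].add("permit-ipsec" if t[0] == "sysopt" else "nat-traversal")
    return cfg

def check_vpn_pool(cfg):
    pool, findings = cfg["pool"], []
    def covered_by(name):   # does any entry of ACL `name` match traffic destined to the pool?
        return any(dst.supernet_of(pool) for _, dst in cfg["acls"].get(name, []))
    if not cfg["nat0_acl"] or not covered_by(cfg["nat0_acl"]):
        findings.append("nat 0: pool is not exempted from NAT, inside replies get translated")
    if not any(covered_by(n) for n in cfg["crypto_acls"]):
        findings.append("crypto: no dynamic-map ACL covers the pool, nothing gets encrypted")
    if "permit-ipsec" not in cfg["flags"]:
        findings.append("sysopt: connection permit-ipsec missing, decrypted traffic hits interface ACLs")
    if "nat-traversal" not in cfg["flags"]:
        findings.append("isakmp: nat-traversal not enabled, clients behind a NAT device may fail")
    return findings
```

Run against the posted fragment it reports only the missing nat-traversal line; paste a full show run into SAMPLE_CONFIG to check your own box.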