
New Member

vpn client to access the server located outside of pix

Hi NetPros,

I have a typical setup,

Server(at UK)---India end Router---Pix---Lan.

UK end and India Router connecting via IPSec tunnel over internet.

My LAN (inside PIX) users are able to access the internet as well as the UK server.

We want people on the internet to access the UK-based server. For that we configured the PIX for VPN client.

The tunnel is getting established and we are able to ping from the VPN client to the LAN and vice versa.

Now the problem is that traffic for the UK server from the VPN client is not going out from the PIX firewall, or it is getting dropped between the PIX and the router.

When I did debug icmp trace at the PIX, I could see the request for the UK server is reaching the PIX, but it is not being forwarded further.

Any help would be highly appreciated.

Thanks,

Hardik..

2 REPLIES
Cisco Employee

Re: vpn client to access the server located outside of pix

The PIX, by default (and not at all in earlier versions), won't route a packet back out the same interface it came in on.

First off, you will have to upgrade the PIX to v7.x, I would probably recommend the latest 7.0 or 7.1 code available here:

http://www.cisco.com/cgi-bin/tablebuild.pl/pix

Then add the following command to the config:

same-security-traffic permit intra-interface

See http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/s.htm#wp1494249 for details. Because the VPN client traffic will have a source address of your address-pool, which will be a private address pool, you have to NAT this traffic as it goes in and out the outside interface. You do this with the rather unique config as follows:

nat (outside) 20

global (outside) 20 interface

Note how both statements refer to the outside interface, this is because traffic comes in and goes out that interface. After that you should be good to go.
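A fuller PIX 7.x configuration for the hairpin described in this answer, added here as an illustration rather than taken from the thread; it assumes a 7.x-capable PIX, a VPN client pool of 192.168.100.0/24 named VPNPOOL and an inside LAN of 10.1.1.0/24, none of which are given in the post:

```cisco
! Added example (assumed addresses): PIX 7.x hairpinning of VPN-client
! traffic back out the outside interface toward the UK server.
!
! 1. Allow a packet to enter and leave the same interface (off by default).
same-security-traffic permit intra-interface
!
! 2. Address pool handed to VPN clients (assumed 192.168.100.0/24).
ip local pool VPNPOOL 192.168.100.1-192.168.100.50 mask 255.255.255.0
!
! 3. Hairpin NAT: the pool both enters and leaves the outside interface,
!    so both statements name "outside" and the clients are translated to
!    the outside interface address before heading for the site-to-site
!    tunnel to the UK. The real network (the pool) must be given here.
nat (outside) 20 192.168.100.0 255.255.255.0
global (outside) 20 interface
!
! 4. Keep inside <-> VPN-client traffic untranslated (assumed inside
!    network 10.1.1.0/24) so the LAN reachability that already works
!    is not changed by the new NAT rule.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Verification once a client is connected and pinging the UK server:
!   show xlate            -> a translation of the client's pool address
!                            to the outside interface address
!   show crypto ipsec sa  -> encaps/decaps counters rising on the
!                            site-to-site SA toward the UK router
```

Because the hairpinned packets leave with the PIX outside address as their source, the crypto ACL on the India router (and its UK peer) must treat that address, or the pool if you choose not to NAT it, as interesting traffic, otherwise the packets reach the router but are never put into the tunnel.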

New Member

Re: vpn client to access the server located outside of pix

Thanks for the reply,

I'm having a PIX 506E with version 6.3. What I understand is that the 506E can't be upgraded to 7.0. Please revert if this is wrong.

So, is there any solution available for 506E ?

Regards,

Hardik..
