https://community.cisco.com/t5/network-security/vpn-client-access-list-problem/m-p/395411#M1059634 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I've resolved... I didn't see this "FEATURE":</P><P></P><P>ipsec pl-compatible</P><P> </P><P>Enable IPSec packets to bypass the PIX Firewall unit's NAT and ASA features and allows incoming IPSec packets to terminate on the inside interface. </P><P></P><P>Now it works...</P><P></P><P>Thanks</P><P>Antonello</P></BODY></HTML> Sat, 20 Nov 2004 15:23:37 GMT antonello.i 2004-11-20T15:23:37Z https://community.cisco.com/t5/network-security/vpn-client-access-list-problem/m-p/395410#M1059630 <P>Hi,</P><P>In my company I've a cisco pix 515 running 6.3(4), i've three interface but</P><P>i'm using only two of them.</P><P>On the inside network card I've two vlan, one for the inside networks (wks and internal</P><P>server) and one for dmz (mail, web... servers). The outside card is a "point to point" with</P><P>my border router.</P><P>From outside address to another firewall I've configured a normal ipsec tunnel and everything</P><P>works fine.</P><P></P><P>Now I'm introducing a vpn client service with cisco Vpn Client (ver. 4.x).</P><P>As radius I've a Windows Internet Authentication Service (IAS) on the internal network that</P><P>guarantees access to authenticated users.</P><P>After authentication the pix receives from the radius (via Cisco-Av-Pair attribute acl=xxxx) the access-list name to assign to the client users.</P><P></P><P>Everything seems to work fine: users authentication works -&gt; client cisco receives split-tunnel rules from pix -&gt; pix receives acl name from radius.</P><P></P><P>THE PROBLEM IS: the access-list I've assigned to the client don't match any packet and the client</P><P>can go on everything ip on my inside networks (compatibly with split-tunnel rules) !!!!</P><P></P><P>I've tried to put a "deny ip any any" on the inside network but it doesn't work, packets pass however...</P><P>I've a nat 0 on the inside interface, but the policies are corrects.</P><P>Seems like that the pix considers only the split-tunnels rules and not the access-list, also</P><P>I've tried to specify a fake access-list in the cisco-av-pair attibute but I've reported</P><P>the same results... packets passes</P><P></P><P>I've a similar configuration on another fw that runs 6.3(1) versions, on this pix everything works!</P><P></P><P>Any ideas?</P><P></P><P>Thanks in advance and sorry for my bad english.</P><P></P><P>Antonello I.</P><P></P> Fri, 21 Feb 2020 07:45:35 GMT https://community.cisco.com/t5/network-security/vpn-client-access-list-problem/m-p/395410#M1059630 antonello.i 2020-02-21T07:45:35Z https://community.cisco.com/t5/network-security/vpn-client-access-list-problem/m-p/395411#M1059634 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I've resolved... I didn't see this "FEATURE":</P><P></P><P>ipsec pl-compatible</P><P> </P><P>Enable IPSec packets to bypass the PIX Firewall unit's NAT and ASA features and allows incoming IPSec packets to terminate on the inside interface. </P><P></P><P>Now it works...</P><P></P><P>Thanks</P><P>Antonello</P></BODY></HTML> Sat, 20 Nov 2004 15:23:37 GMT https://community.cisco.com/t5/network-security/vpn-client-access-list-problem/m-p/395411#M1059634 antonello.i 2004-11-20T15:23:37Z