https://community.cisco.com/t5/network-security/a-strange-problem-pix-501/m-p/422257#M558599 <HTML><HEAD></HEAD><BODY><P>Seems like you have some routing problems.</P><P></P><P>The VPN Clients should use a separate Network Range that is diffrent from the inside network. As the netmask is choosen by the Class of network it is best to use a Class C network.</P><P></P><P>For example: 192.168.1.0 / 24 for the inside network</P><P>and 192.168.2.0 /24 for the VPN Pool. </P><P></P><P>Probably a few of this commands as "isakmp nat-traversal" will not work as this was added in the PIX OS 6.3.x code.</P><P></P><P>Config example:</P><P></P><P>access-list NONAT permit ip Internalnet ISubnet VPN-Pool 255.255.255.0</P><P>nat (inside) 0 access-list NONAT</P><P></P><P>access-list DYN-VPN-ACL permit ip Internalnet ISubnet VPN-Pool 255.255.255.0</P><P></P><P>aaa-server LOCAL protocol local</P><P>aaa authentication secure-http-client</P><P></P><P>sysopt connection permit-ipsec</P><P></P><P>crypto ipsec transform-set TRANS esp-3des esp-md5-hmac</P><P>crypto dynamic-map outside_dyn_map 20 match address DYN-VPN-ACL</P><P>crypto dynamic-map outside_dyn_map 20 set transform-set TRANS</P><P>crypto map REMOTE 65535 ipsec-isakmp dynamic outside_dyn_map</P><P>crypto map REMOTE client authentication LOCAL</P><P>crypto map REMOTE interface outside</P><P></P><P>isakmp enable outside</P><P>isakmp identity address</P><P>isakmp nat-traversal 20</P><P>isakmp policy 10 authentication pre-share</P><P>isakmp policy 10 encryption 3des</P><P>isakmp policy 10 hash md5</P><P>isakmp policy 10 group 2</P><P>isakmp policy 10 lifetime 86400</P><P></P><P>ip local pool VPNPool x.y.z.1-x.y.z.254</P><P>vpngroup VPNGroup address-pool VPNPool</P><P>vpngroup VPNGroup dns-server dns2 dns1</P><P>vpngroup VPNGroup default-domain localdomain</P><P>vpngroup VPNGroup idle-time 1800</P><P>vpngroup VPNGroup password grouppassword</P><P></P><P>username vpnclient password vpnclient-password </P><P></P><P>sincerely</P><P>Patrick</P></BODY></HTML> Fri, 06 May 2005 11:03:10 GMT Patrick Iseli 2005-05-06T11:03:10Z https://community.cisco.com/t5/network-security/a-strange-problem-pix-501/m-p/422256#M558590 <P>I connect with vpn client v 4.0.3f to the pix 501 v6.2, however I can access resources on the remote lan only after I initiate some kind of connection from the remote lan to the vpn client (a ping for example).Could the fact that I don't get any dhcp,dns or wins servers cause this problem?</P><P>(I've noticed that when I run ipconfig/all on the client pc I get only ip-sub-gateway, no dhcp,dns or wins servers are shown).The pix is not configured as dhcp server - I have an internal dhcp server</P> Fri, 21 Feb 2020 08:07:39 GMT https://community.cisco.com/t5/network-security/a-strange-problem-pix-501/m-p/422256#M558590 dagesh4 2020-02-21T08:07:39Z https://community.cisco.com/t5/network-security/a-strange-problem-pix-501/m-p/422257#M558599 <HTML><HEAD></HEAD><BODY><P>Seems like you have some routing problems.</P><P></P><P>The VPN Clients should use a separate Network Range that is diffrent from the inside network. As the netmask is choosen by the Class of network it is best to use a Class C network.</P><P></P><P>For example: 192.168.1.0 / 24 for the inside network</P><P>and 192.168.2.0 /24 for the VPN Pool. </P><P></P><P>Probably a few of this commands as "isakmp nat-traversal" will not work as this was added in the PIX OS 6.3.x code.</P><P></P><P>Config example:</P><P></P><P>access-list NONAT permit ip Internalnet ISubnet VPN-Pool 255.255.255.0</P><P>nat (inside) 0 access-list NONAT</P><P></P><P>access-list DYN-VPN-ACL permit ip Internalnet ISubnet VPN-Pool 255.255.255.0</P><P></P><P>aaa-server LOCAL protocol local</P><P>aaa authentication secure-http-client</P><P></P><P>sysopt connection permit-ipsec</P><P></P><P>crypto ipsec transform-set TRANS esp-3des esp-md5-hmac</P><P>crypto dynamic-map outside_dyn_map 20 match address DYN-VPN-ACL</P><P>crypto dynamic-map outside_dyn_map 20 set transform-set TRANS</P><P>crypto map REMOTE 65535 ipsec-isakmp dynamic outside_dyn_map</P><P>crypto map REMOTE client authentication LOCAL</P><P>crypto map REMOTE interface outside</P><P></P><P>isakmp enable outside</P><P>isakmp identity address</P><P>isakmp nat-traversal 20</P><P>isakmp policy 10 authentication pre-share</P><P>isakmp policy 10 encryption 3des</P><P>isakmp policy 10 hash md5</P><P>isakmp policy 10 group 2</P><P>isakmp policy 10 lifetime 86400</P><P></P><P>ip local pool VPNPool x.y.z.1-x.y.z.254</P><P>vpngroup VPNGroup address-pool VPNPool</P><P>vpngroup VPNGroup dns-server dns2 dns1</P><P>vpngroup VPNGroup default-domain localdomain</P><P>vpngroup VPNGroup idle-time 1800</P><P>vpngroup VPNGroup password grouppassword</P><P></P><P>username vpnclient password vpnclient-password </P><P></P><P>sincerely</P><P>Patrick</P></BODY></HTML> Fri, 06 May 2005 11:03:10 GMT https://community.cisco.com/t5/network-security/a-strange-problem-pix-501/m-p/422257#M558599 Patrick Iseli 2005-05-06T11:03:10Z