https://community.cisco.com/t5/network-security/routing-local-addresspool-for-ipsec-issue-on-pix506e/m-p/1153646#M861161 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thanks for the rating. Sorry I'm not sure about the downloadable ACL. However I did see this after a quick search</P><P></P><P><A class="jive-link-custom" href="http://supportwiki.cisco.com/ViewWiki/index.php/Downloadable_ACLs_configured_on_the_Cisco_Secure_ACS_version_4.0_for_Windows_are_unable_to_restrict_access_for_Cisco_VPN_Clients_that_terminate_on_the_PIX_Firewall" target="_blank">http://supportwiki.cisco.com/ViewWiki/index.php/Downloadable_ACLs_configured_on_the_Cisco_Secure_ACS_version_4.0_for_Windows_are_unable_to_restrict_access_for_Cisco_VPN_Clients_that_terminate_on_the_PIX_Firewall</A></P><P></P><P>You will probably get more responses if you post this as a new question (as this thread is marked solved).</P><P></P><P></P><P>Regards</P></BODY></HTML> Thu, 09 Apr 2009 06:45:33 GMT JamesLuther 2009-04-09T06:45:33Z https://community.cisco.com/t5/network-security/routing-local-addresspool-for-ipsec-issue-on-pix506e/m-p/1153641#M861146 <P>My internal networks are 192.168.2.0/24 and 192.168.4.0/24 and are behind a 2811 router. Between 2811 and PIX I use network 10.10.10.8/30. Now I want to use some 192.168.5.0 addresses for a remote access pool, defined on the PIX. When I connect with Cisco VNP client (192.168.5.1) the tunnel comes up but I'm not able to access my internal network. Does anyone know what's wrong?</P> Mon, 11 Mar 2019 15:15:10 GMT https://community.cisco.com/t5/network-security/routing-local-addresspool-for-ipsec-issue-on-pix506e/m-p/1153641#M861146 pverstegen 2019-03-11T15:15:10Z https://community.cisco.com/t5/network-security/routing-local-addresspool-for-ipsec-issue-on-pix506e/m-p/1153642#M861147 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Maybe a bit obvious, but do you have a route for the 192.168.5.0/24 network on the 2811 router pointing towards the PIX or is this covered by a default route?</P><P></P><P>If you post your config of the PIX and 2811 then it may help.</P><P></P><P></P><P>regards</P></BODY></HTML> Mon, 06 Apr 2009 07:31:48 GMT https://community.cisco.com/t5/network-security/routing-local-addresspool-for-ipsec-issue-on-pix506e/m-p/1153642#M861147 JamesLuther 2009-04-06T07:31:48Z https://community.cisco.com/t5/network-security/routing-local-addresspool-for-ipsec-issue-on-pix506e/m-p/1153643#M861149 <HTML><HEAD></HEAD><BODY><P>Hi James,</P><P></P><P>I think this is covered by the default route.</P><P></P><P>Please find attached my configs.</P><P></P><P>Best regards,</P><P>Peter</P><P></P><P> </P><P></P></BODY></HTML> Mon, 06 Apr 2009 08:16:44 GMT https://community.cisco.com/t5/network-security/routing-local-addresspool-for-ipsec-issue-on-pix506e/m-p/1153643#M861149 pverstegen 2009-04-06T08:16:44Z https://community.cisco.com/t5/network-security/routing-local-addresspool-for-ipsec-issue-on-pix506e/m-p/1153644#M861153 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Perhaps it is to do with NAT? Try adding the following on the PIX</P><P></P><P>isakmp nat-traversal</P><P></P><P>Is this a new client VPN setup or is it a change to an existing setup? Have you tried running some debug or packet capture on the PIX to see what is happening? Are the packets arriving at the PIX in the first place?</P><P></P><P></P><P></P><P>Regards</P></BODY></HTML> Mon, 06 Apr 2009 09:14:19 GMT https://community.cisco.com/t5/network-security/routing-local-addresspool-for-ipsec-issue-on-pix506e/m-p/1153644#M861153 JamesLuther 2009-04-06T09:14:19Z https://community.cisco.com/t5/network-security/routing-local-addresspool-for-ipsec-issue-on-pix506e/m-p/1153645#M861157 <HTML><HEAD></HEAD><BODY><P>Hi, seems that command did the trick. Thanks...</P><P>I'm now able to get into the network and reach all machines. The only challenge</P><P>there is right now is to get my incoming ACS downloadable ACL working. Maybe you are experienced with this combination: PIX605E 6.3(5) - ACS 4.1(1) Build 23 Patch 5. This is my list:</P><P>permit ip host 192.168.4.200 any</P><P>deny ip any any</P><P>I'm still able to ping other machines in subnet 4 from source address 192.168.5.1</P><P>Do you have an idea?</P><P>Regards, Peter</P></BODY></HTML> Wed, 08 Apr 2009 17:44:20 GMT https://community.cisco.com/t5/network-security/routing-local-addresspool-for-ipsec-issue-on-pix506e/m-p/1153645#M861157 pverstegen 2009-04-08T17:44:20Z https://community.cisco.com/t5/network-security/routing-local-addresspool-for-ipsec-issue-on-pix506e/m-p/1153646#M861161 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thanks for the rating. Sorry I'm not sure about the downloadable ACL. However I did see this after a quick search</P><P></P><P><A class="jive-link-custom" href="http://supportwiki.cisco.com/ViewWiki/index.php/Downloadable_ACLs_configured_on_the_Cisco_Secure_ACS_version_4.0_for_Windows_are_unable_to_restrict_access_for_Cisco_VPN_Clients_that_terminate_on_the_PIX_Firewall" target="_blank">http://supportwiki.cisco.com/ViewWiki/index.php/Downloadable_ACLs_configured_on_the_Cisco_Secure_ACS_version_4.0_for_Windows_are_unable_to_restrict_access_for_Cisco_VPN_Clients_that_terminate_on_the_PIX_Firewall</A></P><P></P><P>You will probably get more responses if you post this as a new question (as this thread is marked solved).</P><P></P><P></P><P>Regards</P></BODY></HTML> Thu, 09 Apr 2009 06:45:33 GMT https://community.cisco.com/t5/network-security/routing-local-addresspool-for-ipsec-issue-on-pix506e/m-p/1153646#M861161 JamesLuther 2009-04-09T06:45:33Z