connect internet VPN clients (on pix515e) to internal resources

hanyawad
Level 1

Hi,

I just installed a PIX 515E (IOS ver 6.2) in my network, and the VPN users can connect to it from the internet successfully, but they aren't able to connect to any of the internal resources. Some other information: I configured NATing between the internal network (10.0.0.0/24) and the internet, and another static NAT policy for an internal resource through another public IP address on the outside interface. But right now I need to let the VPN clients connect to my internal resources.

thanks

1 Accepted Solution

Jennifer Halim
Cisco Employee

You would need to configure NAT exemption for the VPN subnet as follows:

Eg:

vpn pool is 192.168.12.0/24
internal subnet is 10.0.0.0/24

access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.12.0 255.255.255.0
nat (inside) 0 access-list nonat

Then "clear xlate" after the above changes. The VPN Client should have access to the internal networks.

If it doesn't, pls kindly share your config.


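As an added illustration (not part of the thread), here is a small Python model of the PIX order of operations behind the answer above: a "nat 0 access-list" exemption is matched before dynamic NAT/PAT, so inside-to-VPN-pool traffic keeps its real source address and the VPN client's reply comes back through the tunnel instead of being sent to the firewall's public address. The config lines, the outside address 203.0.113.1 and the helper names are constructed assumptions; the last check shows how a VPN pool that is not covered by the nonat ACL is caught.

```python
import ipaddress

# Constructed PIX 6.x config lines: the accepted answer's NAT exemption plus
# the PAT rule the asker already had (sample values, not the thread's real config).
PIX_CONFIG = """
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.12.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
global (outside) 1 interface
"""
OUTSIDE_IF = "203.0.113.1"  # placeholder public address of the outside interface

def net(addr, mask):
    # PIX ACLs use real subnet masks, not wildcard masks
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_nat(config):
    """Collect (src, dst) pairs exempted by 'nat 0 access-list' and the
    source networks subject to dynamic NAT/PAT ('nat (inside) N ...')."""
    acls, exempt, dynamic = {}, [], []
    for line in config.strip().splitlines():
        p = line.split()
        if p[0] == "access-list" and p[2:4] == ["permit", "ip"]:
            acls.setdefault(p[1], []).append((net(p[4], p[5]), net(p[6], p[7])))
        elif p[0] == "nat" and p[2] == "0" and p[3] == "access-list":
            exempt.extend(acls.get(p[4], []))
        elif p[0] == "nat" and p[2] != "0":
            dynamic.append(net(p[3], p[4]))
    return exempt, dynamic

def translate(src, dst, exempt, dynamic):
    """PIX order of operations: NAT exemption wins over dynamic NAT/PAT.
    Returns (action, source address the packet leaves the firewall with)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in sn and d in dn for sn, dn in exempt):
        return ("exempt", src)      # real address kept; reply routes back through the tunnel
    if any(s in sn for sn in dynamic):
        return ("pat", OUTSIDE_IF)  # rewritten to the outside interface; VPN client never sees 10.0.0.x
    return ("none", src)

def pool_is_exempt(pool, internal, exempt):
    """Sanity check: the whole VPN pool must be exempt from the internal subnet."""
    pool_net, int_net = net(*pool), net(*internal)
    return any(int_net.subnet_of(sn) and pool_net.subnet_of(dn) for sn, dn in exempt)

if __name__ == "__main__":
    ex, dyn = parse_nat(PIX_CONFIG)
    print(translate("10.0.0.5", "192.168.12.3", ex, dyn))   # exempt: tunnel traffic works
    print(translate("10.0.0.5", "198.51.100.7", ex, dyn))   # pat: ordinary internet traffic
    print(pool_is_exempt(("192.168.1.0", "255.255.255.0"), ("10.0.0.0", "255.255.255.0"), ex))
```

The final call returns False because the pool 192.168.1.0/24 is not the subnet named in the nonat ACL, which is the kind of mismatch to look for when VPN clients connect but cannot reach inside hosts.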
Hi Jennifer,

Thanks for your reply. I've tried what you said with more than one NATing method, and I also tried NAT exemption as you told me above, but unfortunately I'm not able to connect to my internal resources. Below you'll find my running-config; kindly take a look at it and let me know if you have any solution. Thanks again.

Building configuration...
: Saved
:
PIX Version 6.2(4)
nameif ethernet0 inside security100
nameif ethernet1 outside security0
names
name 10.0.0.0 Internal_Network
name 192.168.1.0 VPN_Clients
name 0.0.0.0 any_net
name 10.0.0.x DVR
access-list inside_access_in permit ip any host x.x.x.x
access-list outside_access_in permit ip Internal_Network 255.255.255.0 any
access-list lenda_vpn_splitTunnelAcl permit ip Internal_Network 255.255.255.0 any
access-list splitTunnelAcl permit ip Internal_Network 255.255.255.0 any
access-list nonat permit ip Internal_Network 255.255.255.0 VPN_Clients 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any VPN_Clients 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
ip address inside x.x.x.x x.x.x.x
ip address outside x.x.x.x x.x.x.x
ip audit info action alarm
ip audit attack action alarm
ip local pool Cisco_VPN_192 192.168.1.1-192.168.1.50
ip local pool PPTP_51_100 192.168.1.51-192.168.1.100
ip local pool L2TP_101_150 192.168.1.101-192.168.1.150
pdm location any_net 255.255.255.255 outside
pdm location any_net 255.255.255.255 inside
pdm location VPN_Clients 255.255.255.0 outside
pdm location DVR 255.255.255.255 inside
pdm location VPN_Clients 255.255.255.128 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 Internal_Network 255.255.255.0 dns 0 0
static (inside,outside) 207.x.x.x DVR netmask 255.255.255.255 0 0
access-group outside_access_in in interface inside
access-group inside_access_in in interface outside
route outside any_net any_net 207.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
no sysopt route dnat
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable inside
isakmp enable outside
isakmp key ******** address any_net netmask any_net
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mycompany address-pool Cisco_VPN_192
vpngroup mycompany dns-server 207.x.x.x 207.x.x.x
vpngroup mycompany split-tunnel ezmobile_splitTunnelAcl
vpngroup mycompany idle-time 1800
vpngroup mycompany password ********
vpngroup lenda_vpn address-pool Cisco_VPN_192
vpngroup lenda_vpn dns-server 207.x.x.x 207.x.x.x
vpngroup lenda_vpn split-tunnel lenda_vpn_splitTunnelAcl
vpngroup lenda_vpn idle-time 1800
vpngroup lenda_vpn password ********
vpdn group L2TP_VPN accept dialin l2tp
vpdn group L2TP_VPN ppp authentication chap
vpdn group L2TP_VPN ppp authentication mschap
vpdn group L2TP_VPN client configuration address local L2TP_101_150
vpdn group L2TP_VPN client configuration dns 207.172.x.x 207.172.x.x
vpdn group L2TP_VPN client authentication local
vpdn group L2TP_VPN l2tp tunnel hello 60
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local PPTP_51_100
vpdn group PPTP-VPDN-GROUP client configuration dns 207.172.x.x 207.172.x.x
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username **** password *********
vpdn username **** password *********
vpdn username **** password *********
vpdn enable inside
vpdn enable outside
: end
[OK]

Pls kindly remove the following:

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

Also, is your VPN connection passing through any NAT device? If it is, then ESP, as part of the IPsec protocols, normally can't pass through a NAT device, and only from version 6.3 onwards can you enable NAT-T, which encapsulates ESP in UDP/4500.

Hi Jennifer,

Actually, I tried the VPN connection yesterday with the Cisco VPN client software and I was able to reach my internal resources successfully. But when I try a Microsoft VPN connection from a Windows PC, it does connect successfully but I can't reach the internal resources. Actually, I need both types of VPN connections because not all clients will use the Cisco VPN software.

Thanks, and I look forward to your reply.

Labib

The Microsoft client should also be able to reach your internal resources if you are able to connect with the Cisco VPN client.
