ADSL SOHO VPN Client behind PIX to Office VPN PIX 515 (vice versa) Problem

Hi there,

I'm using the latest Cisco VPN Client (behind a PIX 501) trying to connect to a remote office using a PIX 515. I'm unable to get an outside connection even though

access-list pix_out permit udp host any eq isakmp

Because we're an unrelated company and I'm only a client, neither PIX is configured for a Site-to-Site VPN.

Is there any other command on myside I need to use in order to connect to the PIX VPN site?

Thanks in advance.

[Network diagram: ADSL SOHO site (one external static IP) with the VPN client behind the PIX 501 and an ADSL modem/router, connected across the Internet to the office's Cisco router and PIX 515; the inside and outside address of each device was shown. IP addresses used are for example only.]


Your issue may be due to NAT/PAT failure of the IPsec VPN session originating on the client. Ask the partner network if their PIX 515 can accept IPsec via NAT-T, which will use UDP port 4500 as well as port 500. If not, then you will need to do a static NAT xlate for your client, which may not be possible due to how many public/routable addresses were assigned to you. Using NAT-T is the better option; the PIX command is isakmp nat-traversal.

On your side, all you need to do is to reconfigure the client to use NAT traversal (aka NAT-T using UDP). Then on your PIX allow the client to connect to the remote end on dest. port 4500 (as well as dest. port 500). You can continue to use NAT/PAT for your client, as the IKE negotiation will determine that there is a NAT/PAT device between the two IPsec VPN peers.

Let me know how it proceeds from here.
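The mechanism the reply above relies on ("the IKE negotiation will determine that there is a NAT/PAT device between the two peers"), as an added example that is not part of the thread and is written in Python rather than PIX configuration so it can be run: the NAT-D payloads of RFC 3947, which each IKE peer builds from the addresses it can see and which therefore stop matching once a PAT device has rewritten the client's source address. The client, PAT and office addresses, the ports and the IKE cookies are constructed for illustration; the hash is MD5 because that is what the PIX ISAKMP policy in this thread negotiates.

```python
"""Added example (not from the thread): how IKE NAT traversal (RFC 3947)
lets two IPsec peers notice a NAT/PAT device between them and float from
UDP/500 to UDP/4500.  Addresses, ports and IKE cookies are constructed."""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "md5") -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), using the hash
    negotiated in IKE phase 1.  IP is the packed 4-byte address and Port is
    2 bytes, both in network byte order."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d(cky_i, cky_r, local_ip, local_port, peer_ip, peer_port, hash_name="md5"):
    """A peer sends two NAT-D payloads: first the address/port it sees for
    its peer, then its own address/port as it sees it locally."""
    return [
        nat_d_hash(cky_i, cky_r, peer_ip, peer_port, hash_name),
        nat_d_hash(cky_i, cky_r, local_ip, local_port, hash_name),
    ]


def check_nat_d(received, cky_i, cky_r, local_ip, local_port, seen_peer_ip, seen_peer_port, hash_name="md5"):
    """Recompute both hashes from what this host actually observes.  If the
    peer's idea of *our* address differs from our own, something rewrote our
    packets before they arrived (NAT in front of us).  If the peer's idea of
    *its* address differs from the source we see on the wire, there is a NAT
    in front of the peer."""
    return {
        "nat_before_me": received[0] != nat_d_hash(cky_i, cky_r, local_ip, local_port, hash_name),
        "nat_before_peer": received[1] != nat_d_hash(cky_i, cky_r, seen_peer_ip, seen_peer_port, hash_name),
    }


def simulate(client_inside=("192.168.1.10", 500),      # VPN client behind the PIX 501 (constructed)
             client_as_seen=("203.0.113.5", 49123),    # same client after PAT on the PIX 501 (constructed)
             office=("198.51.100.20", 500),            # office PIX 515 outside address (constructed)
             hash_name="md5"):
    """Run one phase-1 NAT-D exchange and report what each side concludes."""
    cky_i = bytes.fromhex("0011223344556677")  # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie

    # Initiator (the client) hashes the only addresses it knows: its private
    # address and the office peer.  The PIX 501 then PATs the packet, so the
    # office sees client_as_seen as the source.
    client_sends = build_nat_d(cky_i, cky_r, *client_inside, *office, hash_name)
    office_view = check_nat_d(client_sends, cky_i, cky_r, *office, *client_as_seen, hash_name)

    # Responder (the office PIX 515) answers with hashes of what *it* sees:
    # the PAT address for the client, and its own outside address.
    office_sends = build_nat_d(cky_i, cky_r, *office, *client_as_seen, hash_name)
    client_view = check_nat_d(office_sends, cky_i, cky_r, *client_inside, *office, hash_name)

    nat_detected = any(office_view.values()) or any(client_view.values())
    return {
        "office_view": office_view,
        "client_view": client_view,
        # With a NAT in the path both peers move IKE to UDP/4500 and carry ESP
        # inside UDP/4500 as well (RFC 3948), which a PAT device can translate.
        # Raw ESP (IP protocol 50) has no ports and generally cannot be PAT'd.
        "ike_port_after_phase1": 4500 if nat_detected else 500,
        "esp_carrier": "UDP/4500" if nat_detected else "IP protocol 50",
    }


if __name__ == "__main__":
    print(simulate())
    # Same client with a public address and no PAT: nothing is detected, IKE stays on UDP/500.
    print(simulate(client_inside=("203.0.113.5", 500), client_as_seen=("203.0.113.5", 500)))
```

Running it shows why the reply asks for outbound UDP/4500 as well as UDP/500 on the home PIX: after the mismatch both sides move to 4500, and the ESP traffic itself is then wrapped in UDP so the PIX 501's PAT can translate it. Without NAT-T the tunnel would have to carry raw ESP, which carries no port numbers for PAT to work on.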

Hi there,

Thanks for your reply. There's good news and bad news.

I can connect using vpn client from myside to PIX 515. Good news!

However, when I connect to my end PIX 501 via VPN client it says Secure VPN Connection terminated locally by the client. Reason 412.

I'm using a Laptop with modem dial-up and no Firewall.

Is there anything I should look out for?



Hi Fred:

I guess you should ask the company to enable the split-tunneling on the VPN concentrator.

Hi, the PIX 501 is for my home use and this is my config:

access-list inside_outbound_nat0_acl permit ip any
access-list outside_cryptomap_dyn_20 permit ip any
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Dmouth address-pool bromley
vpngroup Dmouth dns-server Briscoe
vpngroup Dmouth default-domain Test.COM
vpngroup Dmouth idle-time 1800
vpngroup Tenfore-VPN split-tunnel inside_outbound_nat0_acl
vpngroup Dmouth password ***********

Is this config ok?


Your config looks good, been busy with the PDM eh! :)

Just one thing, I presume you've not included the ras pool command on your post?

> ip local pool raspool


Yes, that's included in my config.

ip local pool raspool

What else I might be doing wrong?

Thanks for your reply.
