cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7725
Views
0
Helpful
45
Replies

Client connected to remote access VPN but got wrong default gateway

robert.huang
Level 1
Level 1

Hi All,

 

I have been struggling for some days and really need some help here. My PC (192.168.254.x) is on the same vlan with outside interface (192.168.254.171) of my PIX506E. When I launch the Cisco VPN client, my PC shows connected and gets the IP of 10.9.0.150 which is expected. However, it also gets the gateway of 10.9.0.1 which I have no idea where it comes from. Thus my PC can't access any internal  network or external network.

 

I've listed my configuration below and highlighted the part that I typed in. PIX version 7.1(2) is the highest version I can install on PIX506E. Please help. Thanks a lot.

 

pixfirewall# sh run
: Saved
:
PIX Version 7.1(2)
!
hostname pixfirewall
enable password 2KFQnbNIdI.2KYOU encrypted

names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.254.171 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted

boot system flash:/pix712.bin
ftp mode passive
pager lines 24
logging enable
logging timestamp
logging buffered informational
mtu outside 1500
mtu inside 1500
ip local pool ROBERT-POOL 10.9.0.150-10.9.0.160 mask 255.255.255.0
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Robert-GP internal
group-policy Robert-GP attributes
 dns-server value 8.8.8.8
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username robert password yXUoa8oHzS0Ncp2O encrypted
username robert attributes
 vpn-group-policy Robert-GP

aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto dynamic-map DYN1 1 set transform-set MYSET
crypto dynamic-map DYN1 1 set reverse-route
crypto map MYMAP 1 ipsec-isakmp dynamic DYN1
crypto map MYMAP interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp nat-traversal  30
tunnel-group ROBERT-GROUP type ipsec-ra
tunnel-group ROBERT-GROUP general-attributes
 address-pool ROBERT-POOL
 default-group-policy Robert-GP
tunnel-group ROBERT-GROUP ipsec-attributes
 pre-shared-key *

telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
ssl encryption rc4-md5
Cryptochecksum:7157c6095f2abae2aae9e15c1caa81aa
: end
pixfirewall#

45 Replies 45

Remove this line: 

no nat (outside) 1 10.9.0.0 255.255.255.0

Create an ACL.

access-list nat-out extended permit ip 10.9.0.0 255.255.255.0 any

nat (outside) 1 access-list outside-nat outside

 

Obviously your PIX outside is not connected to Internet (on private address) and so I assume that you have another device is natting upsteam before PIX.

 

Let me know, if this helps.

Thanks

Hi Rizwan,

Still doesn't work. Right now the VPN client 10.9.0.151 can't ping internal IP 10.10.10.10, it can't ping the default gateway 192.168.254.1 which is my Linksys router, it can't ping 8.8.8.8. Please see the attachment for show run.

My email is huanghu1968@hotmail.com. Please email me if you need to ssh into my router.

pixfirewall# sh run access-list
access-list nat0 extended permit ip 10.10.10.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list nat-out extended permit ip 10.9.0.0 255.255.255.0 any
access-list nat0-out extended permit ip 10.9.0.0 255.255.255.0 192.168.254.0 255.255.255.0
pixfirewall#
pixfirewall# sh run nat
nat (outside) 0 access-list nat0-out
nat (outside) 1 access-list nat-out outside
nat (inside) 0 access-list nat0
pixfirewall#
pixfirewall# sh run global
global (outside) 1 interface
pixfirewall#

pixfirewall# sh route

S    0.0.0.0 0.0.0.0 [1/0] via 192.168.254.1, outside
S    10.9.0.151 255.255.255.255 [1/0] via 192.168.254.111, outside
C    10.10.10.0 255.255.255.0 is directly connected, inside
C    192.168.254.0 255.255.255.0 is directly connected, outside
pixfirewall#

pixfirewall# sh crypto ipsec sa
interface: outside
    Crypto map tag: DYN1, seq num: 1, local addr: 192.168.254.171

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.9.0.151/255.255.255.255/0/0)
      current_peer: 192.168.254.111, username: robert
      dynamic allocated peer ip: 10.9.0.151

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 149, #pkts decrypt: 149, #pkts verify: 149
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.254.171, remote crypto endpt.: 192.168.254.111

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 92483F0A

    inbound esp sas:
      spi: 0x61CE7883 (1640921219)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 2, crypto-map: DYN1
         sa timing: remaining key lifetime (sec): 28365
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x92483F0A (2454208266)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 2, crypto-map: DYN1
         sa timing: remaining key lifetime (sec): 28360
         IV size: 8 bytes
         replay detection support: Y

pixfirewall#

Hi Robert,

 

In order for your PIX firewall to be a VPN server just like the way you want it to function your pix firewall must be connected to Internet directly the reason for that is because your Linksys device will not forward traffic coming on protocol esp and ah to your PIX.

 

If your Linksys can forward traffic on protocol esp and ah then you have to set you PIX outside interface to be a dhcp client for your Linksys router and you might be able reserve an IP address off the Linksys for PIX.

 

Remove "no ip address 192.168.254.171 255.255.255.0" on your outside interface.


interface Ethernet0
 nameif outside
 security-level 0
 no ip address 192.168.254.171 255.255.255.0
 ip address dhcp setroute

 

You might want to address a second permit line on nat0-out as well.

access-list nat0-out extended permit ip 10.9.0.0 255.255.255.0 192.168.254.0 255.255.255.0 
access-list nat0-out extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0 

 

Hope this helps.

Thanks

 

 

 

OK. Iet's figure out how I can allow my VPN client (original IP: 192.168.254.111, vpn IP: 10.9.0.151) to ping the default GW 192.168.254.1 and 8.8.8.8 first. I tried everything you told me but couldn't get it work. Please help. There is no problem for my VPN IP to access the internal subnet 10.10.10.0/24.

pixfirewall# sh run access-list
access-list nat0 extended permit ip 10.10.10.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list nat-out extended permit ip 10.9.0.0 255.255.255.0 any
access-list nat0-out extended permit ip 10.9.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nat0-out extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
pixfirewall#
pixfirewall# sh run nat
nat (outside) 0 access-list nat0-out
nat (outside) 1 access-list nat-out outside
nat (inside) 0 access-list nat0
pixfirewall#
pixfirewall# sh run global
global (outside) 1 interface
pixfirewall# sh route

S    0.0.0.0 0.0.0.0 [1/0] via 192.168.254.1, outside
S    10.9.0.151 255.255.255.255 [1/0] via 192.168.254.111, outside
C    10.10.10.0 255.255.255.0 is directly connected, inside
C    192.168.254.0 255.255.255.0 is directly connected, outside
pixfirewall#

Remove this line.

no isakmp nat-traversal  30

 

interface Ethernet0
 nameif outside
 security-level 0
 no ip address 192.168.254.171 255.255.255.0
 ip address dhcp setroute

 

Add second entry to your PIX.

access-list nat0-out extended permit ip 10.9.0.0 255.255.255.0 192.168.254.0 255.255.255.0 

access-list nat0-out extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0 

Just tried. Still not working. VPN 10.9.0.151 can't ping 10.10.10.10 or 192.168.254.1. FYI, the two access-list entried are already on the PIX.

pixfirewall# sh ip         
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0                outside                192.168.254.171 255.255.255.0   DHCP 
Ethernet1                inside                 10.10.10.1      255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0                outside                192.168.254.171 255.255.255.0   DHCP 
Ethernet1                inside                 10.10.10.1      255.255.255.0   manual
pixfirewall#
pixfirewall#
pixfirewall# sh run access-list
access-list nat0 extended permit ip 10.10.10.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list nat-out extended permit ip 10.9.0.0 255.255.255.0 any
access-list nat0-out extended permit ip 10.9.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nat0-out extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
pixfirewall#
pixfirewall# sh run nat
nat (outside) 0 access-list nat0-out
nat (outside) 1 access-list nat-out outside
nat (inside) 0 access-list nat0
pixfirewall#
pixfirewall# sh run global
global (outside) 1 interface
pixfirewall#
pixfirewall#
pixfirewall# sh run int e0
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute
pixfirewall#
pixfirewall# sh int e0
Interface Ethernet0 "outside", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address 0017.9514.62b1, MTU 1500
        IP address 192.168.254.171, subnet mask 255.255.255.0
        602578 packets input, 83627580 bytes, 0 no buffer
        Received 595356 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        16972 packets output, 3822692 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/17)
        output queue (curr/max blocks): hardware (0/4) software (0/1)
  Traffic Statistics for "outside":
        625342 packets input, 70409495 bytes
        23792 packets output, 3375506 bytes
        586816 packets dropped
pixfirewall#
pixfirewall# sh route

S    0.0.0.0 0.0.0.0 [1/0] via 192.168.254.1, outside
S    10.9.0.151 255.255.255.255 [1/0] via 192.168.254.111, outside
C    10.10.10.0 255.255.255.0 is directly connected, inside
C    192.168.254.0 255.255.255.0 is directly connected, outside

pixfirewall# sh cryp ipsec sa
interface: outside
    Crypto map tag: DYN1, seq num: 1, local addr: 192.168.254.171

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.9.0.151/255.255.255.255/0/0)
      current_peer: 192.168.254.111, username: robert
      dynamic allocated peer ip: 10.9.0.151

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 163, #pkts decrypt: 163, #pkts verify: 163
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.254.171, remote crypto endpt.: 192.168.254.111

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: E36E5D9A

    inbound esp sas:
      spi: 0x5F8363E6 (1602446310)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 2, crypto-map: DYN1
         sa timing: remaining key lifetime (sec): 28309
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xE36E5D9A (3815660954)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 2, crypto-map: DYN1
         sa timing: remaining key lifetime (sec): 28305
         IV size: 8 bytes
         replay detection support: Y

pixfirewall#

Try this.

 

sorry keep this line and please add a static route on the Linksys router to push 10.9.0.0 255.255.255.0 to pix inside address.

 

Keep this line.

nat (outside) 0 access-list nat0-out

 

This should work.

thanks

 

 

I'd like to confirm with you for adding a static route on the Linksys router to push 10.9.0.0 255.255.255.0 to pix inside addres 10.10.10.1. Is it not to PIX outside interface 192.168.254.171.

I originally add a static route on the Linksys router (flashed with Tomato) to point 10.9.0.0/25 to PIX outside interface 192.168.254.171.

Anyway, it doesn't matter for inside or outside interface. None of them is working.

Below is the routing table on my linksys router when pointing 10.9.0.0/25 to PIX inside interface 10.10.10.1. You can see the static route is not showing up.

root@Robert:/tmp/home/root# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
173.230.174.65  0.0.0.0         255.255.255.255 UH    0      0        0 vlan2
173.230.174.64  0.0.0.0         255.255.255.224 U     0      0        0 vlan2
10.10.10.0      192.168.254.171 255.255.255.0   UG    10     0        0 br0
10.8.0.0        192.168.254.170 255.255.255.0   UG    10     0        0 br0
192.168.254.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         173.230.174.65  0.0.0.0         UG    0      0        0 vlan2
root@Robert:/tmp/home/root#

Below is the routing table on my linksys router when pointing 10.9.0.0/25 to PIX outside interface 192.168.254.171.

root@Robert:/tmp/home/root# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
173.230.174.65  0.0.0.0         255.255.255.255 UH    0      0        0 vlan2
173.230.174.64  0.0.0.0         255.255.255.224 U     0      0        0 vlan2
10.10.10.0      192.168.254.171 255.255.255.0   UG    10     0        0 br0
10.9.0.0        192.168.254.171 255.255.255.0   UG    10     0        0 br0
10.8.0.0        192.168.254.170 255.255.255.0   UG    10     0        0 br0
192.168.254.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         173.230.174.65  0.0.0.0         UG    0      0        0 vlan2
root@Robert:/tmp/home/root#

Sorry it was a typo, it should be pushing the route to PIX's outside interface.

I assume, PIX's outside interface connected to Linksys switch and PC you are using connected Linksys?

route 10.9.0.0 255.255.255.0 192.168.254.171

After adding the static route to PIX's outside.

try and let show crytop ipsec sa.

 

thanks

That static route which pointing to PIX outside has always been there. Please see my previous post. Unfortunately my VPN IP couldn't access Internal subnet(10.10.10.0/24), outside subnet(192.168.254.0/24) and Internet.

I attached the latest show run again.

Below is the show crypto ipsec sa when my client 10.9.0.151 trying to ping both 192.168.254.1 and 8.8.8.8.

pixfirewall# sh crypto ipsec sa
interface: outside
    Crypto map tag: DYN1, seq num: 1, local addr: 192.168.254.171

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.9.0.151/255.255.255.255/0/0)
      current_peer: 192.168.254.111, username: robert
      dynamic allocated peer ip: 10.9.0.151

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 66, #pkts decrypt: 66, #pkts verify: 66
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.254.171, remote crypto endpt.: 192.168.254.111

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: C0CBAADD

    inbound esp sas:
      spi: 0xC31B73C8 (3273356232)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 2, crypto-map: DYN1
         sa timing: remaining key lifetime (sec): 28691
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xC0CBAADD (3234573021)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 2, crypto-map: DYN1
         sa timing: remaining key lifetime (sec): 28689
         IV size: 8 bytes
         replay detection support: Y

pixfirewall#

Only reason I can think of, why remote-in vpn-client cannot access in the Internet is because there maybe missing dynamic on the Linksys device to public address.

- - - - - -- - - - - - - - - - - - - - -- - -- - 

 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
 #pkts decaps: 163, #pkts decrypt: 163, #pkts verify: 163

- - - - - -- - - - - - - - - - - - - - -- - -- - 

Second point.

According these two lines above, your PIX is decryption the traffic coming in from remote-in client, but there is no return traffic is coming back from PIX's gateway address and from inside address as well to remove-in client.

 

Lets add this permit line on your PIX along with a new ACL.

access-list outside-in extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0

access-group outside-in in interface outside

 

thanks

I just added the new ACL and it didn't help.

To eliminate Internet issue, let's focus on the PIX outside subnet 192.168.254.0/24. I have more than 20 hosts on this subnet. Once I vpn'ed in, I can't ping any host. That indicates I have no access to th outside network.

Once my vpn IP can ping the outside subnet, I believe it can ping the internet IP like 8.8.8.8 as well.

did you disconnect from the vpn session after adding the new ACL to outside interface and try it again ?

 

disconnect from vpn session and try again and if does not work apply this line.

 

same-security-traffic permit intra-interface

 

show crytop ipsec sa.

Please post this output.

thanks

 

 

Yes, I disconnect VPN session first every time before I try the new command.

Great progress! Once I added "same-security-traffic permit intra-interface", my VPN client can ping outside subnet 192.168.254.0/24 and any public IP. However, I cannot ping the inside IP 10.10.10.0/24.

pixfirewall# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0                outside                192.168.254.171 255.255.255.0   DHCP 
Ethernet1                inside                 10.10.10.1      255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0                outside                192.168.254.171 255.255.255.0   DHCP 
Ethernet1                inside                 10.10.10.1      255.255.255.0   manual
pixfirewall#
pixfirewall#
pixfirewall# sh run access-list
access-list nat0 extended permit ip 10.10.10.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list nat-out extended permit ip 10.9.0.0 255.255.255.0 any
access-list nat0-out extended permit ip 10.9.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nat0-out extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list outside-in extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
pixfirewall#
pixfirewall# sh run nat
nat (outside) 0 access-list nat0-out
nat (outside) 1 access-list nat-out outside
nat (inside) 0 access-list nat0
pixfirewall#
pixfirewall# sh run global
global (outside) 1 interface
pixfirewall#
pixfirewall# sh run access-group
access-group outside-in in interface outside
pixfirewall#

 

pixfirewall# sh run
: Saved
:
PIX Version 7.1(2)
!
hostname pixfirewall
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/pix712.bin
ftp mode passive
same-security-traffic permit intra-interface
access-list nat0 extended permit ip 10.10.10.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list nat-out extended permit ip 10.9.0.0 255.255.255.0 any
access-list nat0-out extended permit ip 10.9.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nat0-out extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list outside-in extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered informational
mtu outside 1500
mtu inside 1500
ip local pool ROBERT-POOL 10.9.0.150-10.9.0.160 mask 255.255.255.0
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list nat0-out
nat (outside) 1 access-list nat-out outside
nat (inside) 0 access-list nat0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Robert-GP internal
group-policy Robert-GP attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username robert password yXUoa8oHzS0Ncp2O encrypted
username robert attributes
 vpn-group-policy Robert-GP
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto dynamic-map DYN1 1 set transform-set MYSET
crypto map MYMAP 1 ipsec-isakmp dynamic DYN1
crypto map MYMAP interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
tunnel-group ROBERT-GROUP type ipsec-ra
tunnel-group ROBERT-GROUP general-attributes
 address-pool ROBERT-POOL
 default-group-policy Robert-GP
tunnel-group ROBERT-GROUP ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
  inspect icmp
!
service-policy global_policy global
ssl encryption rc4-md5
Cryptochecksum:7351e447f85b5948361b649183a9c53d
: end
pixfirewall#

Try this line.

same-security-traffic permit inter-interface

 

Check inside host's the default gateway is point back to inside ip address of PIX.