Dial Up VPN Question.

support-tech
Level 1

I have a simple VPDN setup on a remote Pix; the problem I am encountering is this:

If I run the VPN client from a laptop that is connected on my local LAN, I get connected to the remote Pix via the client but cannot seem to ping anything on the remote LAN via the VPN client. I do get issued the IP address and DNS/WINS address from the remote Pix for the VPN client.

This is the setup:

local laptop with vpn client <--> switch <--> Pix <-- Internet <--> Remote Pix <--> switch <-->Remote Lan

Can someone please suggest what I need to configure so that I can use the VPN client whilst I am connected on my local LAN, or is this not possible?

Thanks very much for any help/suggestions.

7 Replies

steven.wilson
Level 1

The following lines may be needed on your PIX to allow the pool of addresses that is being given out by your PIX to the clients.

access-list 110 permit ip inside-network 255.255.255.0 172.16.1.0 255.255.255.0

ip local pool home 172.16.1.1-172.16.1.100

global (outside) 1 interface

nat (inside) 0 access-list 110

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

The addresses may not match your configuration, but you need to tell the PIX not to NAT traffic from the inside network to the pool of addresses used for the clients.

Also ensure that any network devices on the inside have a route to the address pool.

Cheers,

Steve

Steve,

Thanks for the reply, but I thought of what you suggested and it doesn't work!

Let me try to clarify my problem:

I have a Cisco VPN client on my PC. My PC is connected to my private LAN with, say, PC IP 10.0.9.10/24 and default gateway set to the inside interface of the pix, say, 10.0.9.11/24.

I connect to the internet via ADSL with no problems. Now, when I run the VPN client from my PC to connect to a remote pix, it connects fine, and if I issue ipconfig /all on my PC, I can see that the remote pix has issued the VPN client an IP address from its IP pool for the VPN client, and I can also see my own assigned IP address and default gateway IP address (10.0.9.10/24 and 10.0.9.11/24).

The problem I'm encountering is that I cannot ping anything on the other side of the VPN client IP pool address. For instance, if the remote pix issues an IP address from its local IP pool, say, 192.168.1.1, I cannot ping anything on the remote LAN side, but the VPN client has connected and authenticated fine with the remote pix!

So, my question is where am I going wrong and can this be achieved?

Any help/assistance on this will be very much appreciated.

Thanks.

If you can connect to the remote PIX when not connected to your home LAN, the problem is there. If the problem exists with all incoming VPN connections then the problem is with remote PIX. If you can get internet access without going through your local PIX, test the VPN connection. If it works there you have a local problem.

If you are behind a firewall in the first case, that may be the problem. It could also be the setup of the VPN Client on the PC or the actual PC. Try to connect a VPN Client to the remote PIX through some other way to test your whole situation.

Cheers,

Steve

Steve,

If I disconnect from my LAN and use modem dial-up with the VPN client, it works fine. But as I said before, I would like to use the VPN client to connect to remote LANs from my LAN.

I set up debug on my LAN pix, and when I ran the VPN client from my inside LAN the following was issued by my pix:

305006: portmap translation creation failed for protocol 50 src inside:x.x.x.x dst outside:x.x.x.x

My setup as follows:

MyPC (with vpn client) <---> switch <---> pix <--> internet <--> remote_pix <--> switch <--> remote_LAN

Can anyone please help me out on this or give some solution/workaround.

Thank you very much.

The following suggestion is from another question in the VPN Security forum. Listed as VPN access to another network. The answer is from someone called Trevor Stanley. Looks good to me and it makes sense too. Your local PIX gives you internet access, so try to give your specific inside address a specific NATTED outside address.

To VPN through a pix from the LAN, the PC will require a static public address on the pix at your end. Then allow ESP back to this public address, e.g.

access-list outside-in permit esp any host aaa.bbb.ccc.1

static (inside,outside) aaa.bbb.ccc.1 10.0.9.10

Cheers,

Steve.

Steve,

Tried your suggestion BUT that didn't work! It actually stopped the VPN client from authenticating.

So I took your suggestion off and went back to where I was before.

All I want to do is to be able to use the VPN client to connect to a remote pix when I'm on my LAN, which it does, BUT I cannot ping anything on the remote side via the VPN client connection. BUT if I drop my LAN and dial up on my modem, I can connect to the remote pix and also ping any address on the remote side.

CAN ANY ONE ELSE PLEASE HELP ME OUT ON THIS AS THIS IS VERY IMPORTANT.

Many thanks in advance.

As your client traffic is being NAT'd by your own PIX, IPSec doesn't work unless the remote PIX supports NAT-T.

Make sure NAT traversal is turned on in the remote PIX:

isakmp nat-traversal 30

Hope this helps.
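As an added example (not from this thread and not Cisco's code), a small script that pulls the 305006 message quoted earlier in the thread out of PIX syslog, counts the ESP (protocol 50) failures per client, and checks whether the same client ever got a UDP/4500 translation, which is what appears once NAT-T is negotiated as the last reply suggests. The log lines and addresses are constructed; the check also generalizes to the other port-less protocols (AH, GRE) that fail through PAT for the same reason.

```python
import re
from collections import defaultdict

# Constructed sample PIX syslog lines (documentation addresses, not from the thread).
# 305006 is the message id the thread quotes; 305011 is the PIX "built translation" message.
SAMPLE_LOG = """\
%PIX-3-305006: portmap translation creation failed for protocol 50 src inside:10.0.9.10 dst outside:203.0.113.5
%PIX-3-305006: portmap translation creation failed for protocol 50 src inside:10.0.9.10 dst outside:203.0.113.5
%PIX-3-305006: portmap translation creation failed for protocol 50 src inside:10.0.9.22 dst outside:203.0.113.5
%PIX-6-305011: Built dynamic UDP translation from inside:10.0.9.22/4500 to outside:198.51.100.2/1025
%PIX-3-305006: portmap translation creation failed for protocol 47 src inside:10.0.9.30 dst outside:203.0.113.9
"""

# IP protocols with no port field: PAT (one shared global address) cannot multiplex them.
# 50 (ESP) is the case in the thread; 51 (AH) and 47 (GRE) fail the same way.
PORTLESS_PROTOCOLS = {50: "ESP", 51: "AH", 47: "GRE"}

_FAIL = re.compile(
    r"305006: portmap translation creation failed for protocol (?P<proto>\d+) "
    r"src \w+:(?P<src>[\d.]+) dst \w+:(?P<dst>[\d.]+)"
)
# A UDP/4500 xlate for the client means IKE detected NAT and ESP is now UDP-encapsulated.
_NATT = re.compile(r"305011: Built dynamic UDP translation from \w+:(?P<src>[\d.]+)/4500 ")


def analyse(log_text):
    """Group 305006 failures by (src, dst, protocol) and flag whether NAT-T was seen."""
    failures = defaultdict(int)
    natt_sources = set()
    for line in log_text.splitlines():
        m = _FAIL.search(line)
        if m:
            failures[(m["src"], m["dst"], int(m["proto"]))] += 1
            continue
        m = _NATT.search(line)
        if m:
            natt_sources.add(m["src"])
    findings = []
    for (src, dst, proto), count in sorted(failures.items()):
        findings.append({
            "src": src, "dst": dst, "count": count,
            "protocol": PORTLESS_PROTOCOLS.get(proto, f"proto {proto}"),
            # natt_seen False with ESP failures is the thread's symptom: enable NAT-T on the peer.
            "natt_seen": src in natt_sources,
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```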