Remote Access VPN on PIX506E

I have a simple Remote Access VPN setup on a PIX506E. Cisco Secure VPN Client can establish an IPSec VPN tunnel on the outside interface of the PIX and obtain an IP address from the VPN address pool.

The remote VPN client is unable to access any resources on the inside or outside network, i.e. it cannot ping, www, telnet or ftp etc. to any hosts on the inside network. This appears to be a static route issue or access control list problem. Could anyone shed any light?

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx
passwd xxxxx
hostname pixfirewall
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list outside_access_in permit ip host 195.x.x.100 host
access-list outside_access_in permit ip host
access-list outside_access_in permit ip host
access-list outside_access_in permit ip host any
access-list outside_access_in permit tcp any host eq https
access-list outside_access_in permit tcp any host eq www
access-list outside_access_in permit ip any
pager lines 24
logging timestamp
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 202.x.x.x.x.255.248
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool xxxxvpnpool
pdm history enable
arp timeout 14400
global (outside) 1
nat (inside) 1 0 0
nat (inside) 1 0 0
nat (inside) 1 0 0
static (inside,outside) 202.x.x.x.0.0.101 netmask 0 0
access-group outside_access_in in interface outside
route outside 1
route outside 80.177.x.x.x.x.0 1
route outside 194.23.x.x.x.255.0 1
route outside 195.38.xx.x.x.255 1
route outside 199.0.0.x.x.x.x.44.187.5 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server source outside prefer
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup abcsvpn address-pool xxxxvpnpool
vpngroup abcsvpn dns-server
vpngroup abcsvpn default-domain
vpngroup abcsvpn idle-time 1800
vpngroup abcsvpn password xxxxx
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns 202.44.x.x.x.170.22
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside



You need to add an access-list:

access-list 101 permit ip (inside IP address range) (IP local pool)

Similarly, do a nonat for this access-list, e.g.:

nat (inside) 0 access-list 101
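The reply above gives the fix in outline. The fragment below is an added example in PIX 6.3 syntax, written for this thread and not taken from the original post, that puts those two lines in context with the rest of the configuration shown above. The inside subnet 192.168.1.0/24, the pool range 192.168.10.1-192.168.10.50 and the ACL names nonat and split_tunnel are assumptions; substitute the real inside range and the range actually assigned to xxxxvpnpool.

```cisco
! Assumed addressing (example values, not from the original post):
!   inside LAN       192.168.1.0/24
!   VPN address pool 192.168.10.1-192.168.10.50  (pool name as in the post)
! The pool must be a separate subnet that does not overlap the inside LAN.
ip local pool xxxxvpnpool 192.168.10.1-192.168.10.50

! 1. Traffic between the LAN and the pool must keep its real addresses.
!    Source is the inside network, destination is the pool.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

! 2. NAT exemption. "nat 0 access-list" is matched before "nat (inside) 1 0 0",
!    so replies from LAN hosts to VPN clients are no longer PATed to the
!    global (outside) address and can be routed back into the tunnel.
nat (inside) 0 access-list nonat

! 3. Split tunnelling (optional but recommended). Only traffic to the LAN is
!    sent through the tunnel; the client reaches the Internet directly.
!    The same ACL can be reused because it describes the same networks.
access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
vpngroup abcsvpn split-tunnel split_tunnel

! 4. Already present in the posted config: decrypted IPsec traffic bypasses the
!    outside_access_in ACL, so no entry for the pool is needed in that ACL.
sysopt connection permit-ipsec
```

Two points worth checking when applying this. First, without split tunnelling the client sends all of its traffic, including Internet-bound traffic, into the tunnel, and PIX 6.3 cannot send that traffic back out the same outside interface it arrived on, so "outside" access from the client fails even once the LAN is reachable; the split-tunnel ACL avoids that. Second, verify the exemption is actually hit: after a client pings a LAN host, show access-list nonat should show a non-zero hit count, and in show crypto ipsec sa the pkts decaps counter should be matched by a rising pkts encaps counter. Decaps rising with encaps staying at zero means return traffic is still being translated or routed elsewhere, which is exactly the symptom described in the question.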


