Showing results for 
Search instead for 
Did you mean: 

VPN site-to-site and remote clients (Crypto Map)

I have remote vpn clients that can connect with my PIX 515. Works Great!

I need to create a site to site VPN between my Pix and a Linksys.

When I created the tunnel between the sites ,the remote site could access the files, drawing and Database on my net that they needed.

BUT my remote vpn clients could not get in.

I shut down the site to site and reloaded the pix and restored the prev config.

BTW the following config is not the config I tested when the Remote VPN's

could not connect.

I would like to be able to have both site-to-site vpn and remote vpn clients

on the same interface of the Pix running simultaeously.

MY Questions are...

What does this statement from the Output Interpreter mean?

WARNING: (VPN) There are 'crypto map {map_name} {seq_num} match

address' access-lists defined that are not covered by 'nat 0' access-list '101':

TRY THIS: Ensure that NAT is disabled for IPsec traffic, as

defined by crypto map access-lists.

How do I correct it?


Does the following crypto map appear to be correct for what I would like to


Following is the pertinent parts of the config that I sent through the Output Interpreter:

PIX Version 6.1(1)



Content edited



access-list 101 permit ip any 192. X. X .0

access-list 101 permit ip 10. X. X .0 38.X.X.0


nat (inside) 0 access-list 101

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set des-set esp-des esp-md5-hmac

crypto dynamic-map ciscoclient 4 set transform-set des-set

crypto map staticmap 20 ipsec-isakmp dynamic ciscoclient

crypto map staticmap 15 ipsec-isakmp

crypto map staticmap 15 match address 101

crypto map staticmap 15 set peer 12 . X . X . X (same address as below)

crypto map staticmap 15 set transform-set des-set

crypto map staticmap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 86400

isakmp key *******address 12.X.X.X netmask

isakmp policy 100 authentication pre-share

isakmp policy 100 encryption des

isakmp policy 100 hash md5

isakmp policy 100 group 2

isakmp policy 100 lifetime 5000

I am running this config through the Output Interpreter to glean as many errors as I can before putting it on the production Firewall.

One other Item... I changed the second line in ACL 101 to 102 and

then changed the ACL that the crypto map refers to 102 and got pretty much the same Warning.





Sounds like the config you applied somehow stopped the NAT (0) for your VPN clients ip range working.

I've had PIX to Cisco VPN client working at same time as a VPN to an IOS router. Are you using the Cisco 3.x or 4.x client?

Content for Community-Ad