client vpn Cisco pix 501

I wonder and wonder, is it possible for a branch (2 vpn clients) to connect to the central location (cisco 501 pix) at the same time via the vpn client with a public address on each side. If this is not the case, what will be the way to make it work without additional equipment (another pix of cisco).

Yes you can, you should check your os 6.3 a pix and you enable nat-transapency: -.

ISAKMP nat-traversal 20

Tags: Cisco Security

Similar Questions

Several sessions the client VPN Cisco PIX (v.7.2)

When we are connect to the PIX from our local supplier (all sessions have an address using a NAT) all sessions are connected, but first of all runs successfully, others are connected only but for example without routing.

Thanks for the help in advance.

J.

It looks like NAT traversal issue

You can try to order

Crypto isakmp nat-traversal 20

on pix

M.

Hope that helps the rate if it isn't

Cisco PIX 501 to Cisco 3005 concentrator via remote access

Hello people,

I need your help.

We got a Cisco PIX 501 in one place and this pix is configured for pppoe connection. The pix connects to internet via the pppoe client. an official ip address ping works well.

So what I want to do is to establish a tunnel von between this pix and a cisco 3005 concentrator.

But I failed to establish it.

Here are the pix config. the acl? s are only for the test and will be replaced if it works.

6.3 (4) version PIX

interface ethernet0 10baset

interface ethernet1 100full

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

activate the password xxx

passwd xxx

hostname PIX - to THE

domain araukraine.ua

fixup protocol dns-length maximum 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol they 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol 2000 skinny

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names of

outside ip access list allow a whole

inside_access_in ip access list allow a whole

pager lines 24

opening of session

Monitor logging warnings

logging warnings put in buffered memory

MTU outside 1456

MTU inside 1456

IP address outside pppoe setroute

IP address inside 192.168.x.x 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

PDM location 192.168.x.x 255.255.255.224 inside

forest warnings of PDM 500

history of PDM activate

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

outside access-group in external interface

inside_access_in access to the interface inside group

Timeout xlate 0:05:00

Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

AAA-server GANYMEDE + 3 max-failed-attempts

AAA-server GANYMEDE + deadtime 10

RADIUS Protocol RADIUS AAA server

AAA-server RADIUS 3 max-failed-attempts

AAA-RADIUS deadtime 10 Server

AAA-server local LOCAL Protocol

the ssh LOCAL console AAA authentication

Enable http server

255.255.x.x 192.168.x.x http inside

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

255.255.x.x telnet inside 192.168.x.x

Telnet timeout 5

SSH 194.39.97.0 255.255.255.0 outside

SSH timeout 5

management-access inside

Console timeout 0

VPDN group pppoe_group request dialout pppoe

VPDN group pppoe_group localname [email protected] / * /

VPDN group ppp authentication pap pppoe_group

VPDN username [email protected] / * / password *.

encrypted privilege 15

vpnclient Server 212.xx.xx.xx

vpnclient mode network-extension-mode

vpntest vpngroup vpnclient password *.

vpnclient username pixtest password *.

Terminal width 80

the hub, I created a user pixtest, a group vpntest and I? ve created the rules of the network for example to what server, users behind the pix will be able to access.

And that? s all.

I couldn't send you exit pix or hub because I don't have an error or a message that the tunnel will be established.

What can be wrong?

Thanks for the replies

This configuration example shows how to create an IPsec tunnel to a computer that is running the Client VPN Cisco's (4.x and later versions) to a Cisco VPN concentrator 3000 to allow the user to safely access the network inside the VPN concentrator.

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml

Connectivity random Cisco Pix 501

Hello. I'm having some trouble with my CISCO PIX 501 Setup.

A few months I started having random disconnects on my network (from inside to outside). The machines can ping the DC or the Pix, but impossible to surf the internet. The only way to make them go outside is a reboot of Pix.

My configuration is:

-----------

See the ACE - pix config (config) #.
: Saved
: Written by enable_15 at 09:23:07.033 UTC Tuesday, June 3, 2014
6.3 (3) version PIX
interface ethernet0 car
interface ethernet1 100full
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate 8Ry34retyt7RR564 encrypted password
2fvbbfgdI.2KUOU encrypted passwd
hostname as pix
domain as.local
fixup protocol dns-length maximum 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
access-list acl_out permit icmp any one
ip access list acl_out permit a whole
access-list acl_out permit tcp any one
Allow Access-list outside_access_in esp a whole
outside_access_in list access permit udp any eq isakmp everything
outside_access_in list of access permit udp any eq 1701 all
outside_access_in list of access permit udp any eq 4500 all
outside_access_in ip access list allow a whole
pager lines 24
Outside 1500 MTU
Within 1500 MTU
outside 10.10.10.2 IP address 255.255.255.0
IP address inside 192.168.100.1 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
history of PDM activate
ARP timeout 14400
Global 1 10.10.10.8 - 10.10.10.254 (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
Access-group outside_access_in in interface outside
access to the interface inside group acl_out
Route outside 0.0.0.0 0.0.0.0 10.10.10.1 0
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
AAA-server local LOCAL Protocol
Enable http server
http 192.168.10.2 255.255.255.255 inside
http 192.168.10.101 255.255.255.255 inside
http 192.168.100.2 255.255.255.255 inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
ISAKMP nat-traversal 20
Telnet timeout 5
SSH 192.168.10.101 255.255.255.255 inside
SSH timeout 60
Console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd outside auto_config
Terminal width 80
Cryptochecksum:7f9bda5e534eaeb1328ab08a3c4d28a
------------

Do you have any advice? I don't get what's wrong with my setup.

My DC is 192.168.100.2 and the network mask is 255.255.255.0

The network configuration is configured to set the IP of the gateway to 192.168.100.1 (i.e. the PIX 501).

I have about 50 + peers on the internal network.

Any help is apprecciate.

Hello

You have a license for 50 users +?

After the release of - Show version

RES

Paul

Client VPN Cisco router Cisco, MSW CA + certificates

Dear Sirs,
Let me approach you on the following problem.

I wanted to use a secure between the Cisco VPN client connection
(Windows XP) and Cisco 2821 with certificate-based authentication.
I used the Microsoft certification authority (Windows 2003 server).
Cisco VPN client used eTokenPRO Aladdin as a certificate store.

Certificate of MSW CA registration and implementation in eToken ran OK
Customer VPN Cisco doesn't have a problem with the cooperation of eToken.
Certificate of registration of Cisco2821 MSW ca ran okay too.

Cisco 2821 configuration is standard. IOS version 12.4 (6).

Attempt to connect to the client VPN Cisco on Cisco 2821 was
last update of the error messages:

ISAKMP: (1020): cannot get router cert or routerdoes do not have a cert: had to find DN!
ISAKMP: (1020): ITS been RSA signature authentication more XAUTH using id ID_FQDN type
ISAKMP (1020): payload ID
next payload: 6
type: 2
FULL domain name: cisco - ca.firm.com
Protocol: 17
Port: 500
Length: 25
ISAKMP: (1020): the total payload length: 25
ISAKMP (1020): no cert string to send to peers
ISAKMP (1020): peer not specified not issuing and none found appropriate profile
ISAKMP (1020): Action of WSF returned the error: 2
ISAKMP: (1020): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1020): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE

Is there some refence where is possible to find some information on
This problem? There is someone who knows how to understand these mistakes?
Thank you very much for your help.

Best regards
P.Sonenberk

PS Some useful information for people who are interested in the above problem.

Address IP of Cisco 2821 10.1.1.220, client VPN IP address is 10.1.1.133.
MSW's IP 10.1.1.50.
Important parts of the Cisco 2821 configuration:

!
cisco-ca hostname
!
................
AAA new-model
!
AAA authentication login default local
AAA authentication login sdm_vpn_xauth_ml_1 local
AAA authorization exec default local
AAA authorization sdm_vpn_group_ml_1 LAN
!
...............
IP domain name firm.com
host IP company-cu 10.1.1.50
host to IP cisco-vpn1 10.1.1.133
name of the IP-server 10.1.1.33
!
Authenticated MultiLink bundle-name Panel
!
Crypto pki trustpoint TP-self-signed-4097309259
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 4097309259
revocation checking no
rsakeypair TP-self-signed-4097309259
!
Crypto pki trustpoint company-cu
registration mode ra
Enrollment url http://10.1.1.50:80/certsrv/mscep/mscep.dll
use of ike
Serial number no
IP address no
password 7 005C31272503535729701A1B5E40523647
revocation checking no
!
TP-self-signed-4097309259 crypto pki certificate chain
certificate self-signed 01
30820249 308201B 2 A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
.............
FEDDCCEA 8FD14836 24CDD736 34
quit smoking
company-cu pki encryption certificate chain
certificate 1150A66F000100000013
30820509 308203F1 A0030201 02020 HAS 11 092A 8648 01000000 13300 06 50A66F00
...............
9E417C44 2062BFD5 F4FB9C0B AA
quit smoking
certificate ca 51BAC7C822D1F6A3469D1ADC32D0EB8C
30820489 30820371 A0030201 BAC7C822 02021051 D1F6A346 9D1ADC32 D0EB8C30
...............
C379F382 36E0A54E 0A6278A7 46
quit smoking
!
...................
crypto ISAKMP policy 30
BA 3des
md5 hash
authentication rsa-BA
Group 2
ISAKMP crypto identity hostname
!
Configuration group customer isakmp crypto Group159
key Key159Key
pool SDM_POOL_1
ACL 100
!
the crypto isakmp client configuration group them
domain firm.com
pool SDM_POOL_1
ACL 100
!
Crypto ipsec transform-set esp-3des esp-md5-hmac 3DES-MD5
!
crypto dynamic-map SDM_DYNMAP_1 1
the transform-set 3DES-MD5 value
market arriere-route
!
card crypto SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1 crypto
client configuration address map SDM_CMAP_1 crypto answer
map SDM_CMAP_1 65535-isakmp dynamic SDM_DYNMAP_1 ipsec crypto
!
................
!
end

status company-cu of Cisco-ca #show cryptographic pki trustpoints
Trustpoint company-cu:
Issuing CA certificate configured:
Name of the object:
CN = firm-cu, dc = company, dc = local
Fingerprint MD5: 5026582F 8CF455F8 56151047 2FFAC0D6
Fingerprint SHA1: 47B 74974 7C85EA48 760516DE AAC84C5D 4427E829
Universal router configured certificate:
Name of the object:
host name = cisco - ca.firm.com
Fingerprint MD5: E78702ED 47D5D36F B732CC4C BA97A4ED
Fingerprint SHA1: 78DEAE7E ACC12F15 1DFB4EB8 7FC DC6F3B7E 00138
State:
Generated keys... Yes (general purpose, not exportable)
Authenticated issuing certification authority... Yes
Request certificate (s)... Yes

Cisco-ca #sh crypto pubkey-door-key rsa
Code: M - configured manually, C - excerpt from certificate

Name of code use IP-address/VRF Keyring
C Signature name of X.500 DN default:
CN = firm-cu
DC = company
DC = local

C signature by default cisco-vpn1

IMPORTANT: I don't have a Cisco IOS Software: 12.4 (5), 12.3 (11) T08, 12.4 (4.7) PI03c,.
12.4 (4.7) T - there is error in the cryptographic module.

Hey guys, it's weird that the router is not find cert after IKE is the cert and validates, it is certainly not reason, but I would go ahead and set up the mapping of certificate on this router to force the client to associate with Group of IKE, for that matter, that you need to change your config a bit for use iskamp profiles :

http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t8/feature/guide/gt_isakp.html

Number of VPN clients behind a PIX 501, restriction?

Is there a restriction in the number of VPN clients can be behind a PIX 501. Is is just limited by the number of hosts (10, 50, Unlimited)?

Hello

Behind a PIX VPN clients. Will you use NAT - T (must). It will be limited only to the number of users (normal users) through the PIX. So if you have a license to use 10 or 50 then the VPN connection is counted in this list.

Connection VPN Client through PIX is not IKE tunnel. They are normal UDP500 and UDP4500 peers.

Vikas

Customer Cisco PIX 501 VPN connects but no connection to the local network

Hi all:

I am able to make a VPN connection to a PIX 501. The remote client is assigned an IP (192.168.2.1) also, but not able to access all the machines in the local network connected to the PIX.

I have attached the PIX configuration.

Advice will be greatly appreciated.

********************

6.3 (5) PIX version

interface ethernet0 car

interface ethernet1 100full

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

enable password xxxx

passwd xxxxx

pixfirewall hostname

domain ciscopix.com

fixup protocol dns-length maximum 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol 2000 skinny

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names of

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

pager lines 24

Outside 1500 MTU

Within 1500 MTU

IP address outside dhcp setroute

IP address inside 192.168.1.1 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

IP local pool ippool 192.168.2.1 - 192.168.2.5

location of PDM 192.168.2.0 255.255.255.0 outside

PDM logging 100 information

history of PDM activate

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) - 0 102 access list

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

Timeout xlate 0:05:00

Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

AAA-server GANYMEDE + 3 max-failed-attempts

AAA-server GANYMEDE + deadtime 10

RADIUS Protocol RADIUS AAA server

AAA-server RADIUS 3 max-failed-attempts

AAA-RADIUS deadtime 10 Server

AAA-server local LOCAL Protocol

Enable http server

http 192.168.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

Permitted connection ipsec sysopt

Crypto ipsec transform-set esp - esp-md5-hmac RIGHT

Crypto-map dynamic dynmap 10 transform-set RIGHT

map mymap 10-isakmp ipsec crypto dynamic dynmap

mymap outside crypto map interface

ISAKMP allows outside

ISAKMP identity address

part of pre authentication ISAKMP policy 10

encryption of ISAKMP policy 10

ISAKMP policy 10 md5 hash

10 2 ISAKMP policy group

ISAKMP life duration strategy 10 86400

vpngroup vpn3000 ippool address pool

vpngroup vpn3000 Server dns 68.87.72.130

vpngroup vpn3000-wins 192.168.1.100 Server

vpngroup vpn3000 split tunnel 101

vpngroup vpn3000 downtime 1800

password vpngroup vpn3000 *.

Telnet timeout 5

SSH timeout 5

Console timeout 0

dhcpd address 192.168.1.2 - 192.168.1.33 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd outside auto_config

dhcpd allow inside

Terminal width 80

Cryptochecksum:xxxx

****************

The DNS server is the one assigned to me by my ISP.

My internal network connected to the PIX is 192.168.1.1 - 192.168.1.33 and the VPN ip pool is 192.168.2.1 - 192.168.2.5

"isakmp nat-traversal 20" can do the trick.

Client Vpn Cisco vpn remote site inaccessible (one site to another)

Hello

I configured two vpn with pix 515 cisco connection. One using a cisco vpn client and another another site to site vpn connectin with other pix.

I have my local network with 192.168.149.0 network, vpn clinet pool with 192.168.17.0 network and a remote site with 192.168.145.0.

Client vpn local network accessible and always remote site, but 192.168.17.0 (vpn client) 192.168.145.0 not accessible (remote site).

Plese help me!

Thank you

This scenario is possible with no v6.x, v7.x

the link below is an example of configuration:

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

Information on the routing of traffic of the client VPN to PIX.

Hey all,.

I could follow the VPN Wizard included in the PDM and able to connect with the VPN Clients for the PIX. But I'm looking for more information about how the routing is done.

For example, my remote is 67.71.252.xxx and my inside is 192.168.1.xxx. But if I connect via VPN to PIX Client, all data is transferred through my VPN to PIX and then trying to get out to the Internet.

I'll settle for data goes 192.168.1.xxx for transit through the VPN. This configuration made via the PIX or is it the responsibility of the Client machine to set up rules of the road?

All links to the guides to installation, or technical notes would be great.

Thank you inadvance.

Paul

Hello

I think the key word you are looking for is "split tunneling". This can be validated on the PIX using the vpngroup split access_list tunnel GroupName command.

"Split tunneling allows a remote VPN client or encrypted simultaneous Easy VPN remote access device to the corporate network and Internet access. Using the vpngroup split-tunnel command, specify the access list name with which to associate the split tunneling of traffic. "

In this example configuration: http://www.cisco.com/warp/public/110/pix3000.html, note that the same access list is used to "nat 0" and split-mining:

access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

(Inside) NAT 0-list of access 101

vpngroup vpn3000 split tunnel 101

Order reference:

http://www.Cisco.com/en/us/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ae.html#wp1099471

Please let us know if this helped

Kind regards

Mustafa

VPN with PIX 501

Help!

I'm trying to set up VPN on my PIX 501. I have no experience of the PIX and have no idea where to start!

Any help will be greatly appreciated.

Thank you

Bennie

access list allow accord a

where is the name of the access list that you applied the entrants to your external interface. You may also allow accord coming out, if you have a list of incoming configured access to your inside interface.

What clients VPN Cisco 2811 supports?

Is the solution of VPN Cisco 2811 locked customers cisco or that market with other brands too?

Best regards Tommy Svensson

Hello

With the correct IOS feature set, it will support IPsec VPN clients. This includes not only the Cisco VPN client but almost any standard IPsec client.

In addition, if on the 2811 can accept any browser SSL VPN connections, or even use the AnyConnect SSL client.

It will be useful.

Federico.

QoS is supported on the Cisco PIX 501 or 506th?

Hello

There is no mention of QoS in technical for the PIX 501 and 506 records but nothing for the 515. PIX OS 7.x configuration guides do not mention specific material support.

Does anyone know if QoS is taken care of in the 501 or 506th - I need support lines expectations for VoIP over IPSec.

Thank you

Chris

QoS is supported in 7.x code, you would have to level 501/506 to 7.x code, but this is not supported on these two models, the next logical solution would be to upgrade your PIX 501/506 to asa5505s.

Rgds

Jorge

Client VPN Cisco and Cisco Secure

Cisco VPN client and the VPN from Cisco Secure client free to use with pix firewall software?

Thank you.

Hello

If you have a valid contract to Cisco and you can get the following link:

http://www.Cisco.com/Kobayashi/SW-Center/SW-VPN.shtml

with your CCO login, then you should be able to use these customers at no cost because they are already covered by the contract.

Thank you and best regards,

Abdelouahed

-=-=-

Client VPN CISCO 857

Hello

I would like to know if CISCO 857 allows customers of Cisco VPN remote apart from site to site VPN software. I have heard that all cable cisco VPN devices allow connections to cisco VPN client software, is it true?

Thanks a lot for your help

Juan Manuel

Juan,

Let me explain a little further in order to clarify some of the terminology used, which could lead to confusion.

Router Cisco VPN may terminate the following types of tunnels.

Lan to Lan tunnels has.

b. dynamic tunnels of Lan to Lan

c. connections from VPN clients

d. ends for easy VPN clients

a & b are very similar

c & d are very similar

except - option c uses VPN (software) clients installed on the PC or MAC systems

Option d, material uses to connect to the IOS routers. You can use a router or a PIX firewall or a 3002 or ASA to connect to the Cisco router that would act as an IOS Easy VPN server. But the device to connect to the easy VPN server is called an easy VPN client.

Hope that explains the terminology a little more in detail.

To answer your question, safety feature Easy VPN client and server support.

And what you're trying to accomplish is option c. Thus, security feature option should work well for you.

Hope that explains your queries.

The rate of this post, if that helps!

Thank you

Gilbert

Client VPN on PIX needs to access DMZ

VPN clients 3.5 ending PIX 6.X cannot access hosts on a PIX DMZ interface. Journal reports of error that there is no 'translation group available outside' for the subnet of the VPN Client (from the vpngroup pool).

I should add the VPN client subnet to a nat (outside) device?

Can I add it to the nat inside?

Can I just add static to the DMZ hosts within the subnet interface because VPN clients can access the inside hosts?

(I have the subnets in the nat 0 sheep ACL)

Thanks and greetings

JT

You'll need to add is nat 0. You say in your () you have an acl sheep, for the perimeter network or the inside interface? You use the same access list to the sheep inside and dmz? You should separate if you use separate access list. Is your pool of client on a different subnet than your home network and dmz? It must be something like this:

Customer IP local pool 192.168.1.1 - 192.168.1.254

IP, add inside 10.10.10.1 255.255.255.0

Add 10.10.20.1 dmz IP 255.255.255.0

access-list sheep by 10.10.10.0 ip 255.255.255.0 192.168.1.0 255.255.255.0

nonatdmz list of access by IP 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0

NAT (inside) 0 access-list sheep

NAT (dmz) 0-list of access nonatdmz

If this is correct then clear x, wr mem, reload. I hope this helps.

Kurtis Durrett

PS

If he did not, only can recommend the upgrade your client and pix because that is exactly how it should look, and if its does not work you are facing an additional feature you want.

client vpn Cisco pix 501

Similar Questions

Maybe you are looking for