VPN PPTP and PPPOE CLIENT ON PIX 501

Similar Questions

• VPN site-to-site between two PIX 501 with Client VPN access

  Site A and site B are connected with VPN Site to Site between two PIX 501.

  Also, site A is configured for remote access VPN client. If a remote client connects to Site A, it can only get access to the LAN of Site A, it cannot access anything whatsoever behind PIX on Site B.

  How is that possible for a VPN client connected to Site A to Site B?

  Thank you very much.

  Alex

  Bad and worse news:

  Bad: Not running the 7.0 series PIX cannot route traffic on the same interface, the traffic is recived. Version 7.0 solves this ipsec traffic.

  Even worse: PIX 501 can not be upgraded to 7.0...

  A couple of things to think about would be the upgrade to hardware that can run the new IOS or allowing a VPN R.A. on site B.

  HTH Please assess whether this is the case.

  Thank you

• VPN (PPTP) and mobile broadband - help me!

  Hello

  I got an SL500 and I use a card SIM of Fullrate, that works well (although when you press 'activate' in the wwan he said my access provider is not supported? but I can't log in, no problem).

  But then I have to connect to a VPN to my University to be able to use certain software licenses, it works well... for 10 minutes, then the wwan connection is lost and I can't reconnect. Vista repair functions, ipconfig/release/renew nothing works except a restart used.

  Help me! I am really frustrated...

  I've updated yesterday - there was an update of hdspa and I changed the global settings for the without thread is not allowed to turn, when idle, and it seems that helped. have used the high-speed and vpn all day and not a single interruption.

  Nice!

• ASA easy vpn server and ios client both need public ip

  Hello

  If someone can define that cisco asa 5525-x and cisco 2800 router ios can be customer both parties have public ip or only side server.

  Please clear my doubt

  Hello

  Then you can do with ezvpn himself. Take the below mentioned thing for example and configure accordingly for your scenario.

  http://www.Cisco.com/c/en/us/products/collateral/iOS-NX-OS-software/iOS-...

  Concerning

  Knockaert

• Cisco 3640 to the PIX 501 site 2 site VPN performance specifications.

  I intend on creating a site-2-site VPN in Star configuration with a Cisco 3640 as the hub and PIX 501 at the remote sites. My question is around the plug that I read.

  .

  The specifications for a PIX-501-BUN-K9 tell PIX 501 3DES Bundle (chassis, SW, 10 users, 3DES).

  .

  A question is what really "10 users. Which is the limit of the number of concurrent sessions, I have on the VPN at a given time, or that it means something else?

  .

  I also read the specs say that the Maximum number of VPN tunnels that can support a PIX 501 is 5. Because I'm not going to make a tunnel between the PIX 501 at the remote site and the 3640 on the central site, I think I would be OK. Is that correct or is the max value talk the maximum number of concurrent sessions on the tunnel tunnels?

  .

  Thank you.

  UDP traffic always creates a session in the PIX so that the return traffic will be allowed in. The UDP timeout is 2 minutes but IIRC. If you go around NAT with a statement of "nat 0" should not create an xlate I think.

  The real time is hard to say really, probably around 2 minutes for a UDP-only user, you would probably make a few 'local sho' orders on the PIX to really see for sure however.

• PIX 501 and VPN Linksys router (WRV200)

  I inherited a work where we have a Cisco PIX 501 firewall to a single site and Linksys WRV200 Router VPN on two other

  sites. Asked me to connect these routers Linksys firewall PIX via the VPN.

  According to me, the Linksys vpn routers can only connect via IPSec VPN, I'm looking for help on the configuration of the PIX 501 for the linksys to connect with the following, if possible.

  Key exchange method: Auto (IKE)

  Encryption: Auto, 3DES, AES128, AES192, AES256

  Authentication: MD5

  Pre Shared Key: xxx

  PFS: Enabled

  Life ISAKMP key: 28800

  Life of key IPSec: 3600

  The pix, I installed MDP and I tried to use the VPN wizard without result.

  I chose the following settings when you make the VPN Wizard:

  Type of VPN: remote VPN access

  Interface: outside

  Type of Client VPN device used: Cisco VPN Client

  (can choose customer of Cisco VPN 3000, MS Windows Client by using the client MS Windows using L2TP, PPTP)

  VPN clients group

  Name of Group: RabyEstates

  Pre Shared Key: rabytest

  Scope of the Client authentication: disabled

  Address pool

  Name of the cluster: VPN - LAN

  Starter course: 192.168.2.200

  End of row: 192.168.2.250

  Domain DNS/WINS/by default: no

  IKE policy

  Encryption: 3DES

  Authentication: MD5

  Diffie-Hellman group: Group 2 (1024 bits)

  Transform set

  Encryption: 3DES

  Authentication: MD5

  I have attached the log of the VPN Linksys router VPN.

  This is the first time that I have ever worked with PIX so I'm still trying to figure the thing to, but I'm confident with the CCNA level network.

  Thanks for your help!

  Hello

  Everything looks fine for me, try to have a computer in every network and ping between them. Check the newspapers/debug and fix them.

  Let me know.

  See you soon,.

  Daniel

• PPTP VPN pix 501 question

  I'm relatively new to the security stuff.  I'm a guy of the voice.  I created a Pix 501 for IPSEC VPN and works very well.  Then I tried it setting up PPTP VPN.  I use Windows XP to connect.  It connects fine, but I can't ping to the inside interface on the PIX.  I can do this by using IPSEC.  Any ideas?   Here is my config:

  :

  6.3 (3) version PIX

  interface ethernet0 car

  interface ethernet1 100full

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  activate the password * encrypted

  passwd * encrypted

  host name *.

  domain name *.

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol pptp 1723

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  names of

  access-list 101 permit icmp any any echo response

  access-list 80 allow ip 10.0.0.0 255.255.255.0 192.168.5.0 255.255.255.0

  access-list ip 10.0.0.0 sheep allow 255.255.255.0 192.168.5.0 255.255.255.0

  access-list ip 10.0.0.0 sheep allow 255.255.255.0 192.168.6.0 255.255.255.0

  pager lines 24

  opening of session

  emergency logging console

  Outside 1500 MTU

  Within 1500 MTU

  IP address outside of *. *. *. * 255.255.255.0

  IP address inside 10.0.0.1 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  IP local pool pool1 192.168.5.100 - 192.168.5.200

  IP local pool pool2 192.168.6.100 - 192.168.6.200

  history of PDM activate

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0 access-list sheep

  NAT (inside) 1 10.0.0.0 255.0.0.0 0 0

  Access-group 101 in external interface

  Route outside 0.0.0.0 0.0.0.0 *. *. *. * 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  RADIUS Protocol RADIUS AAA server

  AAA-server local LOCAL Protocol

  the ssh LOCAL console AAA authentication

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Permitted connection ipsec sysopt

  Sysopt connection permit-pptp

  Sysopt connection permit-l2tp

  Crypto ipsec transform-set high - esp-3des esp-sha-hmac

  Crypto ipsec transform-set esp - esp-md5-hmac RIGHT

  Crypto dynamic-map cisco 4 strong transform-set - a

  Crypto-map dynamic dynmap 10 transform-set RIGHT

  Cisco dynamic of the partners-card 20 crypto ipsec isakmp

  partner-map interface card crypto outside

  card crypto 10 PPTP ipsec-isakmp dynamic dynmap

  ISAKMP allows outside

  ISAKMP key * address 0.0.0.0 netmask 0.0.0.0

  ISAKMP nat-traversal 20

  part of pre authentication ISAKMP policy 8

  ISAKMP strategy 8 3des encryption

  ISAKMP strategy 8 md5 hash

  8 2 ISAKMP policy group

  ISAKMP life duration strategy 8 the 86400

  vpngroup address pool1 pool test

  vpngroup default-field lab118 test

  vpngroup split tunnel 80 test

  vpngroup test 1800 idle time

  Telnet timeout 5

  SSH 10.0.0.0 255.0.0.0 inside

  SSH 192.168.5.0 255.255.255.0 inside

  SSH 192.168.6.0 255.255.255.0 inside

  SSH timeout 5

  management-access inside

  Console timeout 0

  VPDN PPTP-VPDN-group accept dialin pptp

  VPDN group PPTP-VPDN-GROUP ppp authentication chap

  VPDN group PPTP-VPDN-GROUP ppp mschap authentication

  VPDN group PPTP-VPDN-GROUP ppp encryption mppe auto

  VPDN group VPDN GROUP-PPTP client configuration address local pool2

  VPDN group VPDN GROUP-PPTP client configuration dns 8.8.8.8

  VPDN group VPDN GROUP-PPTP pptp echo 60

  VPDN group VPDN GROUP-PPTP client for local authentication

  VPDN username bmeade password *.

  VPDN allow outside

  You will have to connect to an internal system inside and out run the PIX using pptp.

  For ssh access the PIX, you will also need additional configuration, see the section on code PIX pre 7.x, section access ssh to the security apparatus .

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml#C4

  Concerning

• L2L pix 501 and remote access VPN

  Hi, I'm working on an old 501 PIX w / Software 6.3 (5), he already have access to remote VPN configuration and works very well, but now he needs a L2L implemented. One thing I try to do all the work remotely via VPN or ssh to the machine. I don't know what's on the other end, but they swear that it is set up and maybe my problem is when I start putting in orders for the other VPN it breaks the remote VPN access. One thing that I have to do is NAT a host on the inside to appear as another host on the end. I use these commands and I think it works cannot be said.

  access-list 101 permit ip remote_network 255.255.255.0 local_server host

  public static 10.1.0.203 (inside, outside) - access list 101

  then

  access-list 102 permit ip host 10.1.0.203 192.168.50.83
  access-list 102 permit ip host 10.1.0.203 192.168.50.86
  access-list 102 permit ip host 10.1.0.203 192.168.50.50
  access-list 102 permit ip host 10.1.0.203 192.168.50.85

  and use it to match against

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  EMDs-map 10 ipsec-isakmp crypto map
  correspondence address card crypto emds-map 10 102
  card crypto emds-map 10 peers set remote_vpn_server
  card crypto emds-card 10 set of transformation-ESP-3DES-SHA

  then

  ISAKMP key magic_key address remote_vpn_server netmask 255.255.255.255
  ISAKMP identity hostname
  part of pre authentication ISAKMP policy 10
  ISAKMP policy 10 3des encryption
  ISAKMP policy 10 sha hash
  10 1 ISAKMP policy group
  ISAKMP life duration strategy 10 86400

  and that is where it usually breaks the VPN, I don't know if the other VPN works due to not being not able to get to this server to try to ping, I don't really like to try this stuff remotely but I don't have a lot of choice at the moment.

  Any thoughts?

  Thank you

  Jarrid Graham

  Yes, just use the number of different sequence with 1 name of the crypto map. Please also ensure that your dynamic crypto map, which is your vpn client has the sequence down the crypto map (more), because you want to make sure that the static crypto map (for lan-to-lan tunnel has higher sequence number (lower number)).

  The political isakmp sequence number does not match, it is processed from top to bottom (number less than the high number) and also long 1 set of isakmp policy corresponds to the remote peer, it will be negotiated properly.

  Hope that answers your question and please note useful post. Thank you.

• VPN between cisco unified customer 3.6.3 and Pix 501 6.2 (1) with the MS CA server

  Hello

  I have Microsoft CA server with the latest support CEP and pix 501 that gets the digital certificate. I also have the client certificate of Cisco, but VPN doesn't work

  In the IPSec Log Viewer, I constantly "CM_IKE_ESTABLISH_FAIL."

  It worked well prior to Win2k server has been completely updated with the latest patches.

  The pix configuration is identical to that of article http://www.cisco.com/warp/public/471/configipsecsmart.html

  I reinstall the stand-alone CA and support CEP server but not had any luck.

  What could be wrong?

  It looks like IKE implementation problem. Make DH group 2 policy ISAKMP.

  Visit this link:

  http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_v53/IPSec/exvpncl.htm

• Number of VPN clients behind a PIX 501, restriction?

  Is there a restriction in the number of VPN clients can be behind a PIX 501. Is is just limited by the number of hosts (10, 50, Unlimited)?

  Hello

  Behind a PIX VPN clients. Will you use NAT - T (must). It will be limited only to the number of users (normal users) through the PIX. So if you have a license to use 10 or 50 then the VPN connection is counted in this list.

  Connection VPN Client through PIX is not IKE tunnel. They are normal UDP500 and UDP4500 peers.

  Vikas

• L2l IPSec VPN 3000 and PIX 501

  Hello

  I have a remote site that has a broadband internet connection and uses a PIX 501.  We wanted to connect them with our main office using our VPN 3000 via VPN site-to-site.

  I followed the following documentation:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml#tshoot

  However the L2L session does not appear on the hub when I check the active sessions.

  The network diagram, as well as the PIX config and the screenshots of the VPN configuration for the IPSec-L2L tunnel is attached.

  Any help or advice are appreciated.

  I just noticed that the PIX firewall, the phase 1 paramateres are not configured. You must configure the same PASE 1 and phase 2 settings on both ends of the tunnel.

  For example, on CVPN 3000, you have configured settings Phase 1 as 3DES, pre-shared key etc... We have the same configuration on the PIX firewall too.

  Here is an example of sample config

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml

  I hope this helps!

• PIX 501 - VPN - based

  Hello

  I am considering the implementation of a vpn pptp on win2k server behind a pix 501 firewall (+ nat) with only 1 static IP address. I will also have to have at least 2-3 Terminal Server client connected simultaneously.

  The Terminal Server service will pass through vpn tunnel.

  Can this be achieved? A local Tech told me that I need at least 2 IP addresses.

  Thank you

  Mike

  For Terminal Server services, you can do it with just an IP address that is assigned to the external interface of the PIX, just create a static mapped port to port 3389 thru peripheral inward.

  For PPTP, you must however an IP address separate, different from that assigned to the PIX outside the int. This is because PPTP uses two TCP/1723 and GRE protocols. You can create a static mapped ports for TCP/1723 through the PPTP server, but you can't do it for the GRE. This is because GRE is not a TCP/UDP protocol, it is located just above IP and has therefore no port number to map through. You need an IP address unique address and card. You config should look like this:

  list of allowed inbound tcp access any host 200.1.1.1 eq 1723

  list of allowed incoming access will any host 200.1.1.1

  Access-group interface incoming outside

  public static 200.1.1.1 (indoor, outdoor) 10.1.1.1 netmask 255.255.255.255

  where 200.1.1.1 is your second (different from the PIX off int) routable IP address 10.1.1.1 is your PPTP server inside

  If you only want to use an IP address, why don't the PIX not set itself up as a PPTP server and put an end to your connections on this. The PPTP client end simply on the PIX outside IP address, and you will not need all the others.

  See http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml for more details.

• A PIX 501 can connect to a VPN service?

  Can a PIX 501 6.3 (4) establish a VPN to a supplier like www.privateinternetaccess.com?  They claim to support PPTP and L2TP/IPSEC.  If so, how the PIX should be configured?

  Thank you.

  No, none of the networking gear (Inc. ASA) can be configured as PPTP and L2TP over IPSec client client.

  Both are PC or MAC software.

• IPSec VPN pix 501 no LAN access

  I'm trying to set up an IPSec VPN in a basic small business scenario. I am able to connect to my pix 501 via IPSec VPN and browse the internet, but I am unable to ping or you connect to all devices in the Remote LAN. Here is my config:

  : Saved

  :

  6.3 (3) version PIX

  interface ethernet0 car

  interface ethernet1 100full

  nameif ethernet0 WAN security0

  nameif ethernet1 LAN security99

  enable encrypted password xxxxxxxxxxxxx

  xxxxxxxxxxxxxxxxx encrypted passwd

  host name snowball

  domain xxxxxxxxxxxx.local

  clock timezone PST - 8

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol pptp 1723

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  No fixup not protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  names of

  acl_in list of access permit udp any any eq field

  acl_in list of access permit udp any eq field all

  acl_in list access permit tcp any any eq field

  acl_in tcp allowed access list any domain eq everything

  acl_in list access permit icmp any any echo response

  access-list acl_in allow icmp all once exceed

  acl_in list all permitted access all unreachable icmp

  acl_in list access permit tcp any any eq ssh

  acl_in list access permit tcp any any eq www

  acl_in tcp allowed access list everything all https eq

  acl_in list access permit tcp any host 192.168.5.30 eq 81

  acl_in list access permit tcp any host 192.168.5.30 eq 8081

  acl_in list access permit tcp any host 192.168.5.22 eq 8081

  acl_in list access permit icmp any any echo

  access-list acl_in permit tcp host 76.248.x.x a

  access-list acl_in permit tcp host 76.248.x.x a

  allow udp host 76.248.x.x one Access-list acl_in

  access-list acl_out permit icmp any one

  ip access list acl_out permit a whole

  acl_out list access permit icmp any any echo response

  acl_out list access permit icmp any any source-quench

  allowed any access list acl_out all unreachable icmp

  access-list acl_out permit icmp any once exceed

  acl_out list access permit icmp any any echo

  Allow Access-list no. - nat icmp a whole

  access-list no. - nat ip 192.168.5.0 allow 255.255.255.0 172.16.0.0 255.255.0.0

  access-list no. - nat ip 172.16.0.0 allow 255.255.0.0 any

  access-list no. - nat permit icmp any any echo response

  access-list no. - nat permit icmp any any source-quench

  access-list no. - nat icmp permitted all all inaccessible

  access-list no. - nat allow icmp all once exceed

  access-list no. - nat permit icmp any any echo

  pager lines 24

  MTU 1500 WAN

  MTU 1500 LAN

  IP address WAN 65.74.x.x 255.255.255.240

  address 192.168.5.1 LAN IP 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  IP local pool pptppool 172.16.0.2 - 172.16.0.13

  PDM logging 100 information

  history of PDM activate

  ARP timeout 14400

  Global (WAN) 1 interface

  NAT (LAN) - access list 0 no - nat

  NAT (LAN) 1 0.0.0.0 0.0.0.0 0 0

  static (LAN, WAN) 65.x.x.37 192.168.5.10 netmask 255.255.255.255 0 0

  static (LAN, WAN) 65.x.x.36 192.168.5.20 netmask 255.255.255.255 0 0

  static (LAN, WAN) 65.x.x.38 192.168.5.30 netmask 255.255.255.255 0 0

  static (LAN, WAN) 65.x.x.39 192.168.5.40 netmask 255.255.255.255 0 0

  static (LAN, WAN) 65.x.x.42 192.168.5.22 netmask 255.255.255.255 0 0

  static (LAN, WAN) 65.x.x.43 192.168.5.45 netmask 255.255.255.255 0 0

  static (LAN, WAN) 65.x.x.44 192.168.5.41 netmask 255.255.255.255 0 0

  static (LAN, WAN) 65.x.x.45 192.168.5.42 netmask 255.255.255.255 0 0

  static (LAN, WAN) 65.x.x.46 192.168.5.44 netmask 255.255.255.255 0 0

  static (LAN, WAN) 65.x.x.41 192.168.5.21 netmask 255.255.255.255 0 0

  acl_in access to the WAN interface group

  access to the LAN interface group acl_out

  Route WAN 0.0.0.0 0.0.0.0 65.x.x.34 1

  Timeout xlate 0:05:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  RADIUS Protocol RADIUS AAA server

  AAA-server local LOCAL Protocol

  NTP server 72.14.188.195 source WAN

  survey of 76.248.x.x WAN host SNMP Server

  location of Server SNMP Sacramento

  SNMP Server contact [email protected] / * /

  SNMP-Server Community xxxxxxxxxxxxx

  SNMP-Server enable traps

  enable floodguard

  the string 1 WAN fragment

  Permitted connection ipsec sysopt

  Sysopt connection permit-pptp

  Crypto ipsec transform-set esp - esp-md5-hmac RIGHT

  Crypto-map dynamic dynmap 10 transform-set RIGHT

  map mymap 10-isakmp ipsec crypto dynamic dynmap

  client configuration address map mymap crypto initiate

  client configuration address map mymap crypto answer

  card crypto mymap WAN interface

  ISAKMP enable WAN

  ISAKMP nat-traversal 20

  part of pre authentication ISAKMP policy 10

  encryption of ISAKMP policy 10

  ISAKMP policy 10 md5 hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  vpngroup myvpn address pptppool pool

  vpngroup myvpn Server dns 192.168.5.44

  vpngroup myvpn by default-field xxxxxxxxx.local

  vpngroup split myvpn No. - nat tunnel

  vpngroup idle 1800 myvpn-time

  vpngroup myvpn password *.

  Telnet 192.168.5.0 255.255.255.0 LAN

  Telnet timeout 5

  SSH 192.168.5.0 255.255.255.0 LAN

  SSH timeout 30

  Console timeout 0

  VPDN group pptpusers accept dialin pptp

  VPDN group ppp authentication pap pptpusers

  VPDN group ppp authentication chap pptpusers

  VPDN group ppp mschap authentication pptpusers

  VPDN group ppp encryption mppe 128 pptpusers

  VPDN group pptpusers client configuration address local pptppool

  VPDN group pptpusers customer 192.168.5.44 dns configuration

  VPDN group pptpusers pptp echo 60

  VPDN group customer pptpusers of local authentication

  VPDN username password xxx *.

  VPDN username password xxx *.

  VPDN enable WAN

  dhcpd address 192.168.5.200 - 192.168.5.220 LAN

  dhcpd 192.168.5.44 dns 8.8.8.8

  dhcpd lease 3600

  dhcpd ping_timeout 750

  dhcpd enable LAN

  username privilege 0 encrypted password xxxxxxxxxx xxxxxxxxxxx

  username privilege 0 encrypted password xxxxxxxxxx xxxxxxxxxxx

  Terminal width 80

  Cryptochecksum:xxxxxxxxxxxxxxxxxx

  : end

  I'm sure it has something to do with NAT or an access list, but I can't understand it at all. I know it's a basic question, but I would really appreaciate help!
  Thank you very much
  Trevor

  "No. - nat' ACL doesn't seem correct, please make sure you want to remove the following text:

  do not allow any No. - nat icmp access list a whole

  No No. - nat ip 172.16.0.0 access list allow 255.255.0.0 any

  No No. - nat access list permit icmp any any echo response

  No No. - nat access list permit icmp any any source-quench

  No No. - nat access list permit all all unreachable icmp

  No No. - nat access list do not allow icmp all once exceed

  No No. - nat access list only allowed icmp no echo

  You must have 1 line as follows:

  access-list no. - nat ip 192.168.5.0 allow 255.255.255.0 172.16.0.0 255.255.0.0

  Please 'clear xlate' after the changes described above.

  In addition, if you have a personal firewall enabled on the host you are trying to connect from the Client VPN, please turn it off and try again. Personal firewall of Windows normally blocks the traffic of different subnets.

  Hope that helps.

• How to configure the PPPoE on PIX 501?

  Mailto: [email protected] / * /

  MSN: [email protected] / * /

  According to the below URL Cisco TAC:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00801055dd.shtml

  but I always failed. And my PIX 501 Configuration noted below:

  pixfirewall # write terminal

  Building configuration...

  : Saved

  :

  6.3 (1) version PIX

  interface ethernet0 10baset

  interface ethernet1 100full

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  enable password xxxx

  passwd xxxx

  pixfirewall hostname

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol they 389

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  names of

  pager lines 24

  Outside 1500 MTU

  Within 1500 MTU

  IP address outside pppoe setroute

  IP address inside 192.168.1.254 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  history of PDM activate

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  Route inside 10.0.0.0 255.0.0.0 192.168.1.1 1

  Route inside 20.0.0.0 255.0.0.0 192.168.1.1 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  RADIUS Protocol RADIUS AAA server

  AAA-server local LOCAL Protocol

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  VPDN group pppoex request dialout pppoe

  Cisco localname VPDN group pppoex

  VPDN group ppp authentication pap pppoex

  VPDN username xxxx password *.

  Terminal width 80

  Cryptochecksum:xxxx

  : end

  [OK]

  See the pixfirewall version #.

  Cisco PIX Firewall Version 6.3 (1)

  Cisco PIX Device Manager Version 1.1 (2)

  Updated Thursday 19 March 03 11:49 by Manu

  pixfirewall until 58 mins 6 dry

  Material: PIX - 501, 16 MB RAM, 133 MHz Am5x86 CPU

  Flash E28F640J3 @ 0 x 3000000, 8 MB

  BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

  0: ethernet0: the address is 000b.fd58.886b, irq 9

  1: ethernet1: the address is 000b.fd58.886c, irq 10

  Features licensed:

  Failover: disabled

  VPN - A: enabled

  VPN-3DES-AES: enabled

  Maximum Interfaces: 2

  Cut - through Proxy: enabled

  Guardians: enabled

  URL filtering: enabled

  Internal hosts: 50

  Throughput: unlimited

  you have all the debugging logs?