# Cisco VPN client - PIX 315 - users connect but cannot ping or communicate



## rseier (Jan 18, 2008)

I have configured a PIX 315 to allow VPN connections and authenticate users through Active Directory. Users can authenticate, but cannot go anywhere once they are connected.

Any help you can provide would be MOST APPRECIATED!

access-list INET_IN permit icmp any any echo-reply
access-list INET_IN permit icmp any any time-exceeded
access-list INET_IN permit tcp any host x.x.x.x eq www
access-list INET_IN permit tcp any host x.x.x.x eq https
access-list INET_IN permit tcp any host x.x.x.x eq ftp
access-list INET_IN permit tcp host x.x.x.x host x.x.x.x eq 3389
access-list INET_IN deny tcp any host x.x.x.x eq 41794
access-list INET_IN deny tcp any host x.x.x.x eq 41795
access-list INET_IN permit tcp any host x.x.x.x eq h323
access-list INET_IN permit tcp any host x.x.x.x eq 3230
access-list INET_IN permit tcp any host x.x.x.x eq 3231
access-list INET_IN permit tcp any host x.x.x.x eq 3232
access-list INET_IN permit tcp any host x.x.x.x eq 3233
access-list INET_IN permit tcp any host x.x.x.x eq 3234
access-list INET_IN permit tcp any host x.x.x.x eq 3235
access-list INET_IN permit udp any host x.x.x.x eq 3235
access-list INET_IN permit udp any host x.x.x.x eq 3236
access-list INET_IN permit udp any host x.x.x.x eq 3237
access-list INET_IN permit udp any host x.x.x.x eq 3238
access-list INET_IN permit udp any host x.x.x.x eq 3239
access-list INET_IN permit udp any host x.x.x.x eq 3240
access-list INET_IN permit udp any host x.x.x.x eq 3241
access-list INET_IN permit udp any host x.x.x.x eq 3242
access-list INET_IN permit udp any host x.x.x.x eq 3243
access-list INET_IN permit udp any host x.x.x.x eq 3244
access-list INET_IN permit udp any host x.x.x.x eq 3245
access-list INET_IN permit udp any host x.x.x.x eq 3246
access-list INET_IN permit udp any host x.x.x.x eq 3247
access-list INET_IN permit udp any host x.x.x.x eq 3248
access-list INET_IN permit udp any host x.x.x.x eq 3249
access-list INET_IN permit udp any host x.x.x.x eq 3250
access-list INET_IN permit udp any host x.x.x.x eq 3251
access-list INET_IN permit udp any host x.x.x.x eq 3252
access-list INET_IN permit udp any host x.x.x.x eq 3253
access-list INET_IN permit udp any host x.x.x.x eq 3254
access-list INET_IN permit udp any host x.x.x.x eq 3255
access-list INET_IN permit udp any host x.x.x.x eq 3256
access-list INET_IN permit udp any host x.x.x.x eq 3257
access-list INET_IN permit udp any host x.x.x.x eq 3258

access-list inside_outbound_nat0_acl permit ip any 192.168.169.208 255.255.255.240

access-list outside_cryptomap_dyn_20 permit ip any 192.168.169.208 255.255.255.240

access-list 101 permit ip 192.168.169.0 255.255.255.0 192.168.168.0 255.255.255.0

access-list 101 permit ip 192.168.170.0 255.255.255.0 192.168.168.0 255.255.255.0

access-list 101 permit ip 192.168.168.0 255.255.255.0 192.168.169.0 255.255.255.0

access-list 101 permit ip 192.168.168.0 255.255.255.0 192.168.170.0 255.255.255.0

access-list split_tunnel_acl permit ip any any

ip address outside x.x.x.18 255.255.255.248

ip address inside 192.168.169.22 255.255.255.0

ip local pool VPN 192.168.169.210-192.168.169.219 mask 255.255.255.0

global (outside) 1 x.x.x.19

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 access-list 101 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) x.x.x.x LAB1-Server netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.169.210 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x Polycom_VS4000 dns netmask 255.255.255.255 0 0

access-group INET_IN in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.17 1

route inside 192.168.0.0 255.255.0.0 192.168.169.21 1

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host LAB2-Server <shared pw> timeout 5

sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_DES_MD5

crypto dynamic-map dynmap 10 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth

crypto map mymap interface outside
isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup vpn3000 address-pool VPN
vpngroup vpn3000 dns-server LAB2-Server
vpngroup vpn3000 wins-server LAB1-Server
vpngroup vpn3000 default-domain <domain-name>
vpngroup vpn3000 split-tunnel split_tunnel_acl
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********


----------

