I believe that your IPPOOLS IP range should be different from your local LAN
so that they can communicate. Maybe make it 172.16.4.1-172.16.4.31.
Then build an access-list for the Clients that goes inside address, pool
address
access-list CLIENTS permit ip 172.16.3.0 255.255.255.0 172.16.4.0
255.255.255.224
The above gets you to the London LAN
access-list CLIENTS permit ip 192.168.3.0 255.255.255.0 172.16.4.0
255.255.255.224
This gets your clients to the HK LAN
access-list CLIENTS permit ip 10.10.0.0 255.255.0.0 172.16.4.0
255.255.255.224
This gets you to the Tokyo LAN
Obviously Hong Kong and Tokyo will have to permit traffic from their LAN to
the Client IPPOOLS range of addresses.
 
You have a line "nat (inside) 0 access-list nonat" but there is no
access-list "nonat"
There is an access-list "no-nat"
Just erase that and create an access-list (try the name VPNs) that has all
the information in acl 111, 112, and CLIENTS. Use that acl in your nat 0
statement.
There is a more elegant way to do this last step. Not sure which version
allows it.
 
There are several books on PIX configuration available.
"Cisco Secure PIX Firewalls" by Chapman and Fox, Cisco Press, ISBN
1587050358
"Cisco PIX Firewalls" by Richard Deal, Osborne McGraw Hill, ISBN 0072225238
I'd suggest you buy both.
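To make the points in this reply (and in the earlier reply further down about one nat 0 line and a concatenated ACL) checkable, here is an added example that is not part of the original thread and not Cisco's code: a small Python linter that reads the relevant lines of a PIX 6.x "wr term" dump and reports a client pool sitting inside the LAN subnet, a nat 0 statement naming an undefined access-list, site-to-site crypto ACL entries that the nat 0 ACL does not exempt, and a pool that no nat 0 entry covers. It also prints the single merged ACL to put in the nat 0 statement. The sample config is a constructed subset of the LONPIX config quoted below; the ACL name "VPNs" and the 172.16.4.0/27 pool are the suggestions from this reply, and the regex parsing only handles the "permit ip" ACL form used in that config.

```python
"""Static checks for a PIX 6.x config, mirroring the review in the reply above.

Added example, not code from the original thread. Only the line forms that
appear in the posted LONPIX config are parsed (permit-ip ACLs, inside address,
ip local pool, nat 0 access-list, crypto map match address).
"""
import ipaddress
import re

# Constructed sample: the lines from the posted LONPIX config that matter here.
SAMPLE_CONFIG = """\
access-list 111 permit ip 172.16.3.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 112 permit ip 172.16.3.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list no_nat permit ip 172.16.3.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat permit ip 172.16.3.0 255.255.255.0 10.10.0.0 255.255.0.0
ip address inside 172.16.3.254 255.255.255.0
ip local pool IPPOOLS 172.16.3.11-172.16.3.20
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.3.0 255.255.255.0 0 0
crypto map lonmap 10 match address 111
crypto map lonmap 20 match address 112
"""

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
INSIDE_RE = re.compile(r"ip address inside (\S+) (\S+)$")
POOL_RE = re.compile(r"ip local pool (\S+) (\S+)-(\S+)$")
NAT0_RE = re.compile(r"nat \(\S+\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"crypto map \S+ \d+ match address (\S+)$")


def net(addr, mask):
    """Build a network from PIX 'address mask' notation (dotted mask, not prefix)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix(text):
    cfg = {"acls": {}, "pools": {}, "inside": None, "nat0": None, "match_acls": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            cfg["acls"].setdefault(name, []).append((net(sa, sm), net(da, dm)))
        elif m := INSIDE_RE.match(line):
            cfg["inside"] = net(*m.groups())
        elif m := POOL_RE.match(line):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                        ipaddress.ip_address(m.group(3)))
        elif m := NAT0_RE.match(line):
            cfg["nat0"] = m.group(1)
        elif m := MATCH_RE.match(line):
            cfg["match_acls"].append(m.group(1))
    return cfg


def lint(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_pix(text)
    out = []
    inside = cfg["inside"]
    for name, (lo, hi) in cfg["pools"].items():
        if inside is not None and (lo in inside or hi in inside):
            out.append(f"pool {name} {lo}-{hi} overlaps the inside subnet {inside}")
    nat0 = cfg["acls"].get(cfg["nat0"])
    if cfg["nat0"] and nat0 is None:
        out.append(f"nat 0 references access-list '{cfg['nat0']}', which is not defined")
    nat0 = nat0 or []
    # Every site-to-site crypto ACL entry must be covered by some nat 0 entry,
    # otherwise the traffic is NATed before the crypto map gets to see it.
    for acl in cfg["match_acls"]:
        for src, dst in cfg["acls"].get(acl, []):
            if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in nat0):
                out.append(f"acl {acl} entry {src} -> {dst} is not exempted from NAT")
    # Traffic from the LAN back to the client pool must be exempt as well.
    for name, (lo, hi) in cfg["pools"].items():
        if not any(lo in d and hi in d for _, d in nat0):
            out.append(f"no nat 0 entry covers client pool {name}")
    return out


def merged_nat0_acl(text, pool_net, name="VPNs"):
    """PIX lines for one ACL: the site-to-site entries plus LAN -> pool entries."""
    cfg = parse_pix(text)
    entries = []
    for acl in cfg["match_acls"]:
        entries.extend(cfg["acls"].get(acl, []))
    # Clients need the local LAN and each remote LAN, so pair each with the pool.
    lans = [cfg["inside"]] + [dst for _, dst in entries]
    entries.extend((lan, pool_net) for lan in lans if lan is not None)
    lines = []
    for src, dst in dict.fromkeys(entries):  # dedupe while keeping order
        lines.append(f"access-list {name} permit ip {src.network_address} {src.netmask} "
                     f"{dst.network_address} {dst.netmask}")
    return lines


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("\n".join(merged_nat0_acl(SAMPLE_CONFIG, net("172.16.4.0", "255.255.255.224"))))
```

Run against the posted config it reports five findings: the pool overlapping 172.16.3.0/24, the undefined "nonat" ACL, both site-to-site entries unexempted (because the nat 0 ACL does not exist), and no entry covering the pool. Move the pool, point nat 0 at the generated VPNs ACL, and the findings go away; the remote PIXes still need the mirror-image entries for the pool on their side, as the reply says.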

-----Original Message-----
From: Steven shinnick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 03, 2003 10:56 PM
To: Daniel Cotts; [EMAIL PROTECTED]
Subject: RE: VPN client can connect but no traffic can pass [7:70084]


Hey...  Attached is my full config.  I think I have to specify an access
list to make No NAT for my IPPOOLS traffic, right?  For example I specified
"ip local pool IPPOOLS 172.16.3.11-172.16.3.20" which is the same network as my
local LAN, then I got to specify the following access list to make "No NAT"
for the IPSec traffic, right?  But I am curious to see many examples on the
web where they specify IPPOOLS which is not the same network as the local
LAN.  Why? Can it connect if IPPOOLS is not the same subnet as the LAN?

access-list no_nat permit ip 172.16.3.0 255.255.255.0 172.16.3.0 255.255.0.0

 
BUT...  I have another more serious issue.  After I added in the config for
the remote VPN,  my PIX-PIX VPN to my HK and Tokyo PIX will HANG after some
time and it doesn't happen immediately (after 8-9 hours).  Can you see my
following config about what's wrong?  
 
LONPIX# wr term
Building configuration...
: Saved
:
PIX Version 6.0
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname LONPIX
domain-name xxx.co.uk
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 70.7.75.150 HKpix
name 20.2.25.150 tokpix
access-list 111 permit ip 172.16.3.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 112 permit ip 172.16.3.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list no_nat permit ip 172.16.3.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat permit ip 172.16.3.0 255.255.255.0 10.10.0.0 255.255.0.0
no pager
logging on
logging buffered errors
logging trap errors
logging history errors
logging facility 18
logging host inside 172.16.3.101
no logging message 400010
interface ethernet0 100basetx
interface ethernet1 100basetx
mtu outside 1500
mtu inside 1500
ip address outside 103.103.130.130 255.255.255.240
ip address inside 172.16.3.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool IPPOOLS 172.16.3.11-172.16.3.20
pdm history enable
arp timeout 14400
global (outside) 1 103.103.103.131
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.3.0 255.255.255.0 0 0
conduit permit icmp any any 
route outside 0.0.0.0 0.0.0.0 103.103.103.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local
aaa-server RS protocol radius
aaa-server RS (inside) host 172.16.3.101 RSKEY timeout 5
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set lonset esp-des esp-md5-hmac 
crypto dynamic-map outside_dyn 30 set transform-set lonset
crypto map lonmap 10 ipsec-isakmp
crypto map lonmap 10 match address 111
crypto map lonmap 10 set peer hkpix
crypto map lonmap 10 set transform-set lonset
crypto map lonmap 20 ipsec-isakmp
crypto map lonmap 20 match address 112
crypto map lonmap 20 set peer tokpix
crypto map lonmap 20 set transform-set lonset
crypto map lonmap 30 ipsec-isakmp dynamic outside_dyn
crypto map lonmap interface outside
crypto map lonmap client authentication RS
isakmp enable outside
isakmp key ******** address hkpix netmask 255.255.255.255 
isakmp key ******** address tokpix netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup GROUP address-pool IPPOOLS
vpngroup GROUP dns-server 172.16.3.101
vpngroup GROUP wins-server 172.16.3.101
vpngroup GROUP default-domain company.com
vpngroup GROUP idle-time 1000
vpngroup GROUP password ********
telnet 172.16.3.0 255.255.255.0 inside
telnet timeout 60
ssh 172.16.3.0 255.255.255.0 inside
ssh timeout 60
username pix password xxxxxxx encrypted privilege 2
username user1 password xxxxxxxx encrypted privilege 2
terminal width 100
Cryptochecksum:xxxxxxxxxxxxxxxxxxx
: end
[OK]
 

Daniel Cotts  wrote: 

It helps for us to see your sanitized config.
I'll guess and suggest that you check for an access-list specifying what
resources your pool addresses can reach. You will then need to reference
that access-list in a nat 0 command.

You can only have one nat 0 line pointing to an access-list. If you have
several access-lists that don't need to be NATed then you have to create
another that concatenates everything in all acls = MONGO_ACL. Then use the
MONGO_ACL in your nat 0 statement.

If you later remove and modify the acl it will also remove a line from your
vpn config. I forget which one - but the result will be no traffic will
traverse the PIX. So keep copies of your configs. 

> -----Original Message-----
> From: Steven shinnick [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 03, 2003 1:04 PM
> To: [EMAIL PROTECTED]
> Subject: VPN client can connect but no traffic can pass [7:70084]
> 
> 
> I had installed a VPN client in home PC to connect to PIX in my company. It
> can connect and get authenticated and login. But I can't ping and talk to
> any PCs in my company. why?? I specify the IPPOOLS in my PIX config. It
> means my VPN client will get these IP right? But how about subnet mask? How
> do PIX know what subnet mask to give?
> 
> ip local pool IPPOOLS 10.1.1.241-100.1.1.250
> 
> 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70138&t=70084
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]