Hello Everybody,

Sorry for coming to the list with a problem. I am trying to set up VPN PIX1-to-PIX2 and PIX1-to-remote users (Cisco Secure VPN Client 1.1). PIX to PIX works fine, but I am having a problem with the Cisco Secure Client getting into the network behind the PIX. The Secure Client establishes an SA with the PIX, but I can't ping anything behind it. I think I am doing something wrong with the config but can't figure out what it is. Can somebody check these configs and tell me where I am going wrong?

Here are my configs.

Cisco PIX 1 (VPN-related configs only)

access-list acl_out permit icmp any any
access-list 110 permit ip 192.168.172.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list 100 permit ip 192.168.172.0 255.255.255.0 10.1.0.0 255.255.255.0
ip address outside XX.XX.XX.XX 255.255.255.0
ip address inside 192.168.172.1 255.255.255.0
ip local pool vpnpool 192.168.172.200-192.168.172.225
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 192.168.172.0 255.255.255.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set standard esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set standard
crypto map peer_map 10 ipsec-isakmp
crypto map peer_map 10 match address 110
crypto map peer_map 10 set peer xx.xx.xx.xx
crypto map peer_map 10 set transform-set standard
crypto map peer_map 5 ipsec-isakmp dynamic dynmap
crypto map peer_map client configuration address initiate
crypto map peer_map client configuration address respond
crypto map peer_map interface outside
isakmp enable outside
isakmp key xxxxxx address xx.xx.xx.xx netmask 255.255.255.255 no-config-mode
isakmp key xxxxxxxx address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local vpnpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600

Cisco Secure Client 1.1

Connection 1: Secure
Remote Party Identity:
  ID Type: IP Subnet
  Subnet: 192.168.172.0
  Mask: 255.255.255.0
  Protocol: All
Gateway: PIX IP address
Phase1: Pre-shared Key, 3DES, MD5, DH Group1
Phase2: 3DES, MD5, Tunnel
Other Connections: Non Secure

I am hoping this Secure Client 1.1 config is correct. Does this do split tunnel, allowing all connections except 192.168.172.0 to go to the internet without going to the PIX?

Can I use Cisco's new Unified Client with the PIX without using an authentication server along with the PIX?

Thanks in advance,
john

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=15206&t=15206