I am trying to get clients running Cisco VPN software to connect to my internal network. Currently the clients can connect and authenticate OK but can't see anything on the inside network. I can not ping the client from the 515. Here are the relevant config bits. I can not enable "sysopt connection permit-ipsec" because of other VPN connections I need to control traffic on. Any ideas?
Thanks,
--AJ
PIX Version 6.3(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_out_test permit icmp any any echo-reply
access-list acl_out_test permit icmp any any time-exceeded
access-list acl_out_test permit icmp any any unreachable
access-list acl_out_test permit icmp any any
access-list acl_out_test permit ip 10.0.18.0 255.255.255.0 host 10.0.0.212
access-list acl_out_test permit ip host 10.0.0.212 10.0.18.0 255.255.255.0
access-list VPNs permit ip 10.18.0.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list VPNs permit ip 10.0.0.0 255.255.0.0 10.18.0.0 255.255.255.0
access-list VPNs permit ip 10.0.101.0 255.255.255.240 host 10.200.2.91
access-list VPNs permit ip 10.0.98.0 255.255.255.240 host 10.200.2.91
ip address outside xx.xx.xx.253 255.255.255.224
ip address inside 10.0.255.240 255.255.0.0
ip local pool VPNPOOL 10.18.0.1-10.18.0.20 mask 255.255.255.0
global (outside) 1 xx.xx.xx.227
nat (inside) 0 access-list VPNs
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xx.xx.225 10.0.0.208 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.226 10.0.0.210 netmask 255.255.255.255 0 0
access-group acl_out_test in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.254 1
route inside 10.1.1.0 255.255.255.0 10.0.255.240 1
route inside 10.32.1.0 255.255.255.0 10.0.255.240 1
crypto ipsec transform-set VPNset esp-3des esp-md5-hmac
crypto dynamic-map cVPNdymap 10 set transform-set VPNset
crypto map VPNcrypto 10 ipsec-isakmp
crypto map VPNcrypto 10 match address VPNs
crypto map VPNcrypto 10 set peer xxx.xxx.xxx.251
crypto map VPNcrypto 10 set transform-set VPNset
crypto map VPNcrypto 65530 ipsec-isakmp dynamic cVPNdymap
crypto map VPNcrypto client authentication partnerauth
crypto map VPNcrypto interface outside
isakmp enable outside
isakmp key **************** address xxx.xxx.xxx.251 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 600 authentication pre-share
isakmp policy 600 encryption 3des
isakmp policy 600 hash md5
isakmp policy 600 group 2
isakmp policy 600 lifetime 86400
vpngroup TESTVPN address-pool VPNPOOL
vpngroup TESTVPN dns-server 10.0.0.202 10.0.0.212
vpngroup TESTVPN wins-server 10.0.0.202 10.0.0.212
vpngroup TESTVPN default-domain testdom.com
vpngroup TESTVPN idle-time 1800
vpngroup TESTVPN password *********************
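An added check (example code, not part of AJ's post): on PIX 6.x without sysopt connection permit-ipsec, decrypted VPN client traffic still has to pass the access-list applied to the outside interface, and the inside hosts' replies must be NAT-exempt via the nat 0 access-list. The script below parses the ACL and pool lines quoted above (embedded as a constructed excerpt, assuming the rest of the config adds no further permits for the pool) and reports, per pool address, whether acl_out_test permits ip and icmp from it to 10.0.0.212 and whether the VPNs access-list covers 10.0.0.212 back to it.

```python
import ipaddress
import re

# Constructed excerpt: the ACL and pool lines quoted in the post (assumption: no other lines add pool permits).
PIX_CONFIG = """
access-list acl_out_test permit icmp any any echo-reply
access-list acl_out_test permit icmp any any
access-list acl_out_test permit ip 10.0.18.0 255.255.255.0 host 10.0.0.212
access-list acl_out_test permit ip host 10.0.0.212 10.0.18.0 255.255.255.0
access-list VPNs permit ip 10.18.0.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list VPNs permit ip 10.0.0.0 255.255.0.0 10.18.0.0 255.255.255.0
ip local pool VPNPOOL 10.18.0.1-10.18.0.20 mask 255.255.255.0
"""

def parse_acl(config, name):
    """Return (proto, src_net, dst_net) for each permit line of a PIX 6.x ACL."""
    entries = []
    for m in re.finditer(rf"^access-list {name} permit (\S+) (.*)$", config, re.M):
        proto, toks, nets = m.group(1), m.group(2).split(), []
        while toks and len(nets) < 2:      # src then dst; a trailing icmp type is ignored
            tok = toks.pop(0)
            if tok == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
            elif tok == "host":
                nets.append(ipaddress.ip_network(toks.pop(0) + "/32"))
            else:                          # "<network> <dotted mask>"
                nets.append(ipaddress.ip_network(tok + "/" + toks.pop(0)))
        entries.append((proto, nets[0], nets[1]))
    return entries

def pool_range(config):
    m = re.search(r"ip local pool \S+ (\S+)-(\S+)", config)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def permits(entries, proto, src, dst):
    """True if an entry for proto (or for ip) covers src -> dst."""
    return any(p in (proto, "ip") and src in s and dst in d for p, s, d in entries)

def check_client_access(config, acl_out, acl_nat0, inside_host):
    """Per pool address: pool->host on the outside ACL (ip, icmp) and host->pool in the nat 0 ACL."""
    lo, hi = pool_range(config)
    out, nat0 = parse_acl(config, acl_out), parse_acl(config, acl_nat0)
    host, report = ipaddress.ip_address(inside_host), {}
    for n in range(int(lo), int(hi) + 1):
        ip = ipaddress.ip_address(n)
        report[str(ip)] = {"outside_ip": permits(out, "ip", ip, host),
                           "outside_icmp": permits(out, "icmp", ip, host),
                           "nat0_exempt": permits(nat0, "ip", host, ip)}
    return report
```

Call check_client_access(PIX_CONFIG, "acl_out_test", "VPNs", "10.0.0.212") and look at any pool address whose flags are not all True; the same three checks can be re-run against the full config once the pool, outside ACL and nat 0 ACL names are substituted.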