Take a look at this Configuring Cisco Secure PIX and VPN Client Doc:
formatting link
The only command you need to add that is not in the document is:
isakmp nat-traversal
Perhaps you can post the config?
If you have a split tunneling problem:
The idea of split tunneling is that you use an ACL to define what should go down the VPN, then everything else goes onto the internet unencrypted.
So using "permit ip any any" as the split tunnel ACL is rather defeating the point of it.
It is more usual for it to be "permit ip [vpn_user_subnet] [office_subnets]".
Those that can help you can't be sure without seeing the CLI config.
With a nat-traversal problem, a user can connect and send traffic down the tunnel, but gets nothing back when the PIX drops it because the user peer IP does not match the IP in the packet header.
------------------------
How to Configure the Cisco VPN Client to PIX with AES:
formatting link
Configuring VPN Client:
formatting link
------------------------
Sample code for configuring Remote VPN Access on a PIX:

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (inside) 0 access-list 101

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

isakmp identity address
isakmp nat-traversal 20

crypto ipsec transform-set vpnset esp-3des esp-md5-hmac

ip local pool ippool 10.1.1.11-10.1.1.21

vpngroup vpnclient address-pool ippool
vpngroup vpnclient idle-time 1800
vpngroup vpnclient dns-server 139.130.4.4
vpngroup vpnclient password cisco456
vpngroup vpnclient split-tunnel 120

crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map remote_vpn 20 ipsec-isakmp dynamic dynmap

username cisco password cisco123

aaa-server LOCAL protocol local
crypto map remote_vpn client authentication LOCAL
crypto map remote_vpn client configuration address initiate
crypto map remote_vpn client configuration address respond

Regarding the VPN Client, simply install it by following the instructions on screen, then click "New":

"connection entry": a name for your reference
"host": public IP of the PIX 501
"name": vpnclient
"password": cisco456

To initiate a tunnel, double click the entry you just created.
It will then prompt you for an individual username and password (it's cisco and cisco123).
------------------------
Sincerely,
Brad Reese Cisco Product Quick Reference Guides, CPQRG
formatting link
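
An added example, not part of the original post: a small Python check that reads a PIX configuration and reports the two problems described above, a split-tunnel ACL that is "permit ip any any" and a missing isakmp nat-traversal command. The function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample config (not from the post): split-tunnel ACL 120 is
# "permit ip any any" and isakmp nat-traversal is absent.
SAMPLE_BAD = """\
access-list 120 permit ip any any
isakmp policy 10 authentication pre-share
vpngroup vpnclient address-pool ippool
vpngroup vpnclient split-tunnel 120
"""

ACE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(.+)$")
SPLIT = re.compile(r"^vpngroup\s+(\S+)\s+split-tunnel\s+(\S+)$")


def _endpoints(rest):
    """Split the tail of an ACE into [source, destination] token lists."""
    tokens, ends = rest.split(), []
    while tokens and len(ends) < 2:
        # "any" is one token; "host A.B.C.D" and "network mask" are two.
        take = 1 if tokens[0] == "any" else 2
        ends.append(tokens[:take])
        tokens = tokens[take:]
    return ends


def _is_any(end):
    return end == ["any"] or end == ["0.0.0.0", "0.0.0.0"]


def audit(config):
    """Return findings for the two problems the post describes."""
    acls, groups, nat_t = {}, {}, False
    for line in (raw.strip() for raw in config.splitlines()):
        if m := ACE.match(line):
            acls.setdefault(m.group(1), []).append(_endpoints(m.group(2)))
        elif m := SPLIT.match(line):
            groups[m.group(1)] = m.group(2)
        elif line.startswith("isakmp nat-traversal"):
            nat_t = True
    findings = []
    for group, acl in sorted(groups.items()):
        if acl not in acls:
            findings.append(f"{group}: split-tunnel ACL {acl} is not defined")
        elif any(len(e) == 2 and all(map(_is_any, e)) for e in acls[acl]):
            findings.append(f"{group}: split-tunnel ACL {acl} permits ip any any")
    if groups and not nat_t:
        findings.append("isakmp nat-traversal is not configured")
    return findings
```

Calling audit() on the text of a saved configuration returns an empty list when neither problem is present.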