Can connect to PIX 501 with VPN client and ping internal addresses but some issues

Discussion in 'Cisco' started by mgferg, Oct 28, 2008.

  1. mgferg


    Oct 28, 2008
    Likes Received:
    Internet---x.x.x.x---ADSL--<----> (

    I have to use the ADSL with NAT (and not bridge) as provider does not
    support PPPoE only PPPoA
    I can connect with Cisco VPN client 4.0.3(C)
    I can ping/telnet to any address on network
    What I can't do is map a drive to any of the other XP hosts on the network
    I also get the following occurring within the log "No route to from"

    Main parts of the config are posted below.

    1. Why the error "No route to from" ?

    2. Although I can remote desktop, I tried to mount a network drive to another XP box which failed.

    Log shows:
    UDP request discarded from to inside:

    So is there something we need to do to get all traffic to access anything on (and vice versa)

    3. Are the following required in order to get to the network once connected via VPN using pool ?
    (tried lots to get things to work and not sure if this is required or not, but main functionality is finally working and posting this via vpn)

    access-list outside_crypto permit ip any
    crypto dynamic-map dynmap 10 match address outside_crypto

    4. Any glaring problems/things that should be changed/removed?

    5. Above is the main requirement. I also have an issue getting "no
    translation group found" when trying to connect via Putty to (Dune) using SSH tunnel on port 443.
    ADSL modem has NAT/PAT set to forward to (Dune) incoming
    443 outgoing 443

    tried various options and currently:
    access-list outside_access_in permit ip any host Dune
    static (inside,outside) tcp interface https Dune https netmask 0 0

    What do I need to do for this to work/remove the "no translation group found" issue?
    (I don't have immediate access now, so may post a seperate query on this if there's no "simple" answer.


    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100


    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    name Dune

    access-list outside_access_in permit ip
    interface inside log
    access-list outside_access_in permit ip any host Dune
    access-list outside_access_in permit tcp any interface outside eq https
    access-list 101 permit ip
    access-list outside_crypto permit ip any

    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside
    ip address inside

    ip local pool ippool mask

    pdm location Dune inside
    pdm location inside
    pdm location outside
    pdm location outside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 0 0
    static (inside,outside) tcp interface https Dune https netmask 0 0
    access-group outside_access_in in interface outside
    rip inside default version 2
    route outside 1

    management-access insidetelnet insidehttp inside
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 match address outside_crypto
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup vpn3000 address-pool ippool
    vpngroup vpn3000 dns-server
    vpngroup vpn3000 wins-server
    vpngroup vpn3000 default-domain
    vpngroup vpn3000 idle-time 1800
    vpngroup vpn3000 password ********
    telnet inside
    telnet timeout 60
    ssh timeout 5
    console timeout 0
    dhcpd address inside
    dhcpd dns
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    mgferg, Oct 28, 2008
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.