Hi gents, I have a problem with my PIX. It has VPN tunnels configured, and I'm trying to configure a VPN client. I've done this on other PIXes without any problem, but it seems I forgot something and here it doesn't work. I created a VPN pool for the VPN group, then I put the address of the pool in my NAT access-list and created an access-list for the VPN group so it can access my network. I had some problems with isakmp because I don't have 3DES encryption; is it really necessary? Please take a look at my config because I've been fighting with this for 3 days and I'm starting to lose my nerve. Thanks and regards.

isakmp policy 21 is superceded by identical policy 20

: Saved
:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ZlGq2vBPmW8hXSpI encrypted
passwd ZlGq2vBPmW8hXSpI encrypted
hostname pixvalencia
domain-name valdisme.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat_acl permit ip any 172.16.1.0 255.255.255.0
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list remote_castellon_acl permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list remote_castellon_acl permit icmp 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list remote_alicante_acl permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list remote_alicante_acl permit icmp 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list remote_benidorm_acl permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list remote_benidorm_acl permit icmp 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list remote_murcia_acl permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list remote_murcia_acl permit icmp 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list remote_madrid_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list remote_madrid_acl permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list tst_vpndecom_split_tunnel_acl permit ip 192.168.1.0 255.255.255.0 any
access-list red_interna permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging timestamp
logging trap debugging
logging host inside 192.168.1.26
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 10.200.100.253 255.255.0.0
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpndecom_pool 172.16.1.1
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 192.168.20.0 255.255.255.0 inside
pdm location 10.200.0.0 255.255.0.0 inside
pdm location 192.168.1.50 255.255.255.255 inside
pdm location 192.168.20.20 255.255.255.255 intf2
pdm location 192.168.5.0 255.255.255.0 outside
pdm location 80.38.105.29 255.255.255.255 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location 192.168.4.0 255.255.255.0 outside
pdm location 192.168.6.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 intf2
pdm location 192.168.3.0 255.255.255.0 intf2
pdm location 192.168.4.0 255.255.255.0 intf2
pdm location 192.168.5.0 255.255.255.0 intf2
pdm location 192.168.6.0 255.255.255.0 intf2
pdm location 192.168.1.26 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (intf2) 1 interface
nat (inside) 0 access-list nonat_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.200.100.250 1
route outside 80.38.105.29 255.255.255.255 10.200.100.190 1
timeout xlate 3:00:00
timeout conn 2:00:00 half-closed 0:10:00 udp 2:00:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 2:00:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.200.0.0 255.255.0.0 outside
http 192.168.1.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 intf2
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address remote_castellon_acl
crypto map newmap 10 set peer 10.201.100.253
crypto map newmap 10 set transform-set myset
crypto map newmap 11 ipsec-isakmp
crypto map newmap 11 match address remote_alicante_acl
crypto map newmap 11 set peer 10.202.100.253
crypto map newmap 11 set transform-set myset
crypto map newmap 12 ipsec-isakmp
crypto map newmap 12 match address remote_benidorm_acl
crypto map newmap 12 set peer 10.205.100.253
crypto map newmap 12 set transform-set myset
crypto map newmap 13 ipsec-isakmp
crypto map newmap 13 match address remote_murcia_acl
crypto map newmap 13 set peer 10.203.100.253
crypto map newmap 13 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address remote_madrid_acl
crypto map newmap 20 set peer 80.38.105.29
crypto map newmap 20 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 80.38.105.29 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.201.100.253 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.203.100.253 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.202.100.253 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.205.100.253 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup vpndecom address-pool vpndecom_pool
vpngroup vpndecom dns-server 192.168.1.15
vpngroup vpndecom default-domain decom.es
vpngroup vpndecom split-tunnel tst_vpndecom_split_tunnel_acl
vpngroup vpndecom idle-time 1800
vpngroup vpndecom password ********
telnet timeout 5
ssh 10.200.0.0 255.255.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 intf2
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.100-192.168.1.250 inside
dhcpd dns 192.168.1.15 192.168.1.16
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcpd domain valdisme.net
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:85a4d85fae585f6cc1d481ec8e15524b
: end
pixvalencia(config)#
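
A configuration check for a dump like the one above, as an added example that is not part of the original post: it lists crypto maps that are defined but never bound to an interface, and the ISAKMP and IPsec settings that use single DES, MD5 or DH group 1. The names `audit` and `SAMPLE` are assumptions made for the example, and `SAMPLE` is an excerpt copied from the posted configuration.

```python
# Added example: audit() and SAMPLE are illustrative names, not Cisco tooling.
# SAMPLE is an excerpt copied from the configuration in the post above.
SAMPLE = """\
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 set peer 10.201.100.253
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
"""

# Settings treated as weak by this check: single DES, MD5, DH group 1.
WEAK_ISAKMP = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac"}

def audit(config):
    """Return unbound crypto maps, interface bindings and weak crypto settings."""
    defined, bound, findings = set(), {}, []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["crypto", "map"] and len(tok) >= 4:
            if tok[3] == "interface" and len(tok) >= 5:
                bound[tok[2]] = tok[4]      # crypto map <name> interface <if>
            else:
                defined.add(tok[2])         # crypto map <name> <seq> ...
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            findings += [f"transform-set {tok[3]}: {t}"
                         for t in tok[4:] if t in WEAK_TRANSFORMS]
        elif tok[:2] == ["isakmp", "policy"] and len(tok) == 5:
            if tok[4] in WEAK_ISAKMP.get(tok[3], ()):
                findings.append(f"isakmp policy {tok[2]}: {tok[3]} {tok[4]}")
    return {"unbound_maps": sorted(defined - set(bound)),
            "bound": bound, "findings": findings}

if __name__ == "__main__":
    result = audit(SAMPLE)
    print("bound to an interface:", result["bound"])
    print("defined but not bound:", result["unbound_maps"])
    for finding in result["findings"]:
        print("weak setting:", finding)
```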