
PIX Firewall not passing traffic

Regular Advisor


Clients (Cisco VPN software) are able to establish a connection to the PIX (501 Version 6.3), but no traffic is passing from the client to the LAN behind the PIX or vice versa.

Parts of the running-config are listed below:

access-list inside_outbound_nat0_acl permit ip
access-list outside_cryptomap_dyn_20 permit ip any

ip local pool RemoteWorkers

global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp identity address
isakmp nat-traversal 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup TBCRemote address-pool RemoteWorkers
vpngroup TBCRemote dns-server
vpngroup TBCRemote wins-server
vpngroup TBCRemote default-domain corp.theboutetcompany.com
vpngroup TBCRemote idle-time 1800
vpngroup TBCRemote password ***********

Using the debug packet command, I can see encrypted packets are getting from the client to the PIX.

The Cisco client VPN software has a section for route details it receives from the PIX, but it does not seem to receive any routing information.

The LAN behind the PIX is while the VPN clients get IP’s on the network.

The problem seems to be routing traffic from one network to the other…

Any suggestions?

Jay Mia
Occasional Visitor

Re: PIX Firewall not passing traffic


You need to take out the following from your pix config:

> isakmp enable inside

Let me know if this helps.

Jay Mia
Network Security Engineer.
Regular Advisor

Re: PIX Firewall not passing traffic


I will go ahead and try your solution out this morning. I'll let you know if it solves my problem.

Regular Advisor

Re: PIX Firewall not passing traffic


I took the line out, but it is still displaying the same symptoms.

Show route displays the following

outside 1 DHCP static

outside 1 CONNECT static

inside 1 CONNECT static

I have added no routing information to the running config, is that the problem?

The Cisco VPN client software shows it is sending out its keep alive packets, but the client is not receiving anything.

Chip Barnett
Occasional Contributor

Re: PIX Firewall not passing traffic

Doug, what is the default gateway for the LAN behind the PIX? If it is not the PIX and there is a router or switch acting as the gateway there will need to be a route added for the VPN network ( pointing to the PIX inside address.
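
Added example, not part of the thread: a small Python check of the return path described in the reply above, testing whether a LAN host's replies to VPN pool addresses are handed back to the PIX inside interface. All addresses and route tables are constructed samples (the thread's own addresses are not shown), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values; the thread does not show the real addresses.
PIX_INSIDE = "192.168.1.1"      # PIX inside interface
LAN_ROUTER = "192.168.1.254"    # separate router acting as LAN default gateway
VPN_POOL = "192.168.50.0/24"    # addresses handed to VPN clients

ROUTES_BEFORE = [("0.0.0.0/0", "203.0.113.1")]            # default route only
ROUTES_AFTER = ROUTES_BEFORE + [(VPN_POOL, PIX_INSIDE)]   # route for the pool added
ROUTES_PARTIAL = ROUTES_BEFORE + [("192.168.50.0/25", PIX_INSIDE)]  # half the pool


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def replies_reach_pix(host_gateway, pix_inside, vpn_pool, gateway_routes):
    """True if replies to every VPN pool address end up at the PIX inside address."""
    if host_gateway == pix_inside:
        # Hosts already send everything to the PIX; no extra route is needed.
        return True
    # Otherwise the gateway must forward the whole pool to the PIX.
    # Client pools are small, so checking each address is cheap.
    pool = ipaddress.ip_network(vpn_pool)
    return all(next_hop(gateway_routes, str(a)) == pix_inside for a in pool)


if __name__ == "__main__":
    for name, routes in [("before", ROUTES_BEFORE), ("after", ROUTES_AFTER),
                         ("partial", ROUTES_PARTIAL)]:
        ok = replies_reach_pix(LAN_ROUTER, PIX_INSIDE, VPN_POOL, routes)
        print(f"{name}: replies reach PIX = {ok}")
```
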
Regular Advisor

Re: PIX Firewall not passing traffic


The default gateway is

Regular Advisor

Re: PIX Firewall not passing traffic



The RemoteWorkers ip pool has been modified to look like:

ip local pool RemoteWorkers mask

All clients behind the PIX use a default gateway of (the PIX inside address). The VPN client gets its own ip as the default gateway? This seems incorrect, but how do you change it?

Example from VPN client after a VPN connection established:

IP Address. . . . . . . . . . . . :

Subnet Mask . . . . . . . . . . . :

Default Gateway . . . . . . . . . :

When viewing the Statistics (Tunnel Details tab):


Received: 0

Sent: Always growing


Encrypted: Always growing

Decrypted: 0

Discarded: Always growing

Bypassed: 0


Transparent Tunneling: Inactive

I hope this helps clarify what is going on.