dalew430 (TechnicalUser)
18 Aug 09 17:20
I recently inherited a Cisco PIX 515E. We were asked to set up a VPN (VPN client to VPN router). We ran the VPN wizard through the PDM. Although we can connect to the router, we are unable to ping or connect to any of the internal devices. We've tried several different configurations, but nothing has worked. I'm hoping someone here can assist. Here's our configuration:
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security75
enable password lk5vg.q15BP/KLvf encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname xxxxxx
domain-name xxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 10021-10024
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol smtp 587
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.x.10 xxxxxxxxerit
name 65.167.x.2 xxxxxX01
name 10.251.x.1 xxxxxxver
name 161.xxx.x.122 xxxxxxxx
name 161.xxx.1.120 xxxxxxxall
name 170.xxx.xx.149 xxxxx_com
name 170.xxx.xx.80 xxxxx_com
name 170.xxx.xx.251 xxxxxx_com
name 170.xxx.xx.79 xxxxxxcom
name 67.78.xx.1xx xxx
name 65.xxx.7.xxx xxxxxxxxx
name 192.168.0.0 VPN
name 10.251.0.0 VPNusers
object-group service HTTP_HTTPS tcp
  port-object eq www
  port-object eq https
object-group service CPANEL tcp
  description cpane required ports http/https (cpanel/webmail)
  port-object range 2083 2083
  port-object range 2082 2082
  port-object range 2086 2086
  port-object range 2093 2093
  port-object range 2092 2092
  port-object range 2096 2096
  port-object range 2095 2095
object-group service xxxxxxxx tcp
  description xxxxxxxxx FTP FILE TRANSFER PORTS
  port-object range 10021 10025
object-group network FTPT_xxx_xxx
  network-object FTPT_xxxx_com 255.255.255.255
  network-object FTPST_xxxx_com 255.255.255.255
  network-object FTPB_xxxx_com 255.255.255.255
  network-object FTPB2_xxxxx_com 255.255.255.255
object-group service FTP_xxxx_TCP tcp
  port-object eq 20021
  port-object range 21000 21400
object-group service IMAP tcp
  description IMAP email inbound
  port-object range 993 993
object-group service VPN udp
  port-object range www 25000
access-list inside_access_in permit tcp VPNusers 255.255.0.0 any object-group HTTP_HTTPS
access-list inside_access_in remark Allow temp RDP TO xxxxxxx IP / remove
access-list inside_access_in permit tcp VPNusers 255.255.0.0 host xxxxxxx eq 3389
access-list inside_access_in remark Allow temp RDP TO xxxxxxx IP / remove
access-list inside_access_in remark Allow temp RDP TO xxxxxx IP / remove
access-list inside_access_in deny ip VPNusers 255.255.0.0 192.168.251.0 255.255.255.0
access-list inside_access_in permit tcp VPNusers 255.255.0.0 any eq pop3
access-list inside_access_in permit tcp any any object-group IMAP
access-list inside_access_in remark xxxxxxx ftp file transfer
access-list inside_access_in permit tcp VPNusers 255.255.0.0 xxxxxxx 255.255.255.252
access-list inside_access_in permit tcp VPNusers 255.255.0.0 any eq smtp
access-list inside_access_in permit tcp VPNusers 255.255.0.0 any eq citrix-ica
access-list inside_access_in permit tcp VPNusers 255.255.0.0 any eq 1863
access-list inside_access_in permit udp VPNusers 255.255.0.0 any eq domain
access-list inside_access_in permit tcp VPNusers 255.255.0.0 any eq ftp
access-list inside_access_in permit tcp VPNusers 255.255.0.0 any object-group CPANEL
access-list inside_access_in remark aol/aim
access-list inside_access_in permit tcp VPNusers 255.255.0.0 any eq aol
access-list inside_access_in remark mstsc
access-list inside_access_in permit tcp VPNusers 255.255.0.0 any eq 3389
access-list inside_access_in permit tcp VPNusers 255.255.0.0 object-group FTP_xxxxxx object-group FTP_xxxxxxxx_TCP
access-list inside_access_in remark xxxxxxx VPN Client
access-list inside_access_in permit udp any eq isakmp host xxxxxxx eq isakmp
access-list inside_access_in remark xxxxxxxx VPN Client
access-list inside_access_in permit tcp any host xxxxxxxxx
access-list inside_access_in remark xxxxxxxxx VPN Client
access-list inside_access_in permit udp any host xxxxxxx
access-list inside_access_in deny ip any any
access-list DMZ1_access_in remark Allow xxxxxx to have xxxxxx (xxxxrit) access
access-list DMZ1_access_in remark Allow xxxxxx to have web access
access-list DMZ1_access_in permit tcp host xxxxxxxxxx object-group HTTP_HTTPS host 10.251.10.250
access-list DMZ1_access_in permit tcp host xxxxxxxx host xxxxxxxxxxx eq 1433
access-list DMZ1_access_in deny ip any any
access-list outside_access_in remark
access-list outside_access_in permit tcp any interface outside object-group HTTP_HTTPS
access-list outside_access_in permit tcp host xxxxxxx interface outside eq 3389
access-list outside_access_in permit tcp host xxxx interface outside eq 3389
access-list outside_access_in deny ip any any
access-list inside_outbound_nat0_acl permit ip interface inside 10.251.1.70 255.255.255.254
access-list inside_outbound_nat0_acl permit ip any 10.251.10.96 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 10.251.10.96 255.255.255.224
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
ip address outside 67.xx.xx.171 255.255.255.248
ip address inside 10.251.10.250 255.255.0.0
ip address DMZ1 192.168.xxx.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNusers 10.251.10.100-10.251.10.120
pdm location xxxxxxxxx 255.255.255.255 inside
pdm location xxxxxxxxx 255.255.255.255 DMZ1
pdm location xxxxxxxx 255.255.255.255 outside
pdm location xxxxxxx 255.255.255.255 outside
pdm location xxxxxx 255.255.255.252 outside
pdm location FTPT_xxxxx_com 255.255.255.255 outside
pdm location FTPST_xxxxx_com 255.255.255.255 outside
pdm location FTPB_xxxxxx_com 255.255.255.255 outside
pdm location FTPB2_xxxxxxx_com 255.255.255.255 outside
pdm location xxx 255.255.255.255 outside
pdm location xxxxxxxx 255.255.255.255 outside
pdm location 10.251.1.64 255.255.255.240 outside
pdm location 10.251.1.70 255.255.255.254 outside
pdm location VPN 255.255.0.0 DMZ1
pdm location 10.251.10.120 255.255.255.254 outside
pdm location VPN 255.255.255.255 outside
pdm location VPNusers 255.255.255.255 outside
pdm group FTP_xxxxxxxxxx outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 10 0.0.0.0 0.0.0.0 0 0
static (DMZ1,outside) tcp interface https xxxxxxxxx https netmask 255.255.255.255 0 0
static (DMZ1,outside) tcp interface www xxxxxxxxx www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 xxxxxxxxxx 3389 netmask 255.255.255.255 0 0
static (inside,DMZ1) VPNusers VPNusers netmask 255.255.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ1_access_in in interface DMZ1
route outside 0.0.0.0 0.0.0.0 67.78.xx.169 1
route outside VPNusers 255.255.255.255 67.78.xx.169 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http xxxxxxxxxxx 255.255.255.255 inside
http VPNusers 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map_1 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map_1 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map_1
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup NMAC address-pool VPNusers
vpngroup NMAC dns-server xxxxxxxxxxx
vpngroup NMAC idle-time 1800
vpngroup NMAC password ********
telnet xxxxxxxx 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh VPNusers 255.255.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.xxx.11-192.168.xxx.11 DMZ1
dhcpd dns 65.32.1.70 65.32.1.80
dhcpd lease 3600
dhcpd ping_timeout 750
username xxxxxxxx password lk5vg.q15BP/KLvf encrypted privilege 15
username xxxxx password 6vQDUUFk/6pDzVpt encrypted privilege 15
terminal width 80
Cryptochecksum:34e2a566da34fea23e0fd2e2fd690cbc
: end
[OK]
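The checks a reviewer would run first against a "clients connect but reach nothing" PIX 6.3 remote-access setup, written as an added Python example (not the poster's tooling and not a Cisco utility). It parses a constructed excerpt of the configuration above: masked octets in the post are replaced with placeholder values, and the name object VPNusers is written out as the network it resolves to (10.251.0.0 255.255.0.0). It then asks four questions of the posted values: whether the ip local pool is exempted from NAT by the nat 0 access list, whether the dynamic crypto map's ACL matches the pool, whether the pool overlaps the inside interface's own subnet, and whether inside_access_in permits ICMP. The last check matters because PIX 6.3 does not track ICMP statefully, so an echo reply from an inside host is evaluated against the inside interface ACL on its way back to the VPN client.

```python
"""Static checks for a PIX 6.3 remote-access VPN configuration (added example).

CONFIG below is a constructed excerpt of the posted configuration, with masked
octets replaced by placeholders and the VPNusers name object expanded to
10.251.0.0 255.255.0.0. It is not a real device's running configuration.
"""
import ipaddress
import re

CONFIG = """
ip address inside 10.251.10.250 255.255.0.0
ip local pool VPNusers 10.251.10.100-10.251.10.120
access-list inside_outbound_nat0_acl permit ip interface inside 10.251.1.70 255.255.255.254
access-list inside_outbound_nat0_acl permit ip any 10.251.10.96 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 10.251.10.96 255.255.255.224
access-list inside_access_in permit tcp 10.251.0.0 255.255.0.0 any eq smtp
access-list inside_access_in permit udp 10.251.0.0 255.255.0.0 any eq domain
access-list inside_access_in deny ip any any
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
"""


def _lines(cfg):
    return [ln.strip() for ln in cfg.splitlines() if ln.strip()]


def interface_network(cfg, ifname):
    """Subnet configured on an interface, taken from its 'ip address A M' line."""
    for ln in _lines(cfg):
        m = re.match(r"ip address (\S+) (\S+) (\S+)$", ln)
        if m and m.group(1) == ifname:
            return ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
    raise ValueError(f"no ip address configured for interface {ifname}")


def local_pool(cfg, name):
    """(first, last) addresses of an 'ip local pool NAME first-last' line."""
    for ln in _lines(cfg):
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)$", ln)
        if m and m.group(1) == name:
            return ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
    raise ValueError(f"no local pool named {name}")


def _addr_spec(tokens, i):
    """Consume one PIX address spec at tokens[i]: any | host A | A M | interface IF.

    Returns (network or None, index of the next unconsumed token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "interface":          # interface address; not needed for destination checks
        return None, i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def acl_entries(cfg, acl):
    """Yield (action, protocol, destination network) for each non-remark ACE of an ACL."""
    for ln in _lines(cfg):
        m = re.match(r"access-list (\S+) (permit|deny) (\S+) (.+)$", ln)
        if m and m.group(1) == acl:
            rest = m.group(4).split()
            _, i = _addr_spec(rest, 0)    # source spec, skipped
            dst, _ = _addr_spec(rest, i)  # destination spec
            yield m.group(2), m.group(3), dst


def pool_covered_by(cfg, acl, first, last):
    """True if every address of the pool is a destination of some permit ACE in the ACL."""
    nets = [dst for act, _, dst in acl_entries(cfg, acl) if act == "permit" and dst is not None]
    return all(any(ipaddress.ip_address(a) in n for n in nets)
               for a in range(int(first), int(last) + 1))


def acl_permits_protocol(cfg, acl, proto):
    """True if the ACL has a permit ACE for the protocol, or for 'ip', which includes it."""
    return any(act == "permit" and p in (proto, "ip") for act, p, _ in acl_entries(cfg, acl))


def audit(cfg=CONFIG):
    """Run the four VPN reachability checks plus the sysopt check; returns name -> bool."""
    inside = interface_network(cfg, "inside")
    first, last = local_pool(cfg, "VPNusers")
    return {
        "pool_exempt_from_nat": pool_covered_by(cfg, "inside_outbound_nat0_acl", first, last),
        "pool_in_crypto_acl": pool_covered_by(cfg, "outside_cryptomap_dyn_20", first, last),
        "pool_overlaps_inside_subnet": first in inside or last in inside,
        "inside_acl_permits_icmp": acl_permits_protocol(cfg, "inside_access_in", "icmp"),
        "ipsec_bypasses_interface_acl": "sysopt connection permit-ipsec" in _lines(cfg),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check:30} {result}")
```

On the posted values the NAT exemption and crypto ACL both cover the pool (10.251.10.100-120 lies inside 10.251.10.96/27) and sysopt connection permit-ipsec is present, so the two findings left are the pool sitting inside the inside interface's 10.251.0.0/16 and the absence of any ICMP permit on inside_access_in; those are the points to examine first. The excerpt leaves out lines that a security review of the same configuration would flag separately from the connectivity question, namely the DES/MD5 transform sets and ISAKMP policy, snmp-server community public, and ssh 0.0.0.0 0.0.0.0 outside.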