Problem with VPN Client

Answered Question
Nov 28th, 2007

Hello everyone

Please give me some help with the following.

I'm trying to connect with a VPN Client which is behind a Checkpoint F/W to a Cisco PIX 515. Although the connection is established, I cannot access the internal network behind the PIX. I configured NAT-T on the PIX 515 and opened the appropriate TCP/UDP ports (500, 4500, 10000) on the Checkpoint, but I get the following error in the log file of the VPN Client:

Cisco Systems VPN Client Version 5.0.00.0340
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

45 16:15:56.593 11/27/07 Sev=Warning/2 CVPND/0xA3400011
Error -14 sending packet. Dst Addr: 0xFFFFFFFF, Src Addr: 0xC0A8003B (DRVIFACE:1201).

46 16:15:59.312 11/27/07 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

47 16:15:59.312 11/27/07 Sev=Warning/2 CM/0xA3100025
Unable to delete route. Network: c0a800ff, Netmask: ffffffff, Interface: a000096, Gateway: c0a8003b.

48 16:15:59.312 11/27/07 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

49 16:15:59.312 11/27/07 Sev=Warning/2 CM/0xA3100025
Unable to delete route. Network: c0a80000, Netmask: ffffff00, Interface: a000096, Gateway: c0a8003b.
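The VPN Client prints addresses in these entries as raw hex (with or without a 0x prefix), which makes them hard to read at a glance. The script below is an added example, not part of the original post or of the Cisco client: it pairs each numbered header line with the message that follows, decodes the hex fields to dotted quads, and maps the Win32 code 87 to its name (ERROR_INVALID_PARAMETER, from the Win32 documentation). The sample log is constructed from the five entries quoted above; decoding the Interface field the same way as the other fields is an assumption. Decoded, the route warnings turn out to concern the client's local 192.168.0.0/24 adapter routes via 192.168.0.59 and a broadcast send, which helps separate adapter housekeeping noise from a tunnel-policy problem when reading a longer log.

```python
"""Parse Cisco VPN Client log entries and decode their hex-encoded addresses."""
import ipaddress
import re

# Constructed sample: the banner and the five entries quoted in the question.
LOG_SAMPLE = """\
Cisco Systems VPN Client Version 5.0.00.0340
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

45 16:15:56.593 11/27/07 Sev=Warning/2 CVPND/0xA3400011
Error -14 sending packet. Dst Addr: 0xFFFFFFFF, Src Addr: 0xC0A8003B (DRVIFACE:1201).
46 16:15:59.312 11/27/07 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87
47 16:15:59.312 11/27/07 Sev=Warning/2 CM/0xA3100025
Unable to delete route. Network: c0a800ff, Netmask: ffffffff, Interface: a000096, Gateway: c0a8003b.
48 16:15:59.312 11/27/07 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87
49 16:15:59.312 11/27/07 Sev=Warning/2 CM/0xA3100025
Unable to delete route. Network: c0a80000, Netmask: ffffff00, Interface: a000096, Gateway: c0a8003b.
"""

# Entry header: "<seq> <time> <date> Sev=<name>/<level> <module>/0x<code>"
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<severity>\w+)/(?P<level>\d+)\s+(?P<module>\w+)/0x(?P<code>[0-9A-Fa-f]+)$"
)
# Address fields the client prints as raw hex, with or without a 0x prefix.
HEX_FIELD_RE = re.compile(
    r"\b(Dst Addr|Src Addr|Network|Netmask|Interface|Gateway): (?:0x)?([0-9A-Fa-f]{1,8})\b"
)
# Win32 error codes seen in these logs (name taken from the Win32 API documentation).
WIN32_ERRORS = {87: "ERROR_INVALID_PARAMETER"}


def hex_to_dotted(hex_value):
    """'c0a8003b' -> '192.168.0.59'; short values such as 'a000096' are zero-padded."""
    return str(ipaddress.IPv4Address(int(hex_value, 16)))


def parse_log(text):
    """Pair each numbered header line with the message line that follows it."""
    entries, header = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
            continue
        if header is None:          # banner lines before the first entry
            continue
        entry = dict(header, message=line)
        entry["addresses"] = {k: hex_to_dotted(v) for k, v in HEX_FIELD_RE.findall(line)}
        err = re.search(r"\berror (\d+)$", line)
        entry["win32_error"] = WIN32_ERRORS.get(int(err.group(1))) if err else None
        entries.append(entry)
        header = None
    return entries


def route_problems(entries):
    """Routes the client failed to remove, as (network/prefix, gateway) pairs."""
    found = []
    for e in entries:
        if e["message"].startswith("Unable to delete route"):
            a = e["addresses"]
            network = ipaddress.ip_network(f"{a['Network']}/{a['Netmask']}", strict=False)
            found.append((str(network), a["Gateway"]))
    return found


if __name__ == "__main__":
    parsed = parse_log(LOG_SAMPLE)
    for e in parsed:
        print(e["seq"], e["module"], e["message"])
        if e["addresses"]:
            print("    decoded:", e["addresses"])
        if e["win32_error"]:
            print("    win32:", e["win32_error"])
    print("routes not removed:", route_problems(parsed))
```

Feed it the whole client log (the same two-line entry format is used throughout) and look only at the decoded `routes not removed` list; entries whose network is the client's own LAN, as here, are the client failing to tidy its local routes, not the PIX rejecting traffic.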

husycisco Wed, 11/28/2007 - 01:41

Please post your PIX config; most probably it is a tunneling issue.

Correct Answer
husycisco Wed, 11/28/2007 - 04:12

Add the following, in this order:

global (outside) 1 interface
object-group network Clients
  network-object 172.16.2.1 255.255.255.255
  network-object 172.16.2.2 255.255.255.255
  network-object 172.16.2.3 255.255.255.255
  network-object 172.16.2.4 255.255.255.255
  network-object 172.16.2.5 255.255.255.255
  network-object 172.16.2.6 255.255.255.255
  network-object 172.16.2.7 255.255.255.255
  network-object 172.16.2.8 255.255.255.255
  network-object 172.16.2.9 255.255.255.255
  network-object 172.16.2.10 255.255.255.255
  network-object 172.16.2.11 255.255.255.255
  network-object 172.16.2.12 255.255.255.255
  network-object 172.16.2.13 255.255.255.255
  network-object 172.16.2.14 255.255.255.255
  network-object 172.16.2.15 255.255.255.255
  network-object 172.16.2.16 255.255.255.255
  network-object 172.16.2.17 255.255.255.255
  network-object 172.16.2.18 255.255.255.255
  network-object 172.16.2.19 255.255.255.255
  network-object 172.16.2.20 255.255.255.255
  network-object 172.16.2.21 255.255.255.255
q
access-list no_nat permit ip 10.0.0.0 255.255.255.0 object-group Clients

After that, clients will be able to reach the inside network, but they will lose their local connectivity. To avoid this, add the following:

access-list split_T permit ip 10.0.0.0 255.255.255.0 object-group Clients
vpngroup nikas split-tunnel split_T
vpngroup nikas1 split-tunnel split_T
vpngroup nikas2 split-tunnel split_T
vpngroup nikas3 split-tunnel split_T
vpngroup nikas4 split-tunnel split_T
vpngroup nikas5 split-tunnel split_T
vpngroup nikas6 split-tunnel split_T
vpngroup nikas7 split-tunnel split_T
vpngroup nikas8 split-tunnel split_T
vpngroup nikas9 split-tunnel split_T
vpngroup nikas10 split-tunnel split_T
vpngroup nikas11 split-tunnel split_T
vpngroup nikas12 split-tunnel split_T
vpngroup nikas13 split-tunnel split_T
vpngroup nikas14 split-tunnel split_T
vpngroup nikas15 split-tunnel split_T
vpngroup nikas16 split-tunnel split_T
vpngroup nikas17 split-tunnel split_T
vpngroup nikas18 split-tunnel split_T
vpngroup nikas19 split-tunnel split_T
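The two ACLs in the answer do different jobs even though they read the same: no_nat keeps inside-to-client traffic out of the PAT defined by `global (outside) 1 interface`, and split_T tells each vpngroup which destinations the client should send into the tunnel (the inside network on the ACL's source side), leaving everything else on the client's LAN. The script below is an added example, not the answer's own code and not a Cisco tool: it parses the subset of PIX 6.x syntax used in the answer, answers "is this destination tunneled for this client?", and lists pool addresses that one of the ACLs would miss, which is the usual reason one client works and the next one does not. The config text is constructed from the answer with the pool trimmed to three addresses; the script assumes no_nat is the ACL bound to NAT exemption on the PIX (`nat (inside) 0 access-list no_nat`), which the snippet itself does not show.

```python
"""Parse the PIX 6.x snippet from the answer and check what it means for a client."""
import ipaddress

# Constructed input: the answer's snippet with the client pool trimmed to three hosts.
PIX_SNIPPET = """\
global (outside) 1 interface
object-group network Clients
  network-object 172.16.2.1 255.255.255.255
  network-object 172.16.2.2 255.255.255.255
  network-object 172.16.2.3 255.255.255.255
q
access-list no_nat permit ip 10.0.0.0 255.255.255.0 object-group Clients
access-list split_T permit ip 10.0.0.0 255.255.255.0 object-group Clients
vpngroup nikas split-tunnel split_T
vpngroup nikas1 split-tunnel split_T
"""


def net(addr, mask):
    """'10.0.0.0', '255.255.255.0' -> IPv4Network('10.0.0.0/24')."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix(text):
    """Return (object_groups, acls, vpngroups) for the PIX syntax used in the answer."""
    groups, acls, vpngroups = {}, {}, {}
    current = None                       # object-group currently being filled in
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:2] == ["object-group", "network"]:
            current = w[2]
            groups[current] = []
        elif w[0] == "network-object" and current:
            groups[current].append(net(w[1], w[2]))
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            current = None
            src = net(w[4], w[5])
            dst = ("group", w[7]) if w[6] == "object-group" else ("net", net(w[6], w[7]))
            acls.setdefault(w[1], []).append((src, dst))
        elif w[0] == "vpngroup" and w[2] == "split-tunnel":
            current = None
            vpngroups[w[1]] = w[3]
        else:                            # 'q', 'global ...' and anything else ends the group
            current = None
    return groups, acls, vpngroups


def dst_networks(groups, dst):
    kind, value = dst
    return groups[value] if kind == "group" else [value]


def covered(parsed, acl_name, client_ip, inside_ip=None):
    """True if some ACL entry matches inside -> client (and the given inside host, if any)."""
    groups, acls, _ = parsed
    client = ipaddress.ip_address(client_ip)
    for src, dst in acls.get(acl_name, []):
        if inside_ip is not None and ipaddress.ip_address(inside_ip) not in src:
            continue
        if any(client in n for n in dst_networks(groups, dst)):
            return True
    return False


def is_tunneled(parsed, vpngroup, client_ip, dst_ip):
    """Split tunnelling: only destinations on the source side of the vpngroup's
    split-tunnel ACL go into the tunnel; everything else stays on the client's LAN."""
    _, _, vpngroups = parsed
    acl = vpngroups.get(vpngroup)
    return acl is not None and covered(parsed, acl, client_ip, dst_ip)


def audit(parsed, pool, nat_exempt_acl="no_nat"):
    """Pool addresses that the NAT-exemption ACL or a split-tunnel ACL would not match."""
    _, _, vpngroups = parsed
    findings = []
    for ip in pool:
        if not covered(parsed, nat_exempt_acl, ip):
            findings.append(f"{ip}: not matched by {nat_exempt_acl}, inside replies get translated")
        for vg, acl in vpngroups.items():
            if not covered(parsed, acl, ip):
                findings.append(f"{ip}: vpngroup {vg} split-tunnel ACL {acl} does not cover it")
    return findings


if __name__ == "__main__":
    cfg = parse_pix(PIX_SNIPPET)
    print(is_tunneled(cfg, "nikas", "172.16.2.1", "10.0.0.5"))       # inside host: tunneled
    print(is_tunneled(cfg, "nikas", "172.16.2.1", "192.168.0.10"))   # client LAN: local
    for finding in audit(cfg, ["172.16.2.1", "172.16.2.4"]):         # .4 is outside the trimmed pool
        print(finding)
```

Run `audit` against the full pool handed out to the vpngroups whenever the pool or the object-group changes; a pool address missing from Clients shows up once per ACL that would miss it, and adding it to the object-group fixes both ACLs at once because both reference the group rather than listing hosts.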
