11-28-2007 01:30 AM - edited 03-11-2019 04:36 AM
Hello everyone
Please give me some help with the following.
I'm trying to connect with a VPN Client, which is behind a Checkpoint F/W, to a Cisco PIX 515. Although the connection is established, I cannot access the internal network behind the PIX. I configured NAT-T on the PIX 515 and opened the appropriate TCP/UDP ports (500, 4500, 10000) on the Checkpoint, but I get the following error in the log file of the VPN Client:
Cisco Systems VPN Client Version 5.0.00.0340
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
45 16:15:56.593 11/27/07 Sev=Warning/2 CVPND/0xA3400011
Error -14 sending packet. Dst Addr: 0xFFFFFFFF, Src Addr: 0xC0A8003B (DRVIFACE:1201).
46 16:15:59.312 11/27/07 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87
47 16:15:59.312 11/27/07 Sev=Warning/2 CM/0xA3100025
Unable to delete route. Network: c0a800ff, Netmask: ffffffff, Interface: a000096, Gateway: c0a8003b.
48 16:15:59.312 11/27/07 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87
49 16:15:59.312 11/27/07 Sev=Warning/2 CM/0xA3100025
Unable to delete route. Network: c0a80000, Netmask: ffffff00, Interface: a000096, Gateway: c0a8003b.
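The addresses in these client log entries are hex-encoded, which makes it hard to see at a glance which networks the warnings refer to. The following Python script is an added example, not part of the original post or of the Cisco VPN Client: it parses the five entries quoted above (embedded as a constructed sample, with the header/message two-line layout assumed from the quoted output) and decodes every address into dotted-quad form. Run on the sample it shows that the routes the client failed to delete are 192.168.0.255/32 and 192.168.0.0/24 via 192.168.0.59, i.e. the client's own local LAN, and that the failed send was a broadcast from that same 192.168.0.59 address.

```python
import re
import ipaddress

# Constructed sample input: the five entries quoted from the Cisco VPN Client log above.
# Format assumption: a header line "<seq> <time> <date> Sev=<level>/<n> <component>/<code>"
# followed by exactly one message line.
SAMPLE_LOG = """\
45 16:15:56.593 11/27/07 Sev=Warning/2 CVPND/0xA3400011
Error -14 sending packet. Dst Addr: 0xFFFFFFFF, Src Addr: 0xC0A8003B (DRVIFACE:1201).
46 16:15:59.312 11/27/07 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87
47 16:15:59.312 11/27/07 Sev=Warning/2 CM/0xA3100025
Unable to delete route. Network: c0a800ff, Netmask: ffffffff, Interface: a000096, Gateway: c0a8003b.
48 16:15:59.312 11/27/07 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87
49 16:15:59.312 11/27/07 Sev=Warning/2 CM/0xA3100025
Unable to delete route. Network: c0a80000, Netmask: ffffff00, Interface: a000096, Gateway: c0a8003b.
"""

HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\S+)\s+(?P<date>\S+)\s+"
    r"Sev=(?P<sev>\w+)/\d+\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s*$"
)
ROUTE_RE = re.compile(
    r"Unable to delete route\. Network: (?P<net>[0-9a-fA-F]+), Netmask: (?P<mask>[0-9a-fA-F]+), "
    r"Interface: (?P<iface>[0-9a-fA-F]+), Gateway: (?P<gw>[0-9a-fA-F]+)"
)
SEND_RE = re.compile(
    r"Error (?P<err>-?\d+) sending packet\. Dst Addr: 0x(?P<dst>[0-9A-Fa-f]+), "
    r"Src Addr: 0x(?P<src>[0-9A-Fa-f]+)"
)


def hex_to_ip(h):
    """Decode the client's hex IPv4 form (leading zero may be dropped), e.g. 'a000096' -> 10.0.0.150."""
    return ipaddress.IPv4Address(int(h, 16))


def parse_log(text):
    """Pair each header line with its message line and decode the addresses the message carries."""
    lines = text.splitlines()
    events = []
    for i, line in enumerate(lines):
        m = HEADER_RE.match(line)
        if not m or i + 1 >= len(lines):
            continue
        msg = lines[i + 1]
        ev = {"seq": int(m["seq"]), "severity": m["sev"], "component": m["comp"],
              "code": m["code"], "message": msg, "kind": "other"}
        r = ROUTE_RE.search(msg)
        s = SEND_RE.search(msg)
        if r:
            ev["kind"] = "route_delete_failed"
            # Network + netmask -> CIDR; strict=False tolerates host bits in the network field.
            ev["network"] = ipaddress.IPv4Network(
                (int(r["net"], 16), str(hex_to_ip(r["mask"]))), strict=False)
            ev["interface"] = hex_to_ip(r["iface"])
            ev["gateway"] = hex_to_ip(r["gw"])
        elif s:
            ev["kind"] = "send_failed"
            ev["error"] = int(s["err"])
            ev["dst"] = hex_to_ip(s["dst"])
            ev["src"] = hex_to_ip(s["src"])
        events.append(ev)
    return events


def failed_routes(events):
    """The routes the client could not remove, as 'network via gateway on interface' strings."""
    return [f"{e['network']} via {e['gateway']} on {e['interface']}"
            for e in events if e["kind"] == "route_delete_failed"]


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev["seq"], ev["component"], ev["kind"], ev.get("network", ""), ev.get("gateway", ""))
    print(failed_routes(parse_log(SAMPLE_LOG)))
```

Decoded this way the two route warnings point at the client's local subnet (192.168.0.0/24 and its broadcast address 192.168.0.255/32), with the client's own address 192.168.0.59 as gateway and 10.0.0.150 as the interface address; nothing in these entries refers to the network behind the PIX, which is why the answer below looks at the PIX NAT and split-tunnel configuration rather than at the client.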
11-28-2007 04:12 AM
Add the following in the respective order:
global (outside) 1 interface
object-group network Clients
network-object 172.16.2.1 255.255.255.255
network-object 172.16.2.2 255.255.255.255
network-object 172.16.2.3 255.255.255.255
network-object 172.16.2.4 255.255.255.255
network-object 172.16.2.5 255.255.255.255
network-object 172.16.2.6 255.255.255.255
network-object 172.16.2.7 255.255.255.255
network-object 172.16.2.8 255.255.255.255
network-object 172.16.2.9 255.255.255.255
network-object 172.16.2.10 255.255.255.255
network-object 172.16.2.11 255.255.255.255
network-object 172.16.2.12 255.255.255.255
network-object 172.16.2.13 255.255.255.255
network-object 172.16.2.14 255.255.255.255
network-object 172.16.2.15 255.255.255.255
network-object 172.16.2.16 255.255.255.255
network-object 172.16.2.17 255.255.255.255
network-object 172.16.2.18 255.255.255.255
network-object 172.16.2.19 255.255.255.255
network-object 172.16.2.20 255.255.255.255
network-object 172.16.2.21 255.255.255.255
q
access-list no_nat permit ip 10.0.0.0 255.255.255.0 object-group Clients
After that, clients will be able to reach the inside network, but they will lose their local connectivity. To avoid this, add the following:
access-list split_T permit ip 10.0.0.0 255.255.255.0 object-group Clients
vpngroup nikas split-tunnel split_T
vpngroup nikas1 split-tunnel split_T
vpngroup nikas2 split-tunnel split_T
vpngroup nikas3 split-tunnel split_T
vpngroup nikas4 split-tunnel split_T
vpngroup nikas5 split-tunnel split_T
vpngroup nikas6 split-tunnel split_T
vpngroup nikas7 split-tunnel split_T
vpngroup nikas8 split-tunnel split_T
vpngroup nikas9 split-tunnel split_T
vpngroup nikas10 split-tunnel split_T
vpngroup nikas11 split-tunnel split_T
vpngroup nikas12 split-tunnel split_T
vpngroup nikas13 split-tunnel split_T
vpngroup nikas14 split-tunnel split_T
vpngroup nikas15 split-tunnel split_T
vpngroup nikas16 split-tunnel split_T
vpngroup nikas17 split-tunnel split_T
vpngroup nikas18 split-tunnel split_T
vpngroup nikas19 split-tunnel split_T
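To make the two halves of this answer concrete, the following Python model is an added example, not part of the post or of the PIX software. It uses the names and addresses from the answer (object-group Clients with 172.16.2.1 to 172.16.2.21, the 10.0.0.0/24 inside network, the no_nat and split_T access-lists) and adds two assumptions that are not on the page: that no_nat is bound with `nat (inside) 0 access-list no_nat`, and that the outside interface address used by `global (outside) 1 interface` is the placeholder 203.0.113.1. It shows which inside-to-client replies escape PAT because of the exemption, which destinations the client tunnels with and without split_T, and a coverage check for pool addresses the object-group does not list.

```python
import ipaddress

# object-group network Clients (21 host entries, exactly as listed in the answer)
CLIENTS = [ipaddress.IPv4Network(f"172.16.2.{i}/32") for i in range(1, 22)]
INSIDE = ipaddress.IPv4Network("10.0.0.0/24")
# Placeholder for the PIX outside interface address ('global (outside) 1 interface'); not on the page.
OUTSIDE_IF = ipaddress.IPv4Address("203.0.113.1")


def acl_permit_ip(src_nets, dst_nets, src, dst):
    """Match a 'permit ip <src> <dst>' line; dst_nets is the expanded object-group."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(src in n for n in src_nets) and any(dst in n for n in dst_nets)


def nat_exempt(src, dst):
    """access-list no_nat permit ip 10.0.0.0 255.255.255.0 object-group Clients
    (assumed bound as 'nat (inside) 0 access-list no_nat')."""
    return acl_permit_ip([INSIDE], CLIENTS, src, dst)


def translated_source(src, dst):
    """Source address an inside host's reply to a VPN client leaves with: kept when the
    exemption matches, otherwise PAT'ed to the outside interface address (nat id 1)."""
    return ipaddress.IPv4Address(src) if nat_exempt(src, dst) else OUTSIDE_IF


# access-list split_T permit ip 10.0.0.0 255.255.255.0 object-group Clients
# The PIX hands the source side of split_T (10.0.0.0/24) to the client as the tunnelled network list.
SPLIT_NETS = [INSIDE]


def tunnelled(dst, split_tunnel=True):
    """True if the VPN client routes dst into the tunnel. Without 'vpngroup ... split-tunnel'
    the client tunnels every destination, which is the lost local connectivity the answer describes."""
    if not split_tunnel:
        return True
    return any(ipaddress.IPv4Address(dst) in n for n in SPLIT_NETS)


def uncovered(pool_addrs):
    """Pool addresses absent from object-group Clients. A client that draws one of these is
    not exempted from PAT and not split-tunnelled, so the original symptom returns for it."""
    return [a for a in pool_addrs
            if not any(ipaddress.IPv4Address(a) in n for n in CLIENTS)]


if __name__ == "__main__":
    print("reply 10.0.0.5 -> 172.16.2.5 leaves as", translated_source("10.0.0.5", "172.16.2.5"))
    print("reply 10.0.0.5 -> 172.16.2.22 leaves as", translated_source("10.0.0.5", "172.16.2.22"))
    print("client sends 192.168.0.10 through tunnel? split:", tunnelled("192.168.0.10"),
          "tunnel-all:", tunnelled("192.168.0.10", split_tunnel=False))
    print("pool addresses the object-group misses:", uncovered(["172.16.2.21", "172.16.2.22"]))
```

The coverage check is the caveat worth keeping in mind with a host-by-host object-group like this one: the exemption and the split-tunnel list only help the 21 addresses listed, so the vpngroup address pools must not hand out anything beyond 172.16.2.21, or the affected client ends up exactly where the question started.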
11-28-2007 01:41 AM
please post your PIX config, most probably it is a tunneling issue
11-28-2007 01:51 AM