Problem with VPN Client

otenet_cass
Level 1

Hello everyone

Please give me some help with the following.

I'm trying to connect with a VPN Client which is behind a Checkpoint F/W to a Cisco PIX 515. Although the connection is established, I cannot access the internal network behind the PIX. I configured NAT-T on the PIX 515 and opened the appropriate TCP/UDP ports (500, 4500, 10000) on the Checkpoint, but I get the following error in the log file of the VPN Client:

Cisco Systems VPN Client Version 5.0.00.0340

Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 2

45 16:15:56.593 11/27/07 Sev=Warning/2 CVPND/0xA3400011

Error -14 sending packet. Dst Addr: 0xFFFFFFFF, Src Addr: 0xC0A8003B (DRVIFACE:1201).

46 16:15:59.312 11/27/07 Sev=Warning/2 CVPND/0xA3400015

Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

47 16:15:59.312 11/27/07 Sev=Warning/2 CM/0xA3100025

Unable to delete route. Network: c0a800ff, Netmask: ffffffff, Interface: a000096, Gateway: c0a8003b.

48 16:15:59.312 11/27/07 Sev=Warning/2 CVPND/0xA3400015

Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

49 16:15:59.312 11/27/07 Sev=Warning/2 CM/0xA3100025

Unable to delete route. Network: c0a80000, Netmask: ffffff00, Interface: a000096, Gateway: c0a8003b.
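
The hex fields in these log lines are easier to read as dotted-quad addresses. The following Python decoder is an added example, not part of the original post; it reads the values as IPv4 addresses in network byte order and leaves the `Interface` field undecoded.

```python
import ipaddress
import re

# Message lines copied from the VPN Client log in the question above.
LOG = """\
Error -14 sending packet. Dst Addr: 0xFFFFFFFF, Src Addr: 0xC0A8003B (DRVIFACE:1201).
Unable to delete route. Network: c0a800ff, Netmask: ffffffff, Interface: a000096, Gateway: c0a8003b.
Unable to delete route. Network: c0a80000, Netmask: ffffff00, Interface: a000096, Gateway: c0a8003b.
"""

ROUTE = re.compile(r"Network: ([0-9a-f]+), Netmask: ([0-9a-f]+), "
                   r"Interface: [0-9a-f]+, Gateway: ([0-9a-f]+)", re.I)
PACKET = re.compile(r"Dst Addr: 0x([0-9a-f]+), Src Addr: 0x([0-9a-f]+)", re.I)

def hex_ip(value):
    """Convert a hex string such as 'c0a8003b' to an IPv4Address."""
    return ipaddress.IPv4Address(int(value, 16))

def decode(log):
    """Return ('route', prefix, gateway) and ('packet', src, dst) tuples."""
    events = []
    for line in log.splitlines():
        m = ROUTE.search(line)
        if m:
            net = ipaddress.ip_network(f"{hex_ip(m[1])}/{hex_ip(m[2])}",
                                       strict=False)
            events.append(("route", str(net), str(hex_ip(m[3]))))
            continue
        m = PACKET.search(line)
        if m:
            events.append(("packet", str(hex_ip(m[2])), str(hex_ip(m[1]))))
    return events

if __name__ == "__main__":
    for event in decode(LOG):
        print(event)
```

Decoded this way, the warnings concern the client's own LAN (192.168.0.0/24, local address 192.168.0.59): a broadcast send and two local routes the client could not delete.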

Accepted Solutions

husycisco
Level 7

Add the following in the respective order:

global (outside) 1 interface
object-group network Clients
 network-object 172.16.2.1 255.255.255.255
 network-object 172.16.2.2 255.255.255.255
 network-object 172.16.2.3 255.255.255.255
 network-object 172.16.2.4 255.255.255.255
 network-object 172.16.2.5 255.255.255.255
 network-object 172.16.2.6 255.255.255.255
 network-object 172.16.2.7 255.255.255.255
 network-object 172.16.2.8 255.255.255.255
 network-object 172.16.2.9 255.255.255.255
 network-object 172.16.2.10 255.255.255.255
 network-object 172.16.2.11 255.255.255.255
 network-object 172.16.2.12 255.255.255.255
 network-object 172.16.2.13 255.255.255.255
 network-object 172.16.2.14 255.255.255.255
 network-object 172.16.2.15 255.255.255.255
 network-object 172.16.2.16 255.255.255.255
 network-object 172.16.2.17 255.255.255.255
 network-object 172.16.2.18 255.255.255.255
 network-object 172.16.2.19 255.255.255.255
 network-object 172.16.2.20 255.255.255.255
 network-object 172.16.2.21 255.255.255.255
q
access-list no_nat permit ip 10.0.0.0 255.255.255.0 object-group Clients

After that, clients will be able to reach the inside network, but they will lose their local connectivity. To avoid this, add the following:

access-list split_T permit ip 10.0.0.0 255.255.255.0 object-group Clients
vpngroup nikas split-tunnel split_T
vpngroup nikas1 split-tunnel split_T
vpngroup nikas2 split-tunnel split_T
vpngroup nikas3 split-tunnel split_T
vpngroup nikas4 split-tunnel split_T
vpngroup nikas5 split-tunnel split_T
vpngroup nikas6 split-tunnel split_T
vpngroup nikas7 split-tunnel split_T
vpngroup nikas8 split-tunnel split_T
vpngroup nikas9 split-tunnel split_T
vpngroup nikas10 split-tunnel split_T
vpngroup nikas11 split-tunnel split_T
vpngroup nikas12 split-tunnel split_T
vpngroup nikas13 split-tunnel split_T
vpngroup nikas14 split-tunnel split_T
vpngroup nikas15 split-tunnel split_T
vpngroup nikas16 split-tunnel split_T
vpngroup nikas17 split-tunnel split_T
vpngroup nikas18 split-tunnel split_T
vpngroup nikas19 split-tunnel split_T
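
As an added illustration (not part of the original reply), this Python sketch evaluates the two ACLs from the answer: which inside-to-client flows `no_nat` matches, and which destinations a client sends into the tunnel under `split_T`. The addresses 10.0.0.5, 172.16.2.22 and 192.168.0.1 are constructed samples, and it assumes `no_nat` is bound to a `nat (inside) 0 access-list` statement in the attached config, which the page does not show.

```python
import ipaddress

# PIX 6.x lines reproduced from the answer above; the 21 host entries are
# generated in a loop instead of being typed out.
CONFIG = "object-group network Clients\n" + "".join(
    f" network-object 172.16.2.{i} 255.255.255.255\n" for i in range(1, 22)
) + (
    "access-list no_nat permit ip 10.0.0.0 255.255.255.0 object-group Clients\n"
    "access-list split_T permit ip 10.0.0.0 255.255.255.0 object-group Clients\n"
)

def parse(config):
    """Return ({group: [networks]}, {acl: [(source_network, dest_group)]})."""
    groups, acls, current = {}, {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], [])
        elif tok[:1] == ["network-object"] and current is not None:
            current.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"]:
            # Only the form used in the answer: <net> <mask> object-group <name>
            acls.setdefault(tok[1], []).append(
                (ipaddress.ip_network(f"{tok[4]}/{tok[5]}"), tok[7]))
    return groups, acls

def permits(groups, acls, acl, src, dst):
    """True if an ACL entry matches inside host src and VPN client dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in net and any(d in g for g in groups[grp])
               for net, grp in acls.get(acl, []))

def tunneled(acls, acl, dest):
    """Client-side view of split tunneling: only destinations inside the
    ACL's source networks go through the tunnel; the rest stays local."""
    d = ipaddress.ip_address(dest)
    return any(d in net for net, _ in acls.get(acl, []))

def tightest_prefixes(groups, name):
    """Collapse the host entries into the fewest exact CIDR blocks."""
    return [str(n) for n in ipaddress.collapse_addresses(groups[name])]

if __name__ == "__main__":
    groups, acls = parse(CONFIG)
    print(permits(groups, acls, "no_nat", "10.0.0.5", "172.16.2.7"))
    print(permits(groups, acls, "no_nat", "10.0.0.5", "172.16.2.22"))
    print(tunneled(acls, "split_T", "192.168.0.1"))  # constructed LAN address
    print(tightest_prefixes(groups, "Clients"))
```

A client address outside 172.16.2.1 to 172.16.2.21 is not matched by either ACL, and the 21 hosts collapse to six exact prefixes rather than one subnet, so a wider mask would exempt addresses the answer did not list.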


husycisco
Level 7

Please post your PIX config; most probably it is a tunneling issue.

Thank you for the reply. Please find attached the PIX config file.
