VPN works for everyone except a few people with 192.168.0.1 at their homes

Unanswered Question
Jan 16th, 2008

We have 100 users. We have a pcf file called "T1_radius_split" and the Cisco VPN client. Almost everyone can get in to the VPN fine, except for two people.

When the successful people get in, they can ping our internal 192.168.1.24 server, no problems. They can also surf the web thru their local ISP.

The two people that cannot get in are Betty and myself.

We both have 192.168.0.1 at our homes. She has a Comcast router, and we even put her in the DMZ. She can authenticate in the Cisco client, and it says connected, but she cannot ping the internal 192.168.1.24 server.

I have Win2003 ICS, and 10 PCs at home! I'm also on 192.168.0.x at home.

I have installed the Cisco client and pcf file on 9 PCs and every one has the exact same problem as Betty.

We use Cisco ASDM 5.2 for ASA, and it works great. We love the GUI.

All PCs in this scenario are pure Microsoft. XP Pro, in most cases.

gabrielny Wed, 01/16/2008 - 10:45

Should I enable NAT traversal on the ASA box? Or

should I enable this on Betty's router?

If the answer is the ASA box, why would the other 98 people in the company have no problems connecting?

acomiskey Wed, 01/16/2008 - 11:07

NAT-T would be enabled on the ASA if it is not already. I was just taking a stab with the limited information I had. Usually, when users can connect but cannot access anything, this is almost always NAT-T. As far as the other 98 users, I'm not sure, maybe they're not behind a NAT device?

rkiste Wed, 01/16/2008 - 17:00

I haven't played in the ASAs yet. The client side router is just the Comcast device? Does the client side have a second internet router such as a Linksys, Netgear, D-Link? Linksys devices have a common IPSEC pass-through option. I would be concerned about making changes at the host end since 98 connections are functioning just fine for you. When you moved the PC to the DMZ port, what port forwarding options did you enable? Have you attempted to change your transport on the client to UDP (this would require enabling UDP configurations on the ASA)? Also, it is important to provide the CIDR info on the IPs. What IP are you assigning the client when it connects? I manage over 1000 sites and 1200 clients to a load-balanced VPN 3030 concentrator and swear I have seen everything. Most of the time the issues are on the client. If you can answer my questions then I might be able to ask more questions or even point to something of interest.

gabrielny Thu, 01/17/2008 - 05:52

When I moved Betty's PC to her DMZ I didn't enable any ports, as this gave her PC her real Comcast IP, instead of a 192.168.0.x IP. ALL ports would be passing through. And no, I haven't enabled UDP on the ASA. I'm going now to look up CIDR and see what that is. I'll also try and figure out what IP I am assigning to the client when it connects.

thanks

rkiste Thu, 01/17/2008 - 09:51

CIDR is the bit notation of a subnet mask (i.e. 255.255.255.0, class C, is equal to the bit 24). What private addresses are the other 98 users on? If the client is getting a public address in the DMZ then I am not sure that it would be an IP (TCP/UDP) issue. My involvement with ASAs is a 5505 at my desktop blocking me from my network. I believe the other individual was right. Make sure NAT-T is enabled and open the firewall to allow IPSEC over TCP. It still doesn't explain why 98 other people are connecting.
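Since both failing users share a 192.168.0.x home LAN, a helpdesk check worth running is whether that LAN overlaps the address the ASA assigns the client or the split-tunnel networks the client installs, and which route the internal server would actually take. This script is an added example, not from the thread or from Cisco; the home LAN /24, the assigned client address and the split-tunnel list are constructed assumptions (the thread only gives the server address 192.168.1.24 and the 192.168.0.x home prefix).

```python
from ipaddress import ip_address, ip_network


def mask_to_cidr(mask):
    """Dotted subnet mask -> prefix length, e.g. 255.255.255.0 -> 24."""
    return ip_network(f"0.0.0.0/{mask}").prefixlen


def route_for(dest, home_lan, tunnel_nets):
    """Longest-prefix match between the home LAN route and the split-tunnel
    routes the VPN client installs. Returns (via, network-or-None)."""
    dest, home = ip_address(dest), ip_network(home_lan)
    routes = [("tunnel", n) for n in map(ip_network, tunnel_nets) if dest in n]
    if dest in home:
        routes.append(("local", home))
    if not routes:
        return ("default", None)  # leaves via the home ISP, never enters the VPN
    best = max(n.prefixlen for _, n in routes)
    winners = [(via, n) for via, n in routes if n.prefixlen == best]
    via, net = winners[0] if len(winners) == 1 else ("conflict", winners[0][1])
    return (via, str(net))


def check_client(home_lan, assigned_ip, tunnel_nets, server):
    """Return a list of overlap findings for one remote user (empty = clean)."""
    home, assigned = ip_network(home_lan), ip_address(assigned_ip)
    findings = []
    if assigned in home:
        findings.append(f"assigned VPN address {assigned} lies inside home LAN {home}")
    for n in map(ip_network, tunnel_nets):
        if n.overlaps(home):
            findings.append(f"split-tunnel network {n} overlaps home LAN {home}")
    via, _ = route_for(server, home, tunnel_nets)
    if via != "tunnel":
        findings.append(f"server {server} would be routed via '{via}', not the tunnel")
    return findings


if __name__ == "__main__":
    # Constructed sample: Betty's home LAN, an assumed client pool address and
    # an assumed split-tunnel list that covers all of 192.168.0.0/16.
    home = f"192.168.0.0/{mask_to_cidr('255.255.255.0')}"
    for finding in check_client(home, "192.168.0.50", ["192.168.0.0/16"], "192.168.1.24"):
        print("WARNING:", finding)
```

A clean split-tunnel list such as 192.168.1.0/24 with a pool address outside the home LAN produces no findings; a /16 that swallows the home subnet, or a pool address inside it, does.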

craig.eyre Mon, 01/21/2008 - 09:57

Hi,

I've seen the same issues you have been talking about and it was related to the end user's ISP. I mean that the ports that the information is coming back to the client on are blocked on their end. Not on the user's local desktop router but by the ISP as a whole. Do any of the other 100 VPN users have Comcast as an ISP? Do you use Comcast?

Craig

