NetMeeting not working between Cisco VPN clients

Answered Question
Dec 29th, 2009

Hi,

I had posted the same query a weeks ago but didn't get any reply. Just adding more details and hoping someone can help me.

Here is the real problem:

We have a client whose users use Cisco VPN clients to connect to the corporate LAN from the public network. They are able to access it as expected and are also able to run NetMeeting from their PC, but when users try to run NetMeeting between two VPN clients connected from the public network with the same pool IP, it doesn't work.

Thanks & regards

madhu.

acomiskey Tue, 12/29/2009 - 05:15

What device? ASA?

You will need the command "same-security-traffic permit intra-interface".

madhusudhan s Tue, 12/29/2009 - 05:34

The command is already added. Yes, it is an ASA.

I am also not able to ping IP between these clients.

I have pasted the respective configuration below:

tunnel-group abc type remote-access
tunnel-group abc general-attributes
address-pool cyp-pool
authentication-server-group cyp-radius
default-group-policy abc

tunnel-group abc ipsec-attributes
pre-shared-key *

crypto dynamic-map cisco 20 set transform-set ESP-3DES-SHA
crypto dynamic-map cisco 20 set security-association lifetime seconds 28800
crypto dynamic-map cisco 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 20 set reverse-route

crypto map outside_map0 65535 ipsec-isakmp dynamic cisco

crypto map outside_map0 interface outside

aaa-server cyp-radius protocol radius
aaa-server cyp-radius (inside) host xxxxxxx
timeout 5
key xxxxx
authentication-port 1812
accounting-port 1813
radius-common-pw xxxxx

ip local pool cyp-pool 192.168.1.2-192.168.1.240 mask 255.255.255.0

group-policy abc internal
group-policy abc attributes

dns-server value xxxxxx
vpn-simultaneous-logins 5

vpn-group-policy abc

username xxxx password xxxxx
username xxxx attributes
vpn-group-policy abc

username xxxx password xxxxx encrypted
username xxxxx attributes

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list outside_access_in remark ASA outside
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any

access-group outside_access_in in interface outside

global (outside) 1 xxxxxx netmask 255.0.0.0
nat (outside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0


class-map CSM_CLASS_MAP_1
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map CSM_POLICY_MAP_global_1
class CSM_CLASS_MAP_1
  inspect dns preset_dns_map
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect h323 h225
  inspect h323 ras
  inspect ipsec-pass-thru
  inspect ftp
!
service-policy CSM_POLICY_MAP_global_1 global

acomiskey Tue, 12/29/2009 - 05:48

Check the stateful firewall in the vpn client. Uncheck Options -> Stateful Firewall (Always On)

madhusudhan s Tue, 12/29/2009 - 20:16

Dear Acomiskey

It is already unchecked. Do you find any problem in the config, such as NAT, access-list or inspect? Are they configured correctly?

I had set up a lab with the help of an L3 and an ASA and used the following configuration on the ASA, and I am able to run NetMeeting, but it is not working with the client configuration mentioned above in the thread.

In the lab configuration below, NetMeeting is working:


ciscoasa# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
duplex full
nameif outside
security-level 0
ip address 172.16.172.164 255.255.255.0
!
interface GigabitEthernet0/1
duplex full
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit intra-interface
object-group icmp-type permit_icmp
icmp-object echo
icmp-object echo-reply
access-list inside_rule extended permit icmp any any object-group permit_icmp
access-list outside_rule extended permit icmp any any object-group permit_icmp
access-list outside_rule extended permit ip 192.168.0.0 255.255.255.0 any
no pager
logging console debugging
mtu outside 1500
mtu inside 1500
ip local pool mypool 192.168.0.1-192.168.0.100
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside_rule in interface outside
access-group inside_rule in interface inside
route outside 0.0.0.0 0.0.0.0 172.16.172.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map mydyn 1 set transform-set myset
crypto dynamic-map mydyn 1 set security-association lifetime seconds 28800
crypto dynamic-map mydyn 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map mydyn 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic mydyn
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.10.10.0 255.255.255.0 inside
telnet 10.10.10.10 255.255.255.255 inside
telnet timeout 5
ssh 10.10.10.10 255.255.255.255 inside
ssh timeout 20
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy mypolicy internal
group-policy mypolicy attributes
dns-server value 172.16.172.164
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group mygroup type remote-access
tunnel-group mygroup general-attributes
address-pool mypool
default-group-policy mypolicy
tunnel-group mygroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
!
service-policy global_policy global

Regards

Madhu.

Correct Answer
acomiskey Wed, 12/30/2009 - 05:23

Try removing "nat (outside) 1 192.168.1.0 255.255.255.0" and try again.

Or try adding something like this...

access-list outside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (outside) 0 access-list outside_nat0
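
An added example, not part of the original thread: a small Python audit that flags the condition the accepted answer targets, a VPN address pool caught by a dynamic `nat` rule on the VPN-terminating interface with no pool-to-pool `nat 0` exemption. The function names are hypothetical, and it assumes the pre-8.3 ASA NAT syntax shown in the thread and only the `permit ip <net> <mask> <net> <mask>` ACL form.

```python
import ipaddress
import re

# Constructed sample: NAT-relevant lines copied from the client configuration in this thread.
CLIENT_CONFIG = """\
ip local pool cyp-pool 192.168.1.2-192.168.1.240 mask 255.255.255.0
crypto map outside_map0 interface outside
same-security-traffic permit intra-interface
global (outside) 1 xxxxxx netmask 255.0.0.0
nat (outside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# The exemption suggested in the accepted answer.
NAT0_FIX = """\
access-list outside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (outside) 0 access-list outside_nat0
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def hairpin_nat_findings(config):
    """Return (pool, interface, nat_id) for each VPN pool that is dynamically NATed
    on the VPN-terminating interface with no pool-to-pool nat 0 exemption."""
    pools, vpn_ifaces, dyn_nat, nat0, acls = {}, set(), [], {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"ip local pool (\S+) ([\d.]+)-([\d.]+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"crypto map \S+ interface (\S+)", line):
            vpn_ifaces.add(m[1])
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nat0.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"nat \((\S+)\) ([1-9]\d*) ([\d.]+) ([\d.]+)", line):
            dyn_nat.append((m[1], int(m[2]), net(m[3], m[4])))
        elif m := re.match(r"access-list (\S+) extended permit ip "
                           r"([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)", line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
    findings = []
    for name, (lo, hi) in pools.items():
        for iface, nat_id, src in dyn_nat:
            if iface not in vpn_ifaces or lo not in src or hi not in src:
                continue
            exempt = any(lo in s and hi in s and lo in d and hi in d
                         for acl in nat0.get(iface, []) for s, d in acls.get(acl, []))
            if not exempt:
                findings.append((name, iface, nat_id))
    return findings

if __name__ == "__main__":
    print(hairpin_nat_findings(CLIENT_CONFIG))             # pool hits nat (outside) 1
    print(hairpin_nat_findings(CLIENT_CONFIG + NAT0_FIX))  # exemption covers the pool
```

The lab configuration posted earlier in the thread has no `nat` statements at all, so the same check returns no findings for it.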
