Cisco Support Community

New Member

Problem with VPN Client

Hello everyone

Please give me some help with the following.

I'm trying to connect with a VPN Client, which is behind a Checkpoint F/W, to a Cisco PIX 515. Although the connection is established, I cannot access the internal network behind the PIX. I configured NAT-T in the PIX 515 and opened the appropriate TCP/UDP ports (500, 4500, 10000) in Checkpoint, but I get the following error in the log file of the VPN Client:

Cisco Systems VPN Client Version 5.0.00.0340

Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 2

45 16:15:56.593 11/27/07 Sev=Warning/2 CVPND/0xA3400011

Error -14 sending packet. Dst Addr: 0xFFFFFFFF, Src Addr: 0xC0A8003B (DRVIFACE:1201).

46 16:15:59.312 11/27/07 Sev=Warning/2 CVPND/0xA3400015

Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

47 16:15:59.312 11/27/07 Sev=Warning/2 CM/0xA3100025

Unable to delete route. Network: c0a800ff, Netmask: ffffffff, Interface: a000096, Gateway: c0a8003b.

48 16:15:59.312 11/27/07 Sev=Warning/2 CVPND/0xA3400015

Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

49 16:15:59.312 11/27/07 Sev=Warning/2 CM/0xA3100025

Unable to delete route. Network: c0a80000, Netmask: ffffff00, Interface: a000096, Gateway: c0a8003b.
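
The addresses in the log above are printed as hexadecimal words, which makes the affected routes hard to read. The following Python sketch is an added example, not part of the original post; it decodes them and lists the routes the client could not delete. It assumes each word is a big-endian IPv4 address (the netmask values support that reading), and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample: entries 45, 47 and 49 copied from the log quoted in the post.
SAMPLE_LOG = """\
45 16:15:56.593 11/27/07 Sev=Warning/2 CVPND/0xA3400011
Error -14 sending packet. Dst Addr: 0xFFFFFFFF, Src Addr: 0xC0A8003B (DRVIFACE:1201).
47 16:15:59.312 11/27/07 Sev=Warning/2 CM/0xA3100025
Unable to delete route. Network: c0a800ff, Netmask: ffffffff, Interface: a000096, Gateway: c0a8003b.
49 16:15:59.312 11/27/07 Sev=Warning/2 CM/0xA3100025
Unable to delete route. Network: c0a80000, Netmask: ffffff00, Interface: a000096, Gateway: c0a8003b.
"""

# Fields decoded here; "Interface" is left alone because its meaning is not
# stated on the page.
ADDR_FIELDS = ("Dst Addr", "Src Addr", "Network", "Netmask", "Gateway")
FIELD_RE = re.compile(r"(%s): (?:0x)?([0-9A-Fa-f]{1,8})\b" % "|".join(ADDR_FIELDS))


def hex_to_ip(value):
    """Interpret a hex word such as 'c0a8003b' as a big-endian IPv4 address."""
    return ipaddress.IPv4Address(int(value, 16))


def decode_line(line):
    """Return {field name: IPv4Address} for each address field in one log line."""
    return {name: hex_to_ip(value) for name, value in FIELD_RE.findall(line)}


def failed_routes(log_text):
    """Return (network/prefix, gateway) for every 'Unable to delete route' entry."""
    routes = []
    for line in log_text.splitlines():
        if not line.startswith("Unable to delete route"):
            continue
        fields = decode_line(line)
        network = ipaddress.IPv4Network(
            f"{fields['Network']}/{fields['Netmask']}", strict=False
        )
        routes.append((str(network), str(fields["Gateway"])))
    return routes


if __name__ == "__main__":
    for network, gateway in failed_routes(SAMPLE_LOG):
        print(f"route {network} via {gateway} could not be deleted")
```

Decoded, both routes sit in 192.168.0.0/24, the same network as the source address 192.168.0.59 reported in entry 45.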

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Problem with VPN Client

Add the following in the order given:

global (outside) 1 interface

object-group network Clients

network-object 172.16.2.1 255.255.255.255

network-object 172.16.2.2 255.255.255.255

network-object 172.16.2.3 255.255.255.255

network-object 172.16.2.4 255.255.255.255

network-object 172.16.2.5 255.255.255.255

network-object 172.16.2.6 255.255.255.255

network-object 172.16.2.7 255.255.255.255

network-object 172.16.2.8 255.255.255.255

network-object 172.16.2.9 255.255.255.255

network-object 172.16.2.10 255.255.255.255

network-object 172.16.2.11 255.255.255.255

network-object 172.16.2.12 255.255.255.255

network-object 172.16.2.13 255.255.255.255

network-object 172.16.2.14 255.255.255.255

network-object 172.16.2.15 255.255.255.255

network-object 172.16.2.16 255.255.255.255

network-object 172.16.2.17 255.255.255.255

network-object 172.16.2.18 255.255.255.255

network-object 172.16.2.19 255.255.255.255

network-object 172.16.2.20 255.255.255.255

network-object 172.16.2.21 255.255.255.255

q

access-list no_nat permit ip 10.0.0.0 255.255.255.0 object-group Clients

After that, clients will be able to reach the inside network, but they will lose their local connectivity. To avoid this, add the following:

access-list split_T permit ip 10.0.0.0 255.255.255.0 object-group Clients

vpngroup nikas split-tunnel split_T

vpngroup nikas1 split-tunnel split_T

vpngroup nikas2 split-tunnel split_T

vpngroup nikas3 split-tunnel split_T

vpngroup nikas4 split-tunnel split_T

vpngroup nikas5 split-tunnel split_T

vpngroup nikas6 split-tunnel split_T

vpngroup nikas7 split-tunnel split_T

vpngroup nikas8 split-tunnel split_T

vpngroup nikas9 split-tunnel split_T

vpngroup nikas10 split-tunnel split_T

vpngroup nikas11 split-tunnel split_T

vpngroup nikas12 split-tunnel split_T

vpngroup nikas13 split-tunnel split_T

vpngroup nikas14 split-tunnel split_T

vpngroup nikas15 split-tunnel split_T

vpngroup nikas16 split-tunnel split_T

vpngroup nikas17 split-tunnel split_T

vpngroup nikas18 split-tunnel split_T

vpngroup nikas19 split-tunnel split_T
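
How the two access lists from the answer above behave, as an added Python example that is not part of the original reply: it expands the object-group, tests which address pairs an ACL matches, and shows which destinations a client in a vpngroup sends into the tunnel. It assumes the split-tunnel list is read on the client as "tunnel traffic to the ACL's source networks" and handles only `permit ip` entries with network/mask sources; the function names are illustrative.

```python
import ipaddress

# Constructed from the accepted answer: the 21 host entries, both ACLs, one vpngroup.
CONFIG = "\n".join(
    ["object-group network Clients"]
    + [f"network-object 172.16.2.{i} 255.255.255.255" for i in range(1, 22)]
    + ["access-list no_nat permit ip 10.0.0.0 255.255.255.0 object-group Clients",
       "access-list split_T permit ip 10.0.0.0 255.255.255.0 object-group Clients",
       "vpngroup nikas split-tunnel split_T"]
)


def net(addr, mask):
    """Build a network from the address/netmask pair used in the config lines."""
    return ipaddress.IPv4Network(f"{addr}/{mask}")


def parse(config):
    """Return (acls, split): ACL entries with object-groups expanded, and the
    split-tunnel ACL bound to each vpngroup."""
    groups, acls, split, members = {}, {}, {}, None
    for w in (line.split() for line in config.splitlines()):
        if w[:2] == ["object-group", "network"]:
            members = groups.setdefault(w[2], [])
        elif w[:1] == ["network-object"] and members is not None:
            members.append(net(w[1], w[2]))
        elif w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"]:
            dst = groups[w[7]] if w[6] == "object-group" else [net(w[6], w[7])]
            acls.setdefault(w[1], []).append((net(w[4], w[5]), dst))
        elif w[:1] == ["vpngroup"] and w[2:3] == ["split-tunnel"]:
            split[w[1]] = w[3]
    return acls, split


def acl_permits(config, acl, src_ip, dst_ip):
    """True if a permit entry of `acl` matches the source/destination pair."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(src in s and any(dst in d for d in ds)
               for s, ds in parse(config)[0].get(acl, []))


def client_path(config, vpngroup, destination):
    """'tunnel' or 'local' for one destination, under the assumption above."""
    acls, split = parse(config)
    if vpngroup not in split:
        return "tunnel"  # no split-tunnel list bound: all traffic is tunnelled
    dest = ipaddress.IPv4Address(destination)
    hit = any(dest in s for s, _ in acls.get(split[vpngroup], []))
    return "tunnel" if hit else "local"
```

Because the object-group lists 21 individual hosts, a client address outside that list, such as 172.16.2.22, is not matched by `no_nat` or `split_T`.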

3 REPLIES

Re: Problem with VPN Client

Please post your PIX config; most probably it is a tunneling issue.

New Member

Re: Problem with VPN Client

Thank you for the reply. Please find attached the PIX config file.

