
VPN client can't encrypt packets, VPN up, but no access to inside resources

At the beginning, I'm sorry for my long message.

I've read several posts here about my trouble... but still have not found any solution.

My problem is about a VPN IPsec tunnel on a Cisco PIX 515E device.

The PIX OS version is 7.0.6.

My Win XP client has SP2 installed and tries to make a VPN tunnel with IPsec via Cisco client 4.6.00.0049.

The strange behavior is:

The XP client with the Cisco VPN client authenticates itself but can't ping any host on the remote LAN.

The PIX is configured with:

PAT on the outside interface

and PAT on the DMZ interface.

A no-NAT ACL to exclude packets sourced from the inside network and destined to the VPN pool address.

(This ACL doesn't have any matches when the tunnel is up and running.)

A split tunnel ACL for the inside LAN.

When I bring the IPsec VPN up and check it via sh crypto ipsec sa, I find the tunnel active.

When I run sh access-list to check whether the ACLs are matched, I find only the crypto_dyn20_ ACL matched.

The nonat ACL and the splittunnel ACL have zero matches.

If I try to ping some host on the inside network from the client, nothing appears on the stats page of the VPN client.

If I ping from the PIX to the VPN client, I see decrypted packets on the stats page on the client.

No encryption appears to be done on the client.

If I try to traceroute from the XP client to any inside network host, stars appear from the first hop..

On my PIX I've enabled IPsec over TCP and NAT-T.

Where is my mistake?

Please help me!

I'm going crazy!!

I attach my PIX config.

Thanks a lot.

Daniele

5 Replies

zulqurnain
Level 3

Hi,

Do you think it's possible to post the debug output from the following:

debug crypto ipsec

debug crypto isakmp

Sorry, but when I start the VPN client, I can't see any output on debug!

I run:

term mon

debug crypto ipsec 255

debug crypto isakmp 255

and after that:

try to connect, establish the connection, and ping..

but on the PIX there is no output!

BUT after

sh crypto ipsec sa

on the PIX I have this output:

-----

See attachment!

-----

Thanks a lot

Daniele

I haven't found any solutions..

Can someone help me?

Thanks a lot to everybody

Daniele

Maybe solved!

Client versioning problem.

With the latest version of the Cisco VPN client (4.8) everything is working well...

Thanks a lot

False!

It isn't a client problem, but an IP addressing problem.

If the XP client is behind NAT, nothing works.

If the XP client has a public IP, no NAT, everything works correctly.. also Linux via vpnc .. :)

Obviously the PIX has:

NAT-T enabled via the isakmp nat-traversal 20 command in global configuration, and also ipsec-over-tcp 10000...

Any ideas?

Big trouble..

Cheers

Daniele
