Can't access resources off of some intf on Pix VPN with W2k/XP MPPTP client
I'm trying to get a VPN working, am able to connect to it using XP/W2k (w/o Cisco VPN client -- just Windows VPN). I can access resources from some interfaces but not others. The following is an example of the log message when I try to access a "blocked" resource:
I'm used to troubleshooting the error messages when they have an ACL, but this doesn't list one -- it doesn't list what's denying it. I looked the error code up on Cisco's website and it just said that it was denied due to the security policy in place. I added
permit ip any <VPN client IP net> <VPN client IP mask>
permit ip <VPN client IP net> <VPN client IP mask> any
to all of the interfaces on the Pix but it just didn't make a difference!
It seems that some interfaces I can access with the client just fine, but others are completely blocked (like the one denied log msg above). I can't access the internet or any resources on the Outside interface either (like pinging 126.96.36.199 or even my gateway router). When I do try, I get the following:
2003-05-22 10:38:18 Local0.Info <Pix IP> May 22 2003 10:20:59: %PIX-6-110001: No route to 188.8.131.52 from <VPN Client IP>
Accessing resources off of the Inside interface is just fine. There are two (Outside and another interface) that I can't access resources through.
Any help you could offer would be more than appreciated!
Re: Can't access resources off of some intf on Pix VPN with W2k/XP MPPTP client
I gave up and opened a TAC case for this issue after not getting any reply. My syslog server was showing that packets from the VPN client were being denied by the Pix, but without any access list specified. It turns out that I'd omitted a couple of static entries for the VPN client IP address subnet. After adding in the needed static entries to all of the interfaces/subnets the clients would need to access, it worked!
The other issue I was experiencing is not being able to access the Internet through the VPN (without using split-tunneling). To have Internet access, I would need to set up a different interface that would be handling the VPN connections (currently the same interface serves Internet access and VPN connections).
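For readers hitting the same symptom, here is what the fix described in the reply looks like as a PIX 6.x configuration fragment. This is an added example, not configuration posted in the thread; the VPN client pool, inside and DMZ subnets, the access-list name and the interface names are all assumed for illustration. The point it shows: the PIX needs a translation (xlate) for traffic arriving from the lower-security interface the VPN clients terminate on, and when none exists the packet is denied with a log message that names no access list, which is why adding permit lines alone changed nothing.

```cisco
! Added example, not from the thread. All addressing is constructed:
!   VPN client pool  10.0.100.0/24  (assigned to PPTP clients by the PIX)
!   inside network   10.0.1.0/24    (already reachable in the thread)
!   dmz network      10.0.2.0/24    (stands in for the interface the clients could not reach)
!
! Identity statics: each protected subnet is translated to itself toward the
! outside interface, so an xlate exists for VPN-client packets destined there.
! One such line is needed per interface/subnet the clients must reach; a
! missing line shows up as a deny with no ACL named, as in the original post.
static (inside,outside) 10.0.1.0 10.0.1.0 netmask 255.255.255.0
static (dmz,outside) 10.0.2.0 10.0.2.0 netmask 255.255.255.0
!
! The static only creates the translation; the access-list still decides what
! the client pool may reach, so keep it narrower than "permit ip any any".
access-list VPNCLIENTS permit ip 10.0.100.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list VPNCLIENTS permit tcp 10.0.100.0 255.255.255.0 10.0.2.0 255.255.255.0 eq 443
access-group VPNCLIENTS in interface outside
!
! Checks after a client connects: confirm the statics are present and that
! translations are actually being built for the client's traffic.
show static
show xlate
```

If a subnet is reachable from the inside but not from the VPN pool, compare `show static` against the list of interfaces the clients are expected to reach before touching the access-lists; the absence of a static for that subnet is the first thing to rule out.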