Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

is
New Member

Can't access resources off of some intf on Pix VPN with W2k/XP MPPTP client

I'm trying to get a VPN working, am able to connect to it using XP/W2k (w/o Cisco VPN client -- just Windows VPN). I can access resources from some interfaces but not others. The following is an example of the log message when I try to access a "blocked" resource:

2003-05-22 10:40:46 Local0.Error <pix IP> May 22 2003 10:23:28: %PIX-3-106010: Deny inbound tcp src outside:<VPN client addr>/1106 dst RemoteConnections:<dest addr>/23

I'm used to trouble-shooting the error messages when they have an ACL, but this doesn't list one -- it doesn't list what's denying it. I looked the error code up on Cisco's website and it just said that it was denied due to the security policy in place. I added

permit ip any <VPN client IP net> <VPN client IP mask>

and

permit ip <VPN client IP net> <VPN client IP mask> any

to all of the interfaces on the Pix but it just didn't make a difference!

It seems that some interfaces I can access with the client just fine, but others are completely blocked (like the one denied log msg above). I can't access the internet or any resources on the Outside interface either (like pinging 4.2.2.2 or even my gateway router). When I do try, I get the following:

2003-05-22 10:38:18 Local0.Info <Pix IP> May 22 2003 10:20:59: %PIX-6-110001: No route to 4.2.2.2 from <VPN Client IP>

Accessing resources off of the Inside interface is just fine. There are two (Outside and another interface) that I can't access resources through.

Any help you could offer would be more than appreciated!

Thank you in advance,

Tim Clegg

  • Other Security Subjects
2 REPLIES
New Member

Re: Can't access resources off of some intf on Pix VPN with W2k/

Have you checked the bug tool kit for any known issues between VPN client software and W2k/XP??

is
New Member

Re: Can't access resources off of some intf on Pix VPN with W2k/

I gave up and opened a TAC case for this issue after not getting any reply. My syslog server was showing that packets from the VPN client were being denied by the Pix, but without any access list specified. It turns out that I'd omitted a couple of static entries for the VPN client IP address subnet. After adding in the needed static entries to all of the interfaces/subnets the clients would need to access, it worked!

The other issue I was experiencing is not being able to access the Internet through the VPN (without using split-tunneling). To have Internet access, I would need to setup a different interface that would be handling the VPN connections (currently the same interface serves Internet access and VPN connections).

Thank you for your response!

Have a good day,

Tim Clegg

94
Views
0
Helpful
2
Replies
This widget could not be displayed.