Cisco PIX 506 VPN help

fhodits
Level 1

I can connect to my company's VPN. I am not able to browse anything on the network. I am able to ping everything on our internal network. I am new at configuring PIX VPN and I need to know what I possibly have left out. I have done the following commands:

vpngroup <group_name> address-pool <pool_name>

vpngroup <group_name> dns-server <dns_ip_prim> [<dns_ip_sec>]

vpngroup <group_name> wins-server <wins_ip_prim> [<wins_ip_sec>]

vpngroup <group_name> default-domain <domain_name>

vpngroup <group_name> idle-time <idle_seconds>

vpngroup <group_name> password <preshared_key>

What am I missing? We are running a WinNT network.

Thanks.

8 Replies

fhodits
Level 1

Update from post:

When I check the client when connected I don't see my internal network listed. Just 0.0.0.0 and the server IP address of the PIX.

Thanks

Just 0.0.0.0 means you are not using split-tunneling and are letting all traffic go via the VPN to the network behind the PIX. This is normal.

Troubleshooting steps to check NT domain logon problems.

1. Check if you can ping the WINS server.

2. Check if you can ping the PDC.

3. Check if your client is attempting to register with the WINS server, using WINS manager. (Check WINS query and response happening on WINS server).

You might have to use a sniffer to check.

A related (non-VPN) sequence of events is described at:

http://www.cisco.com/warp/customer/110/pixnetbios.html#troubleshoot

From the above URL, this is generally what happens:

Frames1-6 show the name registration process occurring between the client and the WINS server.

Frames 7-8 show the NetLogon process (the client looking for a DC) between the client and the WINS server.

Frames 9-11 show TCP session establishment.

Frame 12-13 show NetBIOS session establishment.

Frame 14-15 show the start of SMB negotiation and how the process continues and terminates when a user has finished accessing the resource.

So check which steps are failing. You might want to sniff an inside client logging to the PDC to see / baseline the sniffer trace vs. the VPN client.

Let us know how it goes,

Vijay

I can ping the WINS server and PDC when using the VPN. They are the same server. On the WINS server I show 2 failed attempts. Should I be using split-tunneling? I don't have a sniffer so I can't do that part. I am going to a PIX class in a month. Do I need to put in any NAT translations or use an access-list?

Thanks,

Frank
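The NAT, access-list and split-tunnel questions above come up on every PIX 6.x remote-access setup, so here is a complete worked configuration for the pieces around the vpngroup commands already posted. This is an added example, not Frank's configuration and not Cisco's documentation; the inside network 10.1.1.0/24, the address pool 192.168.100.0/24, the WINS/DNS/PDC address 10.1.1.10, the group name vpngroup1 and the ACL names are hypothetical, and it assumes PIX 6.x software with the Cisco VPN Client 3.x.

```text
! Assumed inside network 10.1.1.0/24, pool 192.168.100.0/24 (example values)
ip local pool vpnpool 192.168.100.1-192.168.100.50

! Exempt inside->VPN-pool traffic from NAT; without this, replies to the
! client get translated and the session never completes
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! Let decrypted IPsec traffic bypass the outside interface ACL
sysopt connection permit-ipsec

! Phase 1: the Cisco VPN Client requires Diffie-Hellman group 2
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2: dynamic crypto map, because client addresses are not known in advance
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside

! Split tunnel: only the inside network is sent through the tunnel.
! Source is the network behind the PIX, destination any.
access-list split_tunnel_acl permit ip 10.1.1.0 255.255.255.0 any

! Group attributes (same commands as in the original post, with example values)
vpngroup vpngroup1 address-pool vpnpool
vpngroup vpngroup1 dns-server 10.1.1.10
vpngroup vpngroup1 wins-server 10.1.1.10
vpngroup vpngroup1 default-domain corp.example
vpngroup vpngroup1 split-tunnel split_tunnel_acl
vpngroup vpngroup1 idle-time 1800
vpngroup vpngroup1 password <preshared_key>
```

Two caveats a practitioner would want to keep in mind: without the split-tunnel line the client shows only 0.0.0.0, which is the more secure setting because the remote PC cannot bridge the Internet and the inside network at the same time, so only add split tunneling if you need it; and `sysopt connection permit-ipsec` means anything the VPN client can reach is governed solely by what the inside network allows, not by the outside ACL, so the pre-shared group password should be treated as a real secret and rotated when people leave.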

You need to logon to the Windows network for browsing the network resources. Enable logon to domain in the client.

If you are not able to logon to the network, then try using a lmhosts file with the Domain Controller information specified there.

Once you logon, then you will be able to browse the network.
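The lmhosts suggestion above works because it lets the client find the domain controller by name without depending on WINS or broadcasts, which do not cross the tunnel. This is an added example of such a file and not part of the original reply; the domain name CORP, the server name NTPDC01 and the address 10.1.1.10 are hypothetical. On Windows NT the file lives in %SystemRoot%\system32\drivers\etc\lmhosts (no extension); on Windows 9x it lives in the Windows directory.

```text
# lmhosts: maps NetBIOS names to IP addresses for the VPN client.
# #PRE preloads the entry into the name cache; #DOM:CORP marks it as a
# domain controller for the CORP domain so NetLogon can find it.
10.1.1.10    NTPDC01    #PRE    #DOM:CORP

# Optional: name the domain master browser so "Network Neighborhood"
# browsing works across the tunnel. The quoted name must be padded to
# exactly 15 characters before the \0x1b suffix.
10.1.1.10    "CORP           \0x1b"    #PRE
```

After editing the file, run `nbtstat -R` to reload the cache and `nbtstat -c` to confirm the entries were preloaded before trying the domain logon again.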

I checked the box to prompt for the logon and I do not get the prompt. Is there something in the PIX config that I need to enable?

bennettt
Level 1

Are you using the Cisco VPN Client 3.5? If so, you need to go to "Options | Windows Logon Properties" and check "Enable start before logon". This will launch the VPN client before you log in, allowing you to log in to the private network after a VPN connection is established.

That is only for the Windows 2000 client, isn't it?

No, it also works for Win98.