Cisco VPN Client (3.x) --> PIX 515 (6.2) Routing Table

skingry
Level 1

I’m having trouble getting the Cisco VPN Client 3.x to work with my new PIX515 6.2 box. The end goal is to have both client software initiated connections as well as point to point links between the 515 and 501s. However, currently, I’m just trying to work the client software angle.

I also have the CiscoSecure v3.1 software installed.

I’ve done a lot of reading, but am currently working from the ‘Cisco PIX Firewall and VPN Configuration Guide.’ I have tried effectively mimicking the examples from two sections, ‘Xauth with RSA Ace/Server and RSA SecurID,’ and example 8-2 from the section ‘Cisco VPN 3000 Client Version 2.5/2.6 and Cisco VPN Client Version 3.x – the Xauth / Pre-Shared keys section.’

Under both scenarios (as well as countless little tweaks/experiments), the client software successfully authenticates through the PIX515 to the CiscoSecure server (and hence through that to the RSA ACE/Server). This is dandy. However, once that’s done, I’m still pretty much dead in the water as the client’s routing table doesn’t get updated to reflect the VPN link. Depending on the specific configuration on the PIX, I may be able to ping certain interfaces on that box, as well as other addresses between, but I can never get “through” the PIX box.

I’ve banged my head on this off and on for a few days without success. I guess I’m wondering if I’m even supposed to see an updated table, and if you have any suggestions on places to deviate from the example code? At this point, I do not have the allow access to local LAN box checked, though I have tried it both ways.

SK

PS: I’m eventually going to want the client’s new IP address (currently assigned from a local pool in the PIX515) to be registered in the DDNS system (these are not W2K clients), so if a design change needs to be incorporated to allow this, please keep in mind. My priority however, is to at least get the above working more so than this!! ;-)

5 Replies

gfullage
Cisco Employee

We'll probably need to see the PIX config to sort this out, can you post it and xxx out your passwords and outside IP address(es) please.

Keep in mind that if your tunnel is up, you won't be able to ping the inside interface of the PIX, or any interface other than the outside, the PIX doesn't allow this, so make sure for your testing that you are indeed pinging thru the PIX to an internal host. Also, make sure that internal host has a route to the VPN pool of addresses that points back to the PIX, otherwise you won't get a reply.

As for DDNS, this won't work with the PIX cause you can only assign IP addresses out of a local pool. For DDNS to work, it relies on IP assignment to a DHCP server. And no, you can't have ACS assign the IP address either, it can only be done with a local pool on the PIX. Sorry.

Oh, and no, you won't see anything in the routing table on the client. The VPN Client uses a SHIM adapter so the negotiated IP address is not known to anything other than the VPN client software, the underlying Windows OS doesn't know anything about it. If you do an "ipconfig /all" you'll notice you won't see any reference to the VPN IP address, only when looking at the VPN client properties window will you see this.

Thank you for your detailed reply and willingness to help. I appreciate both and learned a couple of things. After reading your message this morning, I was finally able to get the PDM interface to work (yes, one should use https, not http. For some reason I had found docs that implied to me PDM wasn't on the 515. Oops!). I blew away my config and by using the wizard I had a working VPN client configuration in five minutes. Granted, I'll do some tweaking, but anyway. It looks like NAT was set up incorrectly. As this PIX is not going to be used for outbound Internet access, I wasn't concerned. In one of the Xauth/token configuration examples I was working from, I had no NAT statements, and in the other example, I still didn't have enough NATting. I'll have to experiment to see exactly what is required, but at least I can move forward now. =)

Is there any way for the PIX to identify a hostname/IP pool address mapping? Obviously this would be dependent on the client supplying one.

Thanks!
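For readers hitting the same two problems named in this thread (NAT exemption for the client pool, and the need for a path back to that pool), here is an added PIX 6.2 configuration fragment for Cisco VPN Client 3.x with Xauth against an external AAA server. It is an illustration written for this page, not the poster's config and not taken from the Cisco guide; every address, name and placeholder in it is made up (inside LAN 10.1.1.0/24, client pool 192.168.100.0/24, ACS at 10.1.1.5 over TACACS+, group name `vpnusers`). The `!` lines are annotations and are not part of the PIX command set; strip them before pasting.

```cisco
! Added illustration, not the poster's config: PIX 6.2 fragment for
! Cisco VPN Client 3.x with Xauth against an external AAA server.
! All addresses, names and placeholder secrets below are constructed.

! Pool handed to VPN clients (assumed range)
ip local pool vpnpool 192.168.100.1-192.168.100.254

! NAT exemption: inside LAN (assumed 10.1.1.0/24) to the client pool
! must bypass NAT, otherwise replies are translated and never return
! through the tunnel. This is the "not enough NATting" piece.
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! Let IPsec-decrypted traffic bypass the interface access lists
sysopt connection permit-ipsec

! AAA server group used for Xauth (assumed CiscoSecure ACS, TACACS+)
aaa-server partnerauth protocol tacacs+
aaa-server partnerauth (inside) host 10.1.1.5 SHARED_KEY_PLACEHOLDER timeout 5

! Phase 1 policy for the software client
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2: dynamic crypto map, since client source addresses are unknown
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap client configuration address initiate
crypto map clientmap client authentication partnerauth
crypto map clientmap interface outside

! Group the VPN Client profile is configured with (name + group password)
vpngroup vpnusers address-pool vpnpool
vpngroup vpnusers dns-server 10.1.1.10
vpngroup vpnusers default-domain example.com
vpngroup vpnusers idle-time 1800
vpngroup vpnusers password GROUP_PASSWORD_PLACEHOLDER
```

The `nat (inside) 0 access-list nonat` pair is the part that addresses the NAT problem described above: without it, inside hosts' replies to 192.168.100.x get translated like ordinary outbound traffic. The second point from the reply above is not a PIX setting at all: the inside hosts, or their default gateway, need a route for 192.168.100.0/24 that points at the PIX inside interface, or pings "through" the PIX get no reply even though the tunnel is up. With the tunnel established, `show crypto isakmp sa` and `show crypto ipsec sa` on the PIX show the phase 1 and phase 2 state for the connected client, which is the place to confirm the tunnel before blaming routing.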

Glad to hear you got it working.

As for your last question, if you're asking can the PIX assign a particular IP address to a particular client based on some parameter like hostname, then sorry, the answer is no. The PIX address-allocation function is fairly simplistic, it just assigns addresses out of a local pool as they become available.

I'm sorry, I was not clear. All I'm wanting to find out is if the PIX knows the hostnames or usernames of the IP addresses it assigns. Meaning, can I use the CLI, GUI, or SNMP, etc., to see this information. Thanks!

sk

Oh OK, again the answer is no though. Sorry.