01-20-2003 04:39 AM - edited 02-21-2020 12:17 PM
I've been working on this one for three days now, searched CCO, google, books, etc., with no luck so I'm throwing this out there. With a Cisco 3.6 VPN client I can connect to a PIX 515 but I cannot ping nor reach any internal hosts. I set up a PPTP tunnel as a test and I could connect and ping through that one but not the IPSEC. I checked many configs on CCO and I can't see what I'm missing. I also checked the bug list and tried a few versions of clients. Any help is appreciated. The relevant parts of the config are below.
Cheers,
D
access-list compiled
access-list dmz_outbound_nat0_acl permit ip host DNSBOX any
access-list dmz_outbound_nat0_acl permit ip host WEBBOX02 any
access-list dmz_inbound_nat0_acl permit ip DMZ_Net 255.255.255.240 Corp_Net 255.255.255.0
access-list inside_access_in permit tcp Corp_Net 255.255.255.0 any eq www
access-list inside_access_in permit tcp Corp_Net 255.255.255.0 any eq https
access-list inside_access_in permit udp Corp_Net 255.255.255.0 any eq domain
access-list inside_access_in permit tcp host EXCHANGE host DNSBOX eq smtp
access-list inside_access_in permit tcp Corp_Net 255.255.255.0 host DNSBOX eq domain
access-list inside_access_in permit icmp Corp_Net 255.255.255.0 any
access-list inside_access_in permit udp host ATLDCSNS any eq ntp
access-list inside_access_in permit tcp Corp_Net 255.255.255.0 any eq ftp
access-list inside_access_in permit tcp Corp_Net 255.255.255.0 any eq ftp-data
access-list inside_access_in permit tcp Corp_Net 255.255.255.0 any eq 6081
access-list inside_access_in permit tcp Corp_Net 255.255.255.0 host ROUTER eq telnet
access-list inside_access_in permit tcp Corp_Net 255.255.255.0 any eq 801
access-list inside_access_in permit tcp Corp_Net 255.255.255.0 any eq citrix-ica
access-list inside_access_in permit tcp Test_Net 255.255.255.0 any eq www
access-list inside_access_in permit tcp Test_Net 255.255.255.0 any eq https
access-list inside_access_in permit icmp Test_Net 255.255.255.0 any
access-list dmz_access_in permit udp DMZ_Net 255.255.255.240 any eq domain
access-list dmz_access_in permit tcp host DNSBOX host EXCHANGE eq smtp
access-list dmz_access_in permit tcp DMZ_Net 255.255.255.240 any eq www
access-list dmz_access_in permit tcp host DNSBOX any eq smtp
access-list dmz_access_in permit tcp host WEBBOX any eq www
access-list dmz_access_in permit icmp any any
access-list outside_access_in permit udp any host DNSBOX eq domain
access-list outside_access_in permit tcp any host DNSBOX eq smtp
access-list outside_access_in permit tcp any DMZ_Net 255.255.255.240 eq echo
access-list outside_access_in permit tcp any host WEBBOX eq 7880
access-list outside_access_in permit tcp any host WEBBOX eq https
access-list outside_access_in permit tcp any host WEBBOX eq www
access-list nonat permit ip Corp_Net 255.255.255.0 10.2.4.0 255.255.255.0
access-list outside_nat0_inbound permit ip any any
ip address outside 66.65.99.66 255.255.255.248
ip address inside 10.2.3.2 255.255.255.0
ip address dmz 66.65.99.98 255.255.255.240
ip local pool VPNPOOL 10.2.4.1-10.2.4.254
global (outside) 10 interface
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list nonat
nat (inside) 0 EXCHANGE 255.255.255.255 dns 0 0
nat (inside) 10 0.0.0.0 0.0.0.0 dns 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
nat (dmz) 0 access-list dmz_inbound_nat0_acl outside
nat (dmz) 0 DMZ_Net 255.255.255.240 dns 0 0
static (inside,dmz) EXCHANGE EXCHANGE dns netmask 255.255.255.255 0 0
static (dmz,outside) WEBBOX WEBBOX dns netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 ROUTER00 1
route inside Test_Net 255.255.255.0 atldcsintrt 1
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp outside
sysopt noproxyarp inside
sysopt route dnat
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto dynamic-map vpnmap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp dynamic vpnmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup MYVPN address-pool VPNPOOL
vpngroup MYVPN dns-server NS00
vpngroup MYVPN wins-server NS00
vpngroup MYVPN default-domain mydomain.com
vpngroup MYVPN split-tunnel nonat
vpngroup MYVPN idle-time 1800
vpngroup MYVPN password ********
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local VPNPOOL
vpdn group 1 client configuration dns NS00
vpdn group 1 client configuration wins NS00
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username compvpn password *********
vpdn enable outside
01-21-2003 08:28 PM
Considering your PPTP config uses the same IP pool as your IPSec config, and your PPTP works, then that says you have the "nat 0" stuff set up correctly.
Your crypto config looks OK, can't see anything obviously wrong with it. Keep in mind that the tunnel is built on UDP port 500 (ISAKMP) packets, but then all data is sent on IP protocol 50 (ESP) packets, so it's possible that ESP is being filtered out somewhere. This would still allow you to build a tunnel successfully, you just couldn't ping anything over it.
After you establish a connection, do a "sho cry ipsec sa" on the PIX and look for the tunnel for your PC (find the tunnel with the IP address out of the pool that your connection received). Look at the Packets Encaps and the Packets Decaps counters. Also double-click on the padlock icon in your task bar. When you ping something, does the Packets Encrypted counter on your PC go up? Does the Packets Decaps counter on the PIX go up (indicating the PIX received your packet)? Does the Packets Encaps counter on the PIX go up (indicating the host responded and the PIX has encrypted the response and sent it to your PC)? Does the Packets Received counter on your PC go up?
You should be able to check these counters, see what increments and what doesn't, and figure out where the problem lies.
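An added example, not part of the thread: a small Python script that applies the counter walk above to two snapshots of "show crypto ipsec sa" (constructed sample output modelled on the PIX/IOS layout; the peer address and counter values are made up) plus the two client-side counter deltas, and names the first stage where the ping is lost.

```python
import re

# Constructed sample of PIX "show crypto ipsec sa" output (same layout as the
# IOS command); the peer 203.0.113.5 and the counters are made up for this example.
SA_BEFORE = """\
interface: outside
    Crypto map tag: vpnmap, local addr. 66.65.99.66
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.4.1/255.255.255.255/0/0)
   current_peer: 203.0.113.5:500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
"""
# Same SA after four pings from the client: the PIX decrypted them (decaps 4)
# but never encrypted a reply (encaps still 0).
SA_AFTER = SA_BEFORE.replace("#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0",
                             "#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4")

def parse_sa_counters(text):
    """Map each SA's remote (pool) address to its (encaps, decaps) counters."""
    counters = {}
    for block in re.split(r"(?=remote ident)", text):
        ip = re.search(r"remote ident \(addr/mask/prot/port\): \((\d+(?:\.\d+){3})/", block)
        enc = re.search(r"#pkts encaps: (\d+)", block)
        dec = re.search(r"#pkts decaps: (\d+)", block)
        if ip and enc and dec:
            counters[ip.group(1)] = (int(enc.group(1)), int(dec.group(1)))
    return counters

def diagnose(pool_ip, sa_before, sa_after, client_encrypted_delta, client_received_delta):
    """Walk the ping's path in the order the reply describes and name the first
    stage whose counter did not move. Client deltas come from the VPN client's
    statistics window (Packets Encrypted / Packets Received)."""
    if client_encrypted_delta <= 0:
        return "client never encrypted the ping: check the PC's route/split-tunnel for the target"
    after = parse_sa_counters(sa_after).get(pool_ip)
    if after is None:
        return "no IPsec SA for %s on the PIX: the tunnel is not up" % pool_ip
    before = parse_sa_counters(sa_before).get(pool_ip, (0, 0))
    encaps_delta, decaps_delta = after[0] - before[0], after[1] - before[1]
    if decaps_delta <= 0:
        return "PIX decaps did not move: ESP (IP protocol 50) is dropped between client and PIX"
    if encaps_delta <= 0:
        return "PIX decaps moved but encaps did not: no reply from the inside host (host, route or nat 0)"
    if client_received_delta <= 0:
        return "PIX encaps moved but client received nothing: ESP dropped on the way back"
    return "every counter moved: the tunnel is passing traffic"
```

Paste the two real snapshots in place of the constructed strings and read the client deltas off the statistics dialog before and after the ping.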
01-22-2003 12:12 PM
I am having the exact same problem. However, I have a couple of things I would like to add:
I've experienced this problem on Windows 2000 and Windows XP frequently.
On my Windows XP machine, I was able to ping internal resources through the VPN tunnel only once. After I restarted my PC, I lost that capability. Could this have something to do with the IPSEC Agent in Windows XP? I saw some posts suggesting that all Windows IPSEC services be disabled when running the VPN Client (I am using 3.6.2 btw).
On Windows 2000 PCs, the problem may be fixed with restarting the router on the VPN client's side.
01-22-2003 04:26 PM
Hi
To the best of my knowledge, 3.6 doesn't work very well at all, 3.6.3 is the one you want. Also, bear in mind that if your client is behind any kind of router or firewall that performs NAT or PAT, then although it may connect successfully, it won't work at all as the IPSEC packets will be discarded. The VPN client installation process should ask whether it can disable the w2k IPSEC service, cos it won't work otherwise.
HTH
Kev