Cisco Support Community

New Member

VPN Client 4.6.02.0011 connects successful but does not receive any Bytes

Hello experts,

My notebook with the VPN-Client connects successfully to the Easy VPN Server, a PIX Firewall 501.

But that is all. I cannot connect to any host behind the firewall. I have to start a Terminal Services client and log on to the local domain behind the firewall.

I carefully examined the example in Chapter 8 of the PIX manual "Managing VPN Remote Access".

And those are the differences:

1. In the manual there is an Access-List defined

access-list in_out_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0

(192.168.2.0 255.255.255.0 is the network address of the inside interface and 192.168.20.x is the address range the VPN client gets).

I do not have such an access-list definition, but a very similar one:

access-list outside_cryptomap_dyn_20 permit ip any 192.168.20.0 255.255.255.0

And this access-list is attached to a dynamic crypto-map via ...

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

... and the dynamic map is attached to a static map via ...

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

I think that the effect of the access-list definition is the same as that of the manual's example?

2. I only have ONE nat statement:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

But in the manual there is another statement:

nat (inside) 0 access-list in_out_nat0_acl

Is this statement the lacking one?

3. I do not have a ...

isakmp key <VPN-Client-Password>

... but I have the following statement:

vpngroup VPN_Group_Name password <VPN-Client-Password>

... and I think this is the same, isn't it?

4. I do not have the following three statements:

vpngroup VPN_Group_Name dns-server

vpngroup VPN_Group_Name wins-server

vpngroup VPN_Group_Name default domain

... because I want the VPN Client to connect to the Internet in parallel to the VPN Client at the remote site.

Therefore I defined an

access-list splitTunnelACL permit ip 192.168.2.0 255.255.255.0 any

and attached it via ...

vpngroup VPN_Group_Name split-tunnel splitTunnelACL

----------

Now when I open the statistics screen after being connected via VPN Client and after calling the MS Terminal Services Client and trying to connect to 192.168.2.5, I see

Received Bytes: 0

Sent Bytes: 1406

Local LAN: Disabled ????

And the "Route Details" page shows NO Local LAN Routes but the one Secured route 192.168.2.0 255.255.255.0

And the VPN adapter has no default gateway, but the local LAN of the notebook still has the local default gateway (192.168.80.1 at the moment)

Can anyone out there tell me, what is wrong here?

TIA,

Richard

2 REPLIES
Silver

Re: VPN Client 4.6.02.0011 connects successful but does not rece

Hi Richard,

Looking at your posting I see one problem, the lack of a NAT 0 statement.

This entry is used to exclude the packets from your internal network back to the client from the NAT process. In your case these packets are being natted and passed out to the Internet, not back down the tunnel. This is why the client stats show 0 received bytes.

So, what is the address pool range you have defined?

It's this range that needs to go in the NAT 0 ACL.

access-list NAT0-ACL permit ip any

nat (inside) 0 access-list NAT0-ACL

Hope this helps,

Andy
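
As an added example (not part of the thread and not a Cisco tool), this Python check reads PIX configuration text and reports whether an ACL bound with `nat (inside) 0 access-list` exempts traffic from the inside network to the VPN client range. The two sample configurations are constructed from the statements quoted in the posts above; the function names are hypothetical.

```python
import ipaddress
import re

def _take_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A', or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acls(config):
    """Map ACL name -> list of (source, destination) for 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"\s*access-list\s+(\S+)\s+permit\s+ip\s+(.+)$", line)
        if not m:
            continue
        try:
            src, rest = _take_addr(m.group(2).split())
            dst, _ = _take_addr(rest)
        except (IndexError, ValueError):
            continue  # incomplete entry, e.g. destination missing
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls

def nat0_exempts(config, inside_net, pool_net):
    """True if an ACL bound to 'nat (inside) 0' covers inside -> pool."""
    inside = ipaddress.ip_network(inside_net)
    pool = ipaddress.ip_network(pool_net)
    acls = parse_acls(config)
    bound = re.findall(r"^\s*nat \(inside\) 0 access-list (\S+)", config, re.M)
    return any(inside.subnet_of(src) and pool.subnet_of(dst)
               for name in bound for src, dst in acls.get(name, []))

# Constructed configs built from the statements quoted in the thread.
BEFORE = """\
access-list outside_cryptomap_dyn_20 permit ip any 192.168.20.0 255.255.255.0
access-list splitTunnelACL permit ip 192.168.2.0 255.255.255.0 any
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
AFTER = BEFORE + """\
access-list in_out_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list in_out_nat0_acl
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        ok = nat0_exempts(cfg, "192.168.2.0/24", "192.168.20.0/24")
        print(label, "NAT exemption present" if ok else "NAT exemption MISSING")
```

The crypto-map and split-tunnel ACLs in the "before" config mention the same networks but are not bound to `nat (inside) 0`, so the check reports the exemption as missing until the bound ACL is added.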

New Member

Re: VPN Client 4.6.02.0011 connects successful but does not rece

YES IT HELPED !!!!!!!!!!!!!!

I thank you so much for your help.

The problem is solved!!!!

Thank you again!!!!!

Yours truly,

Richard
