Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

workaround for vpnClient + PIX + microsoft

Hi all.

I had a lot of trouble while trying to configure windows vpn clients to connect to an internal network through a PIX.

W98 clients could not authenticate on the microsoft domain, while w2000 clients authenticated themselves and therefore accessed the network resources, but still could not browse the internal network in the way they did it while in LAN.

An almost identical configuration was working in other sites.

Finally, removing the PCMCIA-Ethernet, disabling the Network Card or changing its IP address solved the problem.

I got to authenticate with w98 and the internal resources browsing worked just fine. (w2000 is still under testing)

The intranet was 10.0.0.0/16, and my NIC was configured for 10.0.0.x/24.

I guess the PC tries to reach the WINS server (and get informations about the PDC) through the Ethernet NIC, unless it is disabled or on a different subnet (that was the case with the other working sites).

The VPN clients were DHCP clients, but they retained the IP address even after a restart.

We had to give an "ipconfig /release" command to let the VPN work properly.

A script that launches that command first, and then opens the VPN client seems to be a solution, but actually it is just a workaround.

I don't know if anyone already solved that problem in some other way.

I could not find anything better than this while searching on the internet or in the docs.

I'd like a more elegant solution, though.

Any suggestions?

Ciao :)

Aram Gurekian - alter.net srl

PS: please note that the name "INTERNET & MULTIMEDIA" at the right of my name in the post headers is *incorrect*. I don't seem to be able to change it without losing something somewhere else. Any Cisco web-programmer listening?!? :))

1 REPLY
Cisco Employee

Re: workaround for vpnClient + PIX + microsoft

This is a Microsoft issue, it will always send the packet out the NIC if it has the same network address as what you're trying to get to over the tunnel. There's no way around it other than removing the IP address off the NIC (or changing the address to be something different).

See http://www.cisco.com/warp/public/471/ms_route.html (which has links to MS articles describing this behaviour)

303
Views
0
Helpful
1
Replies
CreatePlease login to create content