I can establish a connection to the PIX fine, but cannot get to the internal LAN. It appears the VPN pool addresses don't reach the DNS/WINS servers, as if there is a routing problem. Do I need to take one of those pool addresses and use it as a static route/default gateway on the router that sits between the PIX and the local LAN?
That didn't work. I got an error message about a "classless" IP address and the config failed. I can connect and authenticate to the PIX OK, but I don't get the Windows login screen for user ID, password and DOMAIN name. Only the PIX is talking back and forth to the client. It's like it can't find the DNS/WINS servers.
I had a problem like that today with a PPTP-based VPN.
LAN ---> Router ----> PIX ---> Internet <--- PPTP Clients
If you have a router in between the PIX and the LAN, make sure
that you are not NAT'ing the VPN traffic that is returning to the VPN clients
(i.e., web page access).
VPN Client src 10.1.38.6 port 1044 syn -->
InternalWWW dst 10.1.1.10 port 80
VPN Client establishes a session to the PIX outside interface/tunnel endpoint.
The VPN Client's request for a web page gets to the web server successfully, BUT the firewall tries to NAT the return traffic as soon as it hits the inside interface.
The return traffic ends up with:
InternalWWW src IP-OF-OUTSIDE-INTERFACE port 80 syn-ACK --> 10.1.38.6
(since the ACK bit is set, the PIX looks for an active NAT translation slot, of which there is none, so it won't work)
I fixed it like this:
ip local pool VPNUSERS 10.1.38.6-10.1.38.10
access-list 123 permit ip any host 10.1.38.6
access-list 123 permit ip any host 10.1.38.7
access-list 123 permit ip any host 10.1.38.8
access-list 123 permit ip any host 10.1.38.9
access-list 123 permit ip any host 10.1.38.10
nat (inside) 0 access-list 123
nat (inside) 1 0 0
global (outside) 1 interface
ip address inside 10.1.38.1 255.255.255.0
(the router is 10.1.38.2/24)
sysopt connection permit-pptp
I checked syslog and it was barking about no active NAT translation slots.
What was happening was that traffic was coming into the VPN tunnel and going to the destinations, but the return traffic could not go back because there were no active NAT translation slots for the session (those are only created for sessions INITIATED by the internal clients). So I had to make sure that traffic returning to the VPN clients' requests was not getting NAT'd on the way back.
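To make the failure mode in the post concrete, here is a small Python model of the decision the PIX makes on its inside interface: a packet matching the `nat (inside) 0 access-list` exemption passes untranslated, a new inside-initiated session gets a PAT slot on the outside address, and a mid-session packet (ACK set) with no slot has nowhere to go. This is an added, constructed example, not PIX code and not from the thread; the outside address 203.0.113.1, the inside browsing host 10.1.1.50 and the Internet host 198.51.100.7 are made up, and the model deliberately ignores connection tracking and timeouts.

```python
"""Simplified model of the PIX 'nat 0 access-list' exemption decision.

Constructed example (not PIX code, not from the thread): it imitates the
behaviour the post describes, where a translation slot is only built for a
session the inside host initiates, so the SYN-ACK returning to a VPN client
is dropped unless nat 0 exempts it from translation.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass
class PixInsideNat:
    outside_ip: str                                   # global (outside) 1 interface
    nat0_acl: list = field(default_factory=list)      # (src_net, dst_net) ACEs for nat 0
    xlate: dict = field(default_factory=dict)         # (inside_ip, port) -> (global_ip, port)
    dropped: list = field(default_factory=list)

    def exempt(self, pkt: Packet) -> bool:
        """nat (inside) 0 access-list: does any ACE match this src/dst pair?"""
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return any(s in sn and d in dn for sn, dn in self.nat0_acl)

    def inside_to_outside(self, pkt: Packet):
        """Packet arriving on the inside interface, heading to a lower-security side."""
        if self.exempt(pkt):
            return pkt                 # identity NAT: no translation slot needed
        key = (pkt.src, pkt.sport)
        if key not in self.xlate:
            if pkt.ack:
                # Mid-session packet with no slot: nothing to translate it with,
                # which is the "no translation slot" syslog the post mentions.
                self.dropped.append(pkt)
                return None
            # New inside-initiated session: build a PAT slot on the outside IP
            # (port kept unchanged here for readability).
            self.xlate[key] = (self.outside_ip, pkt.sport)
        gip, gport = self.xlate[key]
        return Packet(gip, pkt.dst, gport, pkt.dport, pkt.syn, pkt.ack)


def build_acl(pool_hosts):
    """access-list 123 permit ip any host <pool address>, one ACE per pool host."""
    return [(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network(f"{h}/32"))
            for h in pool_hosts]


def pool(first, last):
    """ip local pool VPNUSERS 10.1.38.6-10.1.38.10 expanded to a host list."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(ipaddress.ip_address(i)) for i in range(int(a), int(b) + 1)]


def vpn_return_traffic(exemption: bool):
    """Web server 10.1.1.10 answers VPN client 10.1.38.6 with a SYN-ACK."""
    acl = build_acl(pool("10.1.38.6", "10.1.38.10")) if exemption else []
    pix = PixInsideNat("203.0.113.1", acl)            # constructed outside address
    syn_ack = Packet("10.1.1.10", "10.1.38.6", 80, 1044, syn=True, ack=True)
    return pix.inside_to_outside(syn_ack)


def inside_initiated_traffic():
    """An inside host browsing the Internet is still PAT'd by nat (inside) 1."""
    pix = PixInsideNat("203.0.113.1", build_acl(pool("10.1.38.6", "10.1.38.10")))
    syn = Packet("10.1.1.50", "198.51.100.7", 3000, 80, syn=True)   # constructed hosts
    return pix.inside_to_outside(syn)


if __name__ == "__main__":
    print("no nat 0   :", vpn_return_traffic(False))   # None: SYN-ACK dropped
    print("with nat 0 :", vpn_return_traffic(True))    # passes untranslated
    print("outbound   :", inside_initiated_traffic())  # src rewritten to outside IP
```

Running it shows the three cases side by side: without the exemption the SYN-ACK to the VPN client never leaves the inside interface, with it the packet keeps its real source 10.1.1.10, and ordinary inside-initiated browsing is still translated to the outside address, which is exactly the split the `nat 0` / `nat 1` pair in the config above is meant to produce.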