
Client VPN connected but not working

Hi Guys,

 

I have a PIX 515 firewall which has remote access VPN which worked fine. We then created a site to site tunnel to an ASA 5520 which is working fine. Remote access Client VPNs are working fine when connected to the PIX on Windows XP but I can't get Windows 7 computers to work. It says connected but I cannot reach any devices behind the PIX. I am running version 5 VPN client on Windows 7. I was told to turn off IPv6 on Windows 7. I did that in the registry but it did not work. Any ideas? Any help will be greatly appreciated.

 

Thanks,

Lake


Does the windows 7 machine have up-to-date patches? If not, update the machine and then try the VPN again.

Which Windows 7 build are you running?  According to this link the 5.0.5 VPN client has been tested successfully on the 7048 build.

--

Please remember to select a correct answer and rate helpful posts


I think the Windows machine is up to date with Windows patches but I will check with the user. The user was using Cisco VPN client version 5.0.07.0290 but we just removed that and installed 5.0.07.0410. Is there a newer version and if so is it more reliable? Using the 5.0.07.0290 client the user can connect to an ASA VPN without any problems but it just wouldn't work on the PIX.

I think we have narrowed it down to a Windows 7 64 bit issue. It seems to work fine with Windows 7 32 bit but not 64 bit. Any ideas?

 

Thanks,

Lake

What software version are you running on the PIX?

*edit* - Also, have you tested from a different 64bit machine to make sure there isn't something faulty with the current one you are using?

--

Please remember to select a correct answer and rate helpful posts


The PIX is running version 6.3. Actually, one Windows 7 64 bit and one Windows 8 64 bit were working fine before we set up the site to site VPN which is connected to a remote ASA. Now the Windows 7 machine can connect fine to the ASA using client VPN but it just won't work with the PIX.

Do you have NAT traversal enabled on the firewall device?

Cisco VPN Client Connects but no traffic will Pass

 

Pete

 

Yes Sir, it is enabled. The Client VPN works perfectly fine with Windows 32 bit computers but not Windows 7 and 8 64 bit. I can connect to the VPN but I cannot reach any devices behind the PIX. If I log in to the PIX I can ping the Windows 64 bit computer. Any ideas? I have attached the PIX config. Please advise.

 

Thanks,

Lake

Can someone please help me with this PIX remote access VPN? I just can't get it working with Windows 64 bit clients.

Any help will be greatly appreciated.

 

Thanks,

Lake

 

Well, if it works fine with the 32 bit machines there is no problem with the PIX configuration.

When you say you can ping the Windows 64 bit computer, are you pinging its VPN assigned IP or a public IP on the internet?

When you try to connect using the 64bit computer do you see anything unusual in the log?

If you enable the client logging feature in the VPN client do you see anything that might point to what is causing the issue there?

Just for the sake of elimination, have you disabled the windows firewall on the 64 bit computer when trying to connect?

You can also try to uninstall and then reinstall the VPN client on the 64 bit machine. Just remember to restart the computer after the uninstall, and then again after you install the VPN client again.

Also make sure that all windows updates are installed (not just the high priority ones).

This link has some more tips on troubleshooting RA VPN problems

http://www.informit.com/library/content.aspx?b=Troubleshooting_Remote_Access&seqNum=167

--

Please remember to select a correct answer and rate helpful posts


Marius,

Thanks for taking the time to help me with this.

If I ssh into the PIX I can ping the VPN client by its VPN assigned IP address.

I will get the user to turn on logging in the VPN client and look for any errors.

Yes, we did disable the Windows firewall and even the antivirus.

We had an older version of the VPN client and we removed that and installed the latest one from Cisco website without any success. We also have a second Windows 64 bit computer that is not working.

The computer is fully updated.

Both of these computers were working fine before we set up the site to site VPN.

Did you get a chance to take a look at my config?

 

Thanks,

Lake

 

 

How are you testing the RA VPN connection? If using ping, what are you pinging?

Which IP pool are the 64 bit computers getting their IP from (dmz-pool or vpn-pool)?

If it is the dmz-pool, just for testing, could you add a more specific ACL entry for the no nat instead of using any as the source address:

access-list no-nat-acl permit ip any 192.168.7.0 255.255.255.0

--

Please remember to select a correct answer and rate helpful posts


Marius,

We are trying to ping 192.168.2.3 which is on the inside network. The 32 bit computers are getting their IP addresses from vpn-pool and I think the 64 bit ones are also getting their IPs from the same pool. I don't have a 64 bit computer but I will check with the user. I don't think we need the dmz pool. Should I just remove it or do you think I should still go ahead and add the access list command you mentioned?

I truly appreciate all your help.

 

Thanks,

Lake

 

 

Should I just remove it or do you think I should still go ahead and add the access list command you mentioned?

As per your configuration the dmz-pool is configured to be used.

vpngroup dmz-group address-pool dmz-pool

You could remove it and then see if someone starts shouting at you, just remember to make a backup of the configuration in case you need to add it back in quickly.

You are missing the 192.168.2.0 subnet from your no nat statements.

access-list no-nat-acl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list no-nat-acl permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list no-nat-acl permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0 
access-list no-nat-acl permit ip any 192.168.7.0 255.255.255.0 

Add a rule that includes the 2.0 network going to the 6.0 network and then test.

access-list no-nat-acl permit ip 192.168.2.0 255.255.255.0 192.168.6.0 255.255.255.0


--
Please remember to select a correct answer and rate helpful posts
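
The NAT-exemption gap pointed out in the reply above can be checked mechanically. The following is an added example, not code from any participant in this thread: it parses the quoted `no-nat-acl` lines and tests whether return traffic from the inside host 192.168.2.3 to a VPN client address matches an entry. The client addresses 192.168.6.10 and 192.168.7.10 are constructed, and the model assumes only `permit ip` lines matter.

```python
import ipaddress

# no-nat-acl entries as quoted in the reply above (PIX 6.3 syntax)
ACL_BEFORE = """\
access-list no-nat-acl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat-acl permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat-acl permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list no-nat-acl permit ip any 192.168.7.0 255.255.255.0
"""
# The entry suggested in the reply
ADDED_RULE = ("access-list no-nat-acl permit ip "
              "192.168.2.0 255.255.255.0 192.168.6.0 255.255.255.0\n")


def _take_network(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")


def parse_acl(text, name="no-nat-acl"):
    """Return (source_net, dest_net) pairs for the 'permit ip' lines of one ACL."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:4] != ["access-list", name, "permit", "ip"]:
            continue  # other ACLs, deny lines and non-ACL config are ignored
        rest = tokens[4:]
        rules.append((_take_network(rest), _take_network(rest)))
    return rules


def exempt_from_nat(rules, inside_ip, client_ip):
    """True if traffic inside_ip -> client_ip matches a NAT-exemption entry."""
    src = ipaddress.ip_address(inside_ip)
    dst = ipaddress.ip_address(client_ip)
    return any(src in s and dst in d for s, d in rules)


if __name__ == "__main__":
    before = parse_acl(ACL_BEFORE)
    after = parse_acl(ACL_BEFORE + ADDED_RULE)
    for client in ("192.168.6.10", "192.168.7.10"):  # constructed client IPs
        print(client, exempt_from_nat(before, "192.168.2.3", client),
              exempt_from_nat(after, "192.168.2.3", client))
```
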

Marius,

 

I removed the commands below and it still works for 32 bit clients. I am trying to get my colleague to test it. Since I don't need dmz-pool, I just removed it. I will let you know how that goes.

no vpngroup dmz-group address-pool dmz-pool
no ip local pool dmz-pool 192.168.6.1-192.168.6.254

 

I added this one below.

access-list no-nat-acl permit ip 192.168.2.0 255.255.255.0 192.168.6.0 255.255.255.0

 

Thanks,

Lake

 
