VPN connection without REMOTE LAN access not working.

I have read recently other people having similar trouble, this is somewhat different.

Through the same home Linksys router/firewall I can connect a workstation via VPN to a PIX501 without trouble.  From the same network I can connect my laptop, but I do not have REMOTE LAN access.

This seems to imply that the local firewall is not an issue.

The workstation is using the Cisco client version 5.0.00 and the laptop 5.0.03.

The workstation is XP-sp3, the laptop is Vista-sp2.

Another, separate laptop running XP-sp3 and connecting via an AT&T USB air card has the same connectivity issue.

We can connect to the VPN and receive an IPPOOL address, but no REMOTE LAN access.  The workstation connects without issue.

Any suggestions?

Here is an update: Attached is the PIX configuration. The network is as follows:

Laptop (192.168.101.104)
Linksys router (192.168.101.x)
Cable company modem and Internet
Remote router provided by ISP
Pix 501 inside (192.168.0.1), network (192.168.0.x), no other router at this location, just switch.
Server (192.168.0.4)

The connection is working today without any other updates, except with the addition of the "management-access inside" command.  Have not tried to connect with the AT&T laptop yet, so I do not know if that is working or not.  The configuration works from a workstation of same operating system and VPN client software.

Comments:
1. USB devices, not sure why this should make a difference.  It is essentially a modem connection to the Internet. I will test connection.
2. I will try disabling the firewall to see if that makes a difference.
3. Please check the configuration as to needed or missing commands.

Is there a reason why this would be intermittent? I will test my laptop with the Internal Verizon card and give an update.

Message was edited by: Michael DeCamillis

I just connected via the Verizon network card.  This card is built into the Vista laptop and is not an external USB connection.  Connection is working. The only thing that was changed is the command: "management-access inside".   No other changes were made in the interim. I will test with the other XP laptop (not at this location so it will be a little while before testing).


Hi,

You mean that the VPN client connects fine but can't pass traffic through the tunnel?

If so, look at the following:

  • NAT-T should be enabled both on the VPN server and client.
  • sh cry ips sa --> shows traffic encrypted/decrypted when sending traffic to the remote LAN
  • If the PIX is running 6.3 enter the command ''management-access inside'' and check if you can PING the inside IP of the PIX from the VPN client
  • Check that the command ''sysopt connection permit-ipsec'' is configured
  • The remote LAN should have a route back to the PIX to send the traffic to the VPN clients

Federico.

If I understand you right, this is what you need:

                                   ipsec for clients
    PC (remote client network A) ------------------------- PIX (network B)
                                   ipsec tunnel                |
                                                               |
    router (remote network C) ---------------------------------+

So if your question is that you need access from A to C, that won't happen on a PIX 501 running 6.3.

If you want access from A to B, make sure you have the nat 0 statements set right: the nat 0 ACL should have src as internal and dst as the remote VPN pool, plus the rest of the points mentioned by Federico.

Hi Michael,

Please be informed that Cisco VPN Client doesn't support VPN connections through a USB Dongle or a Data card.

As far as the other issue is concerned, this is what i understand. Please correct me if I am wrong so that we can provide you an apt solution.

    Workstation  -------------- Linksys Router ---- VPN Connection --- PIX 501
                                      |
    Vista Laptop ---------------------+

manasjai (Cisco Employee)

Hi ,

Try disabling Windows firewall on the laptop from which you are not able to access the resources!!

Also, Cisco VPN client does not support VPN connections through a data card!!  This answers why we are facing issues with the AT&T USB air card.

Thanks,

manasi

Here is an update:

Attached is the PIX configuration under the original post.

The network is as follows:
Laptop (192.168.101.104)

Linksys router (192.168.101.x)
Cable company modem and Internet
Remote router provided by ISP

Pix 501 inside(192.168.0.1) network (192.168.0.x) no other router at this location, just switch.
Server (192.168.0.4)

The connection is working today without any other updates, except with the addition of the "management-access inside" command used to test Ping command. 

Have not tried to connect with the AT&T laptop yet, so I do not know if that is working or not. 

The configuration works from a workstation of same operating system and VPN client software.

Comments:
1. USB devices, not sure why this should make a difference.  It is essentially a modem connection to the Internet. I will test connection.
2. I will try disabling the firewall to see if that makes a difference.
3. Please check the configuration as to needed or missing commands.

Is there a reason why this would be intermittent?
I will test my laptop with the Internal Verizon card and give an update.


I tested the connection via the Verizon network card.  This card is built into the Vista laptop and is not an external USB connection.
Connection is working. The only thing that was changed is the command: "management-access inside".   No other changes were made in the interim.

I will test with the other XP laptop (not at this location so it will be a little while before testing).

Please also check if your Linksys Router/firewall is configured in pass through mode for VPN.

Yes, local firewall allows pass-through.  Local workstation works through it (always has for this device) and now it is working on the Vista laptop.  Only thing is the laptop was rebooted.  With all things Microsoft, reboot usually helps.   Still have issue with other laptop.

manasjai (Cisco Employee)

Hi Michael,

management-access inside is used when you want to ping the inside interface of the PIX from the laptop connected to the VPN.

It would make no difference in accessing the internal resources.

If this command is not present on the PIX, you will not be able to ping the inside IP address but you would still be able to ping the inside hosts .

When you are not able to access the resources, try doing a route print on the PC

The route for 192.168.0.x/24 should be through 192.168.101.104

Also , choose status > statistics in the VPN client and check the status of encaps and decaps

Check the same on the PIX by issuing the command sh cry ips sa peer ; you can find the public IP of your laptop by typing whatismyip on the browser.

If you see encaps on the VPN stats, we can apply captures on the inside interface of the PIX to see how the PIX is treating the packet, considering it is reaching the PIX. You can apply captures as follows:

access-list capi permit ip host 192.168.101.104 host 192.168.0.4

access-l capi permit ip host 192.168.0.4 host 192.168.101.104

capture capi access-l capi interface inside

Now initiate a ping from your laptop and see the output of sh cap capi. It would be great if you could share this output.

Also let me know if disabling Windows firewall helps!!

Thanks

manasi
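The route-print check suggested above, turned into a small checker added here (not code from the thread or from Cisco): it parses a constructed Windows `route print` IPv4 table and reports whether the remote LAN 192.168.0.0/24 has a specific route leaving via the VPN pool address (192.168.11.100, as reported later in the thread), or whether the client only has its default route. The sample table and the exact column layout are assumptions.

```python
import ipaddress
import re

# Constructed sample of the IPv4 section of `route print` on a VPN-connected
# Vista laptop; not real output from the thread. 192.168.101.104 is the LAN
# address, 192.168.11.100 the address assigned from the PIX pool.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.101.1  192.168.101.104     20
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
      192.168.0.0    255.255.255.0   192.168.11.100   192.168.11.100     20
    192.168.101.0    255.255.255.0         On-link  192.168.101.104    276
===========================================================================
"""

# destination, netmask, gateway, interface, numeric metric
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from the IPv4 table."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, separator and header lines do not match
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes

def check_remote_lan_route(text, remote_lan, pool_ip):
    """Longest-prefix match for remote_lan; 'ok' only if it exits via the VPN adapter."""
    target = ipaddress.ip_network(remote_lan)
    best = None
    for net, gw, iface, metric in parse_routes(text):
        if net.supernet_of(target) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface, metric)
    if best is None:
        return "no route"
    if best[0].prefixlen == 0:
        return "default route only: VPN client did not install the remote-LAN route"
    if best[2] != pool_ip:
        return f"route via {best[2]}, not the VPN pool address {pool_ip}"
    return "ok"
```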

manasjai (Cisco Employee)

I am assuming that the IP you got from the pool is 192.168.101.104.

If you get any other IP address, replace 192.168.101.104 with that IP address in the above tests!!!

I do not have access to the other laptop until Monday.  So I will test then.  In the mean time the local PC address from the Pool is:  192.168.11.100

manasjai (Cisco Employee)

Hi Michael,

All right, in that case, once you are connected to the VPN, just check the statistics to see if we are encapsulating and sending the packets.

We can apply the following captures on the PIX:

access-list capi permit ip host 192.168.11.x host 192.168.0.4

access-l capi permit ip host 192.168.0.4 host 192.168.11.x

where 192.168.11.x is the IP address that you get

capture capi access-l capi interface inside

Now initiate a ping from your laptop and see the output of sh cap capi.

I request you to paste the output of sh cap capi here.

Indeed the VPN client's statistics are very useful.

According to your findings, I would recommend you the following:

1- Once the client gets connected, try to access the remote network (generate some VPN traffic), then check the VPN statistics... do you see the TX counters increased? if so, place a capture on the PIX to check for that traffic...

2- If you do not see any TX packets, then run a packet-sniffer on the faulty computer and check for that traffic...

There are known issues on Windows Vista due to an update to the DNE, I would recommend you to install the latest IPsec client and update your DNE, Citrix just released the new version...

Please keep us posted on any update.
