draposo
asked on
Setup VPN connection between PIX 506e and Cisco VPN Client
Hi,
I am trying to establish a VPN connection between PIX 506e and Cisco Client 4.01 I have had little luck with various results. I ocasionally get connected but when I do the PIX stops responding to internet requests. Other times I simply cannot get connected.
I used the VPN wizard and assigned a group name and password. I then setup the same info in the CISCO client. When I hit connect I usually don't get conencted but rather start dropping packets on the PIX side. Sometimes I can connect and recieve an IP address from the pool but I can not ping anything. The pool is on the same subnet as the LAN 192.168.10.xxx Basically I am looking for help setting this conenction up the proper way.
Thanks
I am trying to establish a VPN connection between PIX 506e and Cisco Client 4.01 I have had little luck with various results. I ocasionally get connected but when I do the PIX stops responding to internet requests. Other times I simply cannot get connected.
I used the VPN wizard and assigned a group name and password. I then setup the same info in the CISCO client. When I hit connect I usually don't get conencted but rather start dropping packets on the PIX side. Sometimes I can connect and recieve an IP address from the pool but I can not ping anything. The pool is on the same subnet as the LAN 192.168.10.xxx Basically I am looking for help setting this conenction up the proper way.
Thanks
ASKER
Hi,
It seems like the actual problem that I am having might have ot do with VPN passthrough. I can connect to the VPN PIX using the VPN client ( I reset the config) to SITE 1. It looks like services on SITE 1 are OK but I also need to access services at SITE 2 which is connected via a Site-to-Site VPN tunnel but I can't get through. Both sites are running PIX software.
I can ping site 1 LAN addresses but I can't ping Site 1 VPN router. I can not ping anything at site 2. However, if I am connected only through the site-to-site traffic flows between these without a problem.
THANKS
It seems like the actual problem that I am having might have ot do with VPN passthrough. I can connect to the VPN PIX using the VPN client ( I reset the config) to SITE 1. It looks like services on SITE 1 are OK but I also need to access services at SITE 2 which is connected via a Site-to-Site VPN tunnel but I can't get through. Both sites are running PIX software.
I can ping site 1 LAN addresses but I can't ping Site 1 VPN router. I can not ping anything at site 2. However, if I am connected only through the site-to-site traffic flows between these without a problem.
THANKS
Can you clarify where exactly you are connecting from in these two cases.
You can VPN from the internet to SITE1 ok?
When you are connected to SITE1 via VPN you cannot talk to the servers at SITE2?
Is the PIX you connect to at SITE1 also the same PIX used for the site-site VPN?
You can VPN from the internet to SITE1 ok?
When you are connected to SITE1 via VPN you cannot talk to the servers at SITE2?
Is the PIX you connect to at SITE1 also the same PIX used for the site-site VPN?
ASKER
grblades,
first of all thanks for your patience in getting responses from me and your help. I think I can clarify the situation a bit better today than yesterday. Forget about the SITE to SITE VPN .. it makes sense that that does not work because a PIX will not allow you to traverse the same interface in two directions. So here is the long of it.
I have a user who is going to be connecting to our Network (SITE) via a VPN over a wireless ISP (ISP1). The user is using the Cisco VPN client and the SITE is a Cisco PIX 506e . They can establish connectivity and can also connect via the VPN tunnel. However, once they are connected they cannot do anything local at the SITE.
I found out today that this is only when on ISP1. When I connect to another ISP (ISP2) and open the exact same VPN tunnel they can do whatever they want. It seems to have something to do with Ipsec over NAT .. but when I put a router between the client and ISP2 they can still connect. So .. is the issue on the ISP side or is there something on the PIX or VPN client that I must enable? Thanks again for any help you can provide.
first of all thanks for your patience in getting responses from me and your help. I think I can clarify the situation a bit better today than yesterday. Forget about the SITE to SITE VPN .. it makes sense that that does not work because a PIX will not allow you to traverse the same interface in two directions. So here is the long of it.
I have a user who is going to be connecting to our Network (SITE) via a VPN over a wireless ISP (ISP1). The user is using the Cisco VPN client and the SITE is a Cisco PIX 506e . They can establish connectivity and can also connect via the VPN tunnel. However, once they are connected they cannot do anything local at the SITE.
I found out today that this is only when on ISP1. When I connect to another ISP (ISP2) and open the exact same VPN tunnel they can do whatever they want. It seems to have something to do with Ipsec over NAT .. but when I put a router between the client and ISP2 they can still connect. So .. is the issue on the ISP side or is there something on the PIX or VPN client that I must enable? Thanks again for any help you can provide.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
grblades.
Thanks for the help. We are up and running oven the VPN.
Thanks for the help. We are up and running oven the VPN.
Here are a few links:-
PIX configuration examples - http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
PIX configuration basics - http://www.netcraftsmen.net/welcher/papers/pix01.html
PIX ssh configuration - http://www.tech-recipes.com/modules.php?name=Recipes&rx_id=215
My Pages:-
PIX as multi user VPN server - http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
PIX as a home DSL firewall - http://www.gbnetwork.co.uk/networking/ciscopixhomedsl.html
Firstly the VPN pool should be on a different subnet than your internal IP range. This is probably the cause of your problems.
Also client 4.01 is fairly old and so I would try and get an updated version.