VPN users not able to ping each other

Ok here is what I have.

Cisco Pix 520's, primary and failover. I am not using a VPN concentrator.

All my users are on VPN. We can ping and map server drives and folders, and servers can map to our machines.

However, VPN users cannot ping, map or share drives with each other.

So essentially, with users connected to the VPN and behind the company firewall, it should not be such a problem pinging users' individual machines.

Here is my actual setup

access-list 101 permit ip 10.0.0.0 255.0.0.0 172.16.2.0 255.255.255.0
access-list 101 permit ip any 172.16.2.0 255.255.255.0
access-list outside_cryptomap_dyn_24 permit ip any 172.16.2.0 255.255.255.0
access-list Prod_splitTunnelAcl permit ip 10.10.1.0 255.255.255.0 any

ip local pool VPN-pool 172.16.2.1-172.16.2.254


vpngroup Prod address-pool VPN-pool
vpngroup Prod dns-server 10.10.1.250
vpngroup Prod wins-server 10.10.1.14
vpngroup Prod default-domain secret.com
vpngroup Prod split-tunnel Prod_splitTunnelAcl
vpngroup Prod idle-time 1800
vpngroup Prod password ************

So would an entry like

access-list 101 permit ip 172.16.2.0 255.255.255.0 172.16.2.0 255.255.255.0

allow my VPN users to ping each other and map drives?

All my servers are on a 10.10.0.0 network.

The VPN IP addresses are 172.16.2.0.

NetNinja asked:
lrmoore commented:
> However VPN users cannot ping, map or share drives with each other
Correct. The Cisco VPN client has an internal ZoneAlarm firewall that is not configurable. The "Stateful Firewall always on" option only controls the behavior when the VPN is not connected. Once connected, the stateful firewall is always on.

The VPN3000 series concentrator gives you some additional control with sending firewall rules, but the PIX will not.

magicomminc commented:
What is your PIX software version? Until version 7.01, you can't make a "U" turn (traffic leaving the same interface it arrived on); you may have to upgrade your firewall software. See below from Cisco 7.01:
• Enables remote-access VPN connections to be terminated on the outside interface of a Cisco PIX Security Appliance, allowing Internet-destined traffic from remote-access user VPN tunnels to leave through the same interface it arrived at (after firewall rules, URL filtering policies, and other security checks have been optionally applied).
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_data_sheet0900aecd80225ae1.html
NetNinja (author) commented:
The IOS version is 6.2. I believe Cisco has released version 6.3, and the end of life for these Pix 520 firewalls was 2 months ago.

I also need a Cisco CCO account to view the link you posted.

magicomminc commented:
You need to upgrade the software to support that "U" turn feature, and you would need a CCO account to upgrade the PIX software. Even though the 520 is EOL, I believe their support for that would last at least a few more years.
Here is the same URL that doesn't require a CCO:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet0900aecd80225ae1.html
NetNinja (author) commented:
The Cisco Ninja! (lrmoore) What's going on dude! Thanks for the info!
magicomminc commented:
lrmoore: in the statement "However VPN users cannot ping, map or share drives with each other", I think "each other" means "those connected VPN PCs". NetNinja, can you please confirm this? If not, that will be a totally different story.
lrmoore commented:
Magicomminc (the Force is with him, too) is right, it's really a combination of both issues.
Even if the Pix could support client-client communications at all, the client firewall would still prevent it.

I'm amazed at the number of questions in this forum where VPN users try to turn their VPN-connected PC into a router for some other application, and get upset because they can't. If they could, then it wouldn't be a world-class security product and would die a painful death.

Cheers, mates!

magicomminc commented:
Cheers,
Here is the case I was thinking of:
PC client: IP address 192.168.1.0/24, VPN pool: 10.10.10.0/24
After the PC has VPNed, it won't be able to ping 192.168.1.0/24 anymore, and that is controlled by the concentrator's split-tunnel. But with the new PIX version 7.01, they should be able to make a "U" turn from the pix and ping other 10.10.10.0/24 PCs. Is that what NetNinja was originally asking?
NetNinja (author) commented:
My network is a 10.10 network which my servers are all on.

My VPN pool of addresses starts at 172.16.2.

All company users connect and work remotely from home using VPN.
They are personal machines. They are not company machines.
All running a variety of OSes, Win2k and WinXP.
(Oh the pain!)

We can communicate with the servers
We can map drives to the servers
The servers can map drives from us.

We want to map each others drives or folders.
We can't do this.

I don't have a concentrator. These PIX 520's are old and they have the bare minimum to run IOS version 6.2 and the PDM manager v2.1.

16 MB flash, 128 MB of RAM, 350 MHz.

I am not sure if IOS 7.0 will run on the PIX 520's.
The documentation you linked to me does not mention the Pix 520.


magicomminc commented:
Once those PCs have VPNed, they get a 172.16.2 address, and drive mapping between 10.10 and 172.16.2 works, but you intend to map drives between PCs that have 172.16.2 addresses, and that didn't work. Is that the case?
NetNinja (author) commented:
Correct.

Personal machines that connect via the Cisco VPN client get assigned an IP from a pool of VPN addresses, 172.16.2.
magicomminc commented:
lrmoore, please clarify this: based on the above case, do you think "Stateful Firewall always on" is still a factor and prevents the connection?
lrmoore commented:
This is exactly how I read the question originally...
ClientX at home with 172.16.2.x wants to connect to ClientY 172.16.2.Y

It just can't happen, for both reasons and more.

Both clients are "outside" and the pix won't send a packet back out the same interface it came in on. Traffic from ClientX comes into the pix, then would have to turn around and go back out to ClientY. Won't happen except with 7.0.

The 2nd reason is the stateful firewall is always enabled while the vpn is active, regardless of whether it is selected as "always on". Only the VPN 3000 can send firewall rules to the client, not the PIX. Maybe in 7.0...but I wouldn't count on it.

The 3rd reason is that the IPSEC traffic is defined by acl as source 10.10.x.x to 172.16.2.x, and with split-tunneling enabled, that's the only traffic that goes through the vpn. Not 172.16.2.x -> 172.16.2.y. You can't define it unless each client gets a different subnet... hmmm... maybe, except for rule #1 above.
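An added audit script (not part of this thread, and not Cisco's or the poster's code) that checks the two PIX-side conditions lrmoore's 1st and 3rd reasons describe: whether the VPN pool is itself among the networks the split-tunnel ACL sends through the tunnel, and whether the 7.0 hairpin command is present. It assumes `same-security-traffic permit intra-interface` is the PIX 7.0 command for the "U" turn discussed above (the command itself is not quoted in the thread), and it can say nothing about the client-side stateful firewall, the 2nd reason.

```python
import ipaddress
import re

# Constructed sample: the ACL, pool and vpngroup lines quoted in the question (PIX 6.2).
PIX_62 = """\
access-list 101 permit ip 10.0.0.0 255.0.0.0 172.16.2.0 255.255.255.0
access-list Prod_splitTunnelAcl permit ip 10.10.1.0 255.255.255.0 any
ip local pool VPN-pool 172.16.2.1-172.16.2.254
vpngroup Prod address-pool VPN-pool
vpngroup Prod split-tunnel Prod_splitTunnelAcl
"""
# Constructed, hypothetical "after" sample: pool added to the split-tunnel ACL, plus the
# PIX 7.0 command that lets traffic leave the interface it arrived on (the "U" turn).
PIX_70 = PIX_62 + """\
access-list Prod_splitTunnelAcl permit ip 172.16.2.0 255.255.255.0 any
same-security-traffic permit intra-interface
"""

def parse_acls(config):
    """Map ACL name -> [(source net, destination net)] for 'permit ip' entries ('any' = 0.0.0.0/0)."""
    acls = {}
    for line in config.splitlines():
        t = re.sub(r"\bany\b", "0.0.0.0 0.0.0.0", line).split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            nets = [ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False) for i in (4, 6)]
            acls.setdefault(t[1], []).append(tuple(nets))
    return acls

def pool_network(config, name):
    """Smallest prefix covering an 'ip local pool NAME first-last' range."""
    m = re.search(rf"^ip local pool {re.escape(name)} (\S+)-(\S+)$", config, re.M)
    net, last = ipaddress.ip_network(m.group(1)), ipaddress.ip_address(m.group(2))
    while last not in net:
        net = net.supernet()
    return net

def audit(config, group):
    """PIX-side checks only; the VPN client's own stateful firewall is not visible here."""
    attrs = dict(re.findall(rf"^vpngroup {re.escape(group)} (\S+) (\S+)$", config, re.M))
    pool = pool_network(config, attrs["address-pool"])
    split = parse_acls(config).get(attrs["split-tunnel"], [])
    # The client tunnels only traffic for the split-tunnel source networks, so the pool must be one.
    pool_tunnelled = any(pool.subnet_of(src) for src, _ in split)
    hairpin = re.search(r"^same-security-traffic permit intra-interface$", config, re.M) is not None
    return {"pool_in_split_tunnel": pool_tunnelled, "hairpin_permitted": hairpin,
            "client_to_client_possible_on_pix": pool_tunnelled and hairpin}
```

Run against the quoted 6.2 config it reports both checks false; the hypothetical 7.0 sample passes both, which is still only the PIX half of the story.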
magicomminc commented:
If we just focus on this: "Both clients are "outside" and the pix won't send a packet back out the same interface it came in on. Traffic from ClientX comes into the pix, then would have to turn around and go back out to ClientY. Won't happen except with 7.0."
With PIX 7.0, client X with IP 172.16.2.X wants to map a drive at client Y with IP 172.16.2.Y; do they care about "Stateful Firewall on or off"?