  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 340

Cisco VPN Client

I just changed my firewall to a Cisco PIX 506. My remote site is using the Cisco VPN Client to connect to headquarters; the connection is working fine and they can successfully connect to HQ, but when my users in HQ try to connect to my remote users' PCs they are unable to connect. So what should I do to make the users in HQ able to connect back to my remote site users' printers and PCs?

Thanks in Advance
0
2 Solutions
 
stressedout2004Commented:
1) Where is the PIX 506 located? On the Remote site or HQ?
2) So when the VPN Client user gets connected to the HQ, you want the users at HQ to be able to connect back to the VPN Client user and access the resources on the VPN Client user's PC. Correct? What particular resources do you want to access aside from printers (e.g. shared folders, RDP, etc.)?

0
 
inteqAuthor Commented:
The PIX 506 is located at HQ. Yes, I want the HQ users to connect back to the VPN Client users, and the only resource I want to access is the printers connected to the clients' machines, so users can send print jobs from HQ to be printed at the remote site, which is connected using the Cisco VPN Client.

Thanks
0
 
prueconsultingCommented:
How is your ACL configured for your VPN connections?
0
 
inteqAuthor Commented:
The ACL is open for everything for the local pool used to assign addresses to the remote users. I only have a problem connecting back from the network inside the PIX to access the resources on the remote subnet, which is connected using the Cisco VPN Client.
0
 
inteqAuthor Commented:
Experts...

Any comment please?

It's urgent.
0
 
prueconsultingCommented:
Create another entry within the same ACL to allow traffic from the other network back.

Usually I have configured them like this without issue.

i.e.

access-list vpn-out permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn-out permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
0
 
inteqAuthor Commented:
The VPN Client gets an IP address when it connects to the PIX at HQ using the Cisco VPN Client. The connected client can access the resources in HQ without any problem, but when users from HQ want to access the resources on the clients' machines they can't get through. I can't even ping the connected clients using the IP addresses given to them by the PIX.

How do I make my HQ users connect back to resources shared on the clients' network?

I tried the above mentioned solution but it doesn't seem to be working. Below is the PIX script, so if you can, please specify where I should put these lines:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password OyUlMbG6g3JRSjD3 encrypted
passwd OyUlMbG6g3JRSjD3 encrypted
hostname pix
domain-name abc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list abcvpn_splittunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_access_in remark
access-list inside_access_in permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq pop3
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list inside_access_in permit icmp 192.168.1.0 255.255.255.0 any echo-reply
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq telnet
access-list outside_access_in remark
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit ip 192.168.17.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in permit tcp any host 203.125.127.210 eq smtp
access-list outside_access_in permit icmp any host 203.125.127.210
access-list inside_nat0_outbound permit ip any 192.168.17.0 255.255.255.0
access-list outside_cryptomap_dyn1 permit ip any 192.168.17.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 213.25.27.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnabc 192.168.17.1-192.168.17.30
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.1.10 255.255.255.255 inside
pdm location 192.168.17.0 255.255.255.0 outside
pdm history enable
arp timeout 18000
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 213.25.27.21 192.168.1.10 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 213.25.27.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:30:00 udp 0:02:00 rpc 0:15:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:04:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_dyn1
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1800
vpngroup abcvpn address-pool vpnabc
vpngroup abcvpn dns-server 165.21.83.88 203.120.90.40
vpngroup abcvpn default-domain abc.com
vpngroup abcvpn split-tunnel abcvpn_splittunnelAcl
vpngroup abcvpn idle-time 7200
vpngroup abcvpn password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 30
console timeout 0
terminal width 80
Cryptochecksum:e06b851898cf3e01f3a014430526d34d
: end


Please help as this is very urgent.

Thanks
0
 
stressedout2004Commented:
Make the following changes on the PIX in the order that they appear:

access-list abcvpn_splittunnelAcl permit ip 192.168.1.0 255.255.255.0 192.168.17.0 255.255.255.0
no access-list abcvpn_splittunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 192.168.17.0 255.255.255.0
sysopt connection permit-ipsec
clear xlate

When these changes are applied, test the connection by first pinging the assigned IP address of the VPN Client user from HQ. Once you can ping, you can try accessing the VPN client user's shares by means of their UNC path, e.g. \\192.168.17.x
0
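Why the posted config dropped HQ-to-client traffic, and why the one added ACL line fixes it, can be checked offline. The following is an added example and not code from the thread or from Cisco: a minimal evaluator for PIX 6.x access-lists that parses the inside_access_in ACL exactly as posted and asks whether an HQ host (192.168.1.10, a constructed address) may ping or open an SMB session (TCP 445, assuming Windows printer sharing) to a VPN client at 192.168.17.5 (a constructed address inside the vpnabc pool), before and after the added `permit ip 192.168.1.0 255.255.255.0 192.168.17.0 255.255.255.0` line. Before the fix the only ICMP entry is `echo-reply` and no TCP entry covers port 445, so both flows fall through to the implicit deny; after the fix both are permitted. The NAT exemption (`inside_nat0_outbound`) already covered 192.168.17.0/24 in the posted config, so the inside interface ACL was the missing piece; `sysopt connection permit-ipsec` additionally lets decrypted IPsec traffic bypass the outside interface ACL.

```python
"""Tiny evaluator for PIX 6.x access-lists (added example, not from the thread).

Models only the ACE forms in the posted config: permit/deny, protocol, 'any' /
'host A' / 'A MASK' addresses (PIX 6.x uses subnet masks, not IOS wildcards),
an optional 'eq PORT' for tcp/udp, an optional ICMP type, and the implicit
deny at the end of every ACL. NAT and the crypto map are out of scope.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port names as PIX 6.3 prints them in 'show access-list'.
PORT_NAMES = {"domain": 53, "www": 80, "https": 443, "pop3": 110, "smtp": 25,
              "ftp": 21, "ftp-data": 20, "telnet": 23, "netbios-ssn": 139}


@dataclass
class Ace:
    action: str                 # 'permit' or 'deny'
    proto: str                  # 'ip', 'tcp', 'udp' or 'icmp'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]         # tcp/udp destination port from 'eq', else None
    icmp_type: Optional[str]    # e.g. 'echo' or 'echo-reply', else None


def _take_addr(tokens):
    """Consume one address spec ('any', 'host A' or 'A MASK') from the front."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(config_text, name):
    """Collect the ACEs of access-list <name> in config order, skipping remarks."""
    aces = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 5 or t[:2] != ["access-list", name] or t[2] == "remark":
            continue
        src, rest = _take_addr(t[4:])
        dst, rest = _take_addr(rest)
        port = icmp_type = None
        if t[3] in ("tcp", "udp") and rest[:1] == ["eq"]:
            port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        elif t[3] == "icmp" and rest:
            icmp_type = rest[0]
        aces.append(Ace(t[2], t[3], src, dst, port, icmp_type))
    return aces


def evaluate(aces, proto, src_ip, dst_ip, port=None, icmp_type=None):
    """First matching ACE wins; no match means the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for a in aces:
        if a.proto not in ("ip", proto) or s not in a.src or d not in a.dst:
            continue
        if a.proto in ("tcp", "udp") and a.port is not None and a.port != port:
            continue
        if a.proto == "icmp" and a.icmp_type is not None and a.icmp_type != icmp_type:
            continue
        return a.action
    return "deny"


# The inside_access_in ACL as posted in the thread (remark line included).
POSTED_INSIDE_ACL = """\
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_access_in remark
access-list inside_access_in permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq pop3
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list inside_access_in permit icmp 192.168.1.0 255.255.255.0 any echo-reply
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq telnet
"""
# The one line stressedout2004 added to that ACL.
FIX_LINE = "access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 192.168.17.0 255.255.255.0\n"

HQ_HOST, VPN_CLIENT = "192.168.1.10", "192.168.17.5"   # constructed sample hosts


def hq_to_client_results(config_text):
    """Verdicts for the two flows the thread cares about: ping, and SMB (tcp/445,
    assumed to be how the shared printers are reached)."""
    acl = parse_acl(config_text, "inside_access_in")
    return {"ping": evaluate(acl, "icmp", HQ_HOST, VPN_CLIENT, icmp_type="echo"),
            "smb": evaluate(acl, "tcp", HQ_HOST, VPN_CLIENT, port=445)}


if __name__ == "__main__":
    print("before fix:", hq_to_client_results(POSTED_INSIDE_ACL))
    print("after fix: ", hq_to_client_results(POSTED_INSIDE_ACL + FIX_LINE))
```

Run as-is it prints `deny` for both flows against the posted ACL and `permit` for both once the fix line is appended, while outbound web traffic from 192.168.1.0/24 is permitted in both cases. The evaluator is deliberately first-match with an implicit deny, which is the PIX semantics that made the original `echo-reply`-only entry insufficient for pings initiated from HQ.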
 
inteqAuthor Commented:
Thanks a lot!

It worked.
Now I have one more question, as you know my network setup: my remote site is using an ADSL connection (dynamic IP) to connect to the internet and to headquarters.

If I deploy a Cisco 877 ADSL router, can I create a permanent VPN to headquarters?

Thanks for your help.
0
 
stressedout2004Commented:
Yes, you can. Just configure the HQ to accept dynamic point-to-point VPN connections and you will be all set.
0
 
inteqAuthor Commented:
How to do that?
0
 
stressedout2004Commented:
Assuming you have deployed the 877 router and that the internal network
of the 877 is 192.168.2.0/24, you will need the following changes:

On the PIX:

isakmp key changeme address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
no crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_dyn1
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


On the 877 router:

! Phase 1 proposal: must match the PIX isakmp policy 10 (3des / md5 / group 2 / pre-share)
crypto isakmp policy 10
 hash md5
 encryption 3des
 group 2
 authentication pre-share

crypto isakmp key changeme address 213.25.27.2 no-xauth

crypto ipsec transform-set 3des esp-3des esp-md5-hmac

! Traffic to encrypt: branch LAN to HQ LAN (IOS ACLs use wildcard masks)
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

crypto map main_vpn 10 ipsec-isakmp
 set peer 213.25.27.2
 set transform-set 3des
 match address 120

Then you need to apply the crypto map on the WAN interface. But pretty much, for the
VPN part, the above is all you need.
0
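Two points in this thread hinge on how Cisco access-list masks are written. PIX 6.x access-lists take ordinary subnet masks, while IOS numbered access-lists on the 877 take wildcard (inverted) masks, and for the LAN-to-LAN tunnel the PIX `nat 0` exemption and the router's crypto ACL have to describe the same pair of networks in opposite directions (the answer removes `match address` from the PIX dynamic map, so the PIX accepts whatever proxy identities the 877 proposes; the `inside_nat0_outbound` line is then what must line up with `access-list 120`). The following added example, not code from the thread or from Cisco, parses a PIX-style and an IOS-style `permit ip` ACE, validates that each mask is contiguous in its own convention, and checks that the two are mirror images. `PIX_NAT0` and `IOS_120` are copied from the answer above; `PIX_HOSTMASK` is a constructed example of the common slip of writing 255.255.255.255 where 255.255.255.0 was meant, which on a PIX turns a /24 into a single host.

```python
"""Mirror check for the two ends of a Cisco LAN-to-LAN tunnel definition.

Added example, not from the thread or from Cisco. PIX 6.x ACEs carry subnet
masks; IOS numbered ACEs carry wildcard (inverted) masks. Both are parsed
into ipaddress networks and compared, with each mask validated in its own
convention rather than relying on ipaddress' netmask/hostmask auto-detection
(which would silently accept a netmask pasted into a wildcard field).
"""
import ipaddress


def _prefix_from_netmask(mask_str):
    """Prefix length of a contiguous netmask (1*0*); ValueError otherwise."""
    m = int(ipaddress.IPv4Address(mask_str))
    ones = 0
    while ones < 32 and m & (1 << (31 - ones)):
        ones += 1
    if m & ((1 << (32 - ones)) - 1):        # any 1 bit after the first 0 bit
        raise ValueError(f"{mask_str} is not a contiguous netmask")
    return ones


def pix_net(addr, mask):
    """PIX style: address plus subnet mask, e.g. 192.168.1.0 255.255.255.0."""
    return ipaddress.IPv4Network(f"{addr}/{_prefix_from_netmask(mask)}", strict=False)


def ios_net(addr, wildcard):
    """IOS style: address plus wildcard, e.g. 192.168.2.0 0.0.0.255."""
    w = int(ipaddress.IPv4Address(wildcard))
    netmask = str(ipaddress.IPv4Address((~w) & 0xFFFFFFFF))   # invert the wildcard
    return ipaddress.IPv4Network(f"{addr}/{_prefix_from_netmask(netmask)}", strict=False)


def _ace_fields(line, style):
    """Split 'access-list NAME permit ip A M B M' into (A, M, B, M)."""
    t = line.split()
    if len(t) != 8 or t[0] != "access-list" or t[2] != "permit" or t[3] != "ip":
        raise ValueError(f"unsupported {style} ACE: {line!r}")
    return t[4], t[5], t[6], t[7]


def parse_pix_ace(line):
    a, am, b, bm = _ace_fields(line, "PIX")
    return pix_net(a, am), pix_net(b, bm)


def parse_ios_ace(line):
    a, aw, b, bw = _ace_fields(line, "IOS")
    return ios_net(a, aw), ios_net(b, bw)


def mirrors(pix_line, ios_line):
    """True when the PIX (src, dst) equals the router's (dst, src) exactly."""
    p_src, p_dst = parse_pix_ace(pix_line)
    r_src, r_dst = parse_ios_ace(ios_line)
    return (p_src, p_dst) == (r_dst, r_src)


# Copied from the answer above: HQ side (PIX) and branch side (877).
PIX_NAT0 = "access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0"
IOS_120 = "access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"
# Constructed: host masks on network addresses, so each side is a single /32.
PIX_HOSTMASK = "access-list vpn-out permit ip 192.168.1.0 255.255.255.255 192.168.2.0 255.255.255.255"

if __name__ == "__main__":
    print("answer's pair mirrors:  ", mirrors(PIX_NAT0, IOS_120))
    print("host-mask slip mirrors: ", mirrors(PIX_HOSTMASK, IOS_120))
    print("host-mask slip parses as:", parse_pix_ace(PIX_HOSTMASK))
```

The answer's pair reports True; the host-mask line reports False, and printing its parsed form shows 192.168.1.0/32 and 192.168.2.0/32, which is why a PIX ACE written that way never matches a whole LAN. A netmask pasted into an IOS wildcard field (e.g. `255.255.255.0`) is rejected with ValueError rather than silently inverted. One further caveat on the PIX side of the answer: because the 877 sits behind a dynamic ADSL address, the PIX has to use a wildcard pre-shared key (`isakmp key ... address 0.0.0.0 netmask 0.0.0.0`), so any peer that holds that key can complete phase 1; replace `changeme` with a long random secret before deploying.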
