Solved

Cisco VPN Client - connect to VPN but can't ping/telnet

Posted on 2006-06-06
1,922 Views
Last Modified: 2013-11-16
We use the Cisco client to connect to our clients' VPNs from our office.  All the VPN connections are working except for one, let's call it ABC.  

When I connect to ABC from home it works fine.  I am able to connect, it assigns me an ip, creates a route in the route print table to the network I need to get to and it allows me to ping and telnet to a computer I need to get to.

When I connect to ABC from the office, I am able to connect to the VPN, it assigns me an IP, creates a route to the network I need to get to BUT when I try to ping or telnet to the computer I need to get to, it times out.  When I do a traceroute it goes nowhere.  

I'm assuming the PIX firewall we have at the office is causing the problem but I have no idea what ports I need to open or what other configs I need to modify to get this thing to work.  ABC is the only connection that doesn't work, all other VPN connections with the Cisco client work fine.  This is what is confusing me.

Any ideas? Any help is appreciated.  

Question by:parmjit80
7 Comments
 

Author Comment

by:parmjit80
ID: 16846517
I found these links....

http://www.experts-exchange.com/Security/Firewalls/Q_21596778.html
http://www.experts-exchange.com/Security/Firewalls/Q_20737333.html

These are exactly the same problem I have.  The NAT-traversal setting, does that have to be enabled on the VPN server or on the client firewall or both?
 
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 16846827
isakmp nat-traversal 20

must be applied to the PIX Firewall, not the client. It enables the PIX and the client to talk to each other, recognize that there is a NAT device in between them, and work anyway.

>When I connect to ABC from the office, I am able to connect to the vpn, it assigns me an ip, creates a route to the network I need to get to BUT when I try to ping or telnet to the computer I need to get to, it times out.  When I do a traceroute it goes no where.  
What is the IP Subnet at ABC that you are trying to reach? What is the IP subnet that is assigned to your client? What is your IP subnet at the office? Do any of the three overlap?
 

Author Comment

by:parmjit80
ID: 16846981


VPN Server  <--------->  Internet <------->  PIX Firewall  <---------> Cisco vpn client


So I have to enable it on the PIX Firewall?  Does it also need to be enabled on the VPN Server?
 
LVL 79

Expert Comment

by:lrmoore
ID: 16847752
Yes, you have to enable it on the PIX *and* allow nat transparency on the VPN server.
What is the VPN server?
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 16901832
moore,

I have a word to say here... parmjit says he is getting the IP, hence the tunnel seems to be up. Will this really help him?
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 16901870
Also, as he says, it's the problem with only one particular user!
 
LVL 79

Expert Comment

by:lrmoore
ID: 16902015
Yes. It is just the way VPN works from behind a NAT device (his PIX).
The PIX must allow nat-traversal.
The remote VPN server must also allow nat-traversal to communicate with a client behind a NAT device like the PIX.
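The behaviour lrmoore describes in the accepted solution and in his last comment (the PIX and the VPN server "recognizing that there is a NAT device in between them", and charan_jeetsingh's point that the tunnel looks up even though no traffic flows) can be shown end to end. The following is an added example, not code from the thread or from Cisco: it implements the RFC 3947 NAT-D check that both IKE peers run, and a toy port-address-translation model standing in for the office PIX. All addresses, ISAKMP cookies and ports are constructed sample values, and SHA-1 is assumed as the hash the SA negotiated.

```python
"""
Why an IPsec client behind PAT completes IKE (UDP 500), gets an address and a
route, yet passes no traffic, and what NAT-Traversal changes. Added example with
constructed values; the PAT model is a simplification, not PIX code.
"""
import hashlib
import ipaddress
import struct

IKE_PORT = 500        # ISAKMP, UDP: has ports, so PAT can translate it
NAT_T_PORT = 4500     # RFC 3947/3948 NAT-T port for IKE and ESP-in-UDP
PROTO_UDP = 17
PROTO_ESP = 50        # raw ESP: no transport ports to translate


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """NAT-D payload value per RFC 3947: HASH(CKY-I | CKY-R | IP | Port),
    IP and port in network byte order. HASH is the SA's negotiated hash;
    SHA-1 is an assumption for this example."""
    h = hashlib.new(algo)
    h.update(cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port))
    return h.digest()


def nat_detected(cky_i: bytes, cky_r: bytes, received_nat_d: bytes,
                 observed_ip: str, observed_port: int) -> bool:
    """Receiver side: recompute the hash over the source address actually seen on
    the wire and compare with the NAT-D the peer computed over its own
    (pre-translation) address. A mismatch means a NAT rewrote the packet."""
    return received_nat_d != nat_d_hash(cky_i, cky_r, observed_ip, observed_port)


class PatDevice:
    """Toy PAT model of the office firewall. Only packets with transport ports
    can be rewritten per inside host; raw ESP has none, so this model drops it.
    (A real PAT device can at best forward ESP for one inside host.)"""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 1024
        self.table = {}  # public port -> (inside ip, inside port)

    def outbound(self, pkt: dict):
        if pkt["proto"] != PROTO_UDP:
            return None  # no ports to translate: dropped
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = (pkt["src_ip"], pkt["src_port"])
        return dict(pkt, src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, pkt: dict):
        inside = self.table.get(pkt["dst_port"])
        if pkt["proto"] != PROTO_UDP or inside is None:
            return None
        return dict(pkt, dst_ip=inside[0], dst_port=inside[1])


def simulate(nat_t_enabled: bool) -> dict:
    """Client 192.168.1.50 behind a PIX at 203.0.113.10 talks to a VPN server at
    198.51.100.5 (constructed addresses). Returns what each side concluded."""
    client_ip, pix_ip, server_ip = "192.168.1.50", "203.0.113.10", "198.51.100.5"
    cky_i, cky_r = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")
    pix = PatDevice(pix_ip)

    # IKE phase 1 over UDP 500; the client's NAT-D covers its private address.
    ike = {"proto": PROTO_UDP, "src_ip": client_ip, "src_port": IKE_PORT,
           "dst_ip": server_ip, "dst_port": IKE_PORT,
           "nat_d": nat_d_hash(cky_i, cky_r, client_ip, IKE_PORT)}
    on_wire = pix.outbound(ike)
    tunnel_up = on_wire is not None  # IKE succeeded: address assigned, route added
    server_sees_nat = tunnel_up and nat_detected(
        cky_i, cky_r, on_wire["nat_d"], on_wire["src_ip"], on_wire["src_port"])

    # Phase 2 data (a ping inside the tunnel): raw ESP, or ESP-in-UDP 4500
    # when NAT-T is enabled on both ends and a NAT was detected.
    if nat_t_enabled and server_sees_nat:
        data = {"proto": PROTO_UDP, "src_ip": client_ip, "src_port": NAT_T_PORT,
                "dst_ip": server_ip, "dst_port": NAT_T_PORT, "payload": "ESP(ICMP echo)"}
    else:
        data = {"proto": PROTO_ESP, "src_ip": client_ip, "dst_ip": server_ip,
                "payload": "ESP(ICMP echo)"}
    out = pix.outbound(data)
    reply = None
    if out is not None:
        # The server answers to the translated address; the PIX maps it back.
        reply = pix.inbound({"proto": PROTO_UDP, "src_ip": server_ip, "src_port": NAT_T_PORT,
                             "dst_ip": out["src_ip"], "dst_port": out["src_port"],
                             "payload": "ESP(ICMP reply)"})
    return {"tunnel_up": tunnel_up, "server_sees_nat": server_sees_nat,
            "data_delivered": out is not None and reply is not None}


if __name__ == "__main__":
    for flag in (False, True):
        print(f"nat-traversal {'on' if flag else 'off'}: {simulate(flag)}")
```

With NAT-T off the run reports the thread's exact symptom: the tunnel is up and the server has already detected the NAT, but the ESP carrying the ping never leaves the PIX. With NAT-T on both ends the same ping travels as UDP 4500 and is delivered, which is why the setting must be enabled on the PIX and on the remote VPN server rather than on the client.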
