Solved

Cisco VPN 3005 Concentrator and Cisco Pix Problem

Posted on 2006-07-07
Last Modified: 2012-05-05
Hello,

This is my situation.. I have a PIX firewall and a VPN Concentrator 3005. Remote users use the Cisco VPN client. They all connect fine (the little padlock appears in the bottom right hand corner), but they cannot access any network resources, e.g. they cannot ping the terminal server or their PC etc..

If I use the SSL method to connect to my concentrator, that works fine.. and they can ping fine.

Please help! :-(

Phil
Question by:bigspoon1980
8 Comments
 
LVL 8

Expert Comment

by:photograffiti
ID: 17059430
When the remote users connect in, right-click on the padlock and look at encrypted and decrypted packets. If you see encrypted but no decrypted then something is going on at your Concentrator or beyond. Most likely some routing problems. In that case, get on your Concentrator and look at the VPN session under the Administrative tab. Check to see if you're getting decrypts but not encrypts. That would mean you're receiving the VPN traffic and decrypting it but you are not getting valid traffic back to encrypt. This would point to a routing problem. Then make sure your internal devices have a route to the subnet you've assigned to your VPN clients.
0
 

Author Comment

by:bigspoon1980
ID: 17064440
If it is a routing problem, then why does the SSL VPN work fine? Do you think it may be my PIX that's causing the problem?

kind regards,

phil
0
 

Author Comment

by:bigspoon1980
ID: 17064565
hello,

Sorted it.. I think the group configuration was misconfigured. All I did was create a new group and a new user that picked up fresh settings from the base group, and it worked fine.

I can now connect with the Cisco VPN client and ping my LAN.
0
 
LVL 8

Expert Comment

by:photograffiti
ID: 17068555
That's great. I'm glad to hear it's working.
0
 

Author Comment

by:bigspoon1980
ID: 17068636
There is one thing I have noticed though... On my PIX I have 2 rules:

outside any to inside any >1023 tcp
outside any to inside any >1023 udp

I don't really want those rules on there, as it opens up loads of ports like terminal services and VNC on my servers with external IP addresses.. but if I take them out, the VPN client can successfully connect, but the clients cannot see the LAN (like the above problem)?

If someone can tell me and provide a solution I will award the 500 points...

kind regards,

phil..
0
 
LVL 8

Expert Comment

by:photograffiti
ID: 17068659
Well, since you're going through a PIX before you get to the Concentrator there is another possible reason why you're unable to pass traffic. You can form Phase 1 of an IPSec tunnel if you have ISAKMP open. But if you don't have ESP open then Phase 2 of IPSec won't work and that's the part where data actually flows. So there are a few things to make sure you have set up right.
On the PIX, all you should need opened are UDP port 4500 and the ESP protocol, which is just another protocol like UDP and TCP are.
   access-list 101 permit esp any any
   access-list 101 permit udp any any eq 4500
On the VPN client, make sure you choose Allow NAT Transparency or something to that effect.
Try that and remove your other ACLs and see if that works.
0
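An added example, not from the thread: a small Python checker built on a simplified PIX-style access-list grammar I constructed (real PIX syntax has many more forms). It parses permit/deny lines and reports whether the flows an IPsec client needs are allowed, and which permit entries open whole port ranges like the `>1023` rules above. It goes one step beyond the comment by also checking UDP 500, which IKE/ISAKMP uses before floating to 4500 under NAT-T.

```python
import re
from typing import NamedTuple, Optional

# Simplified PIX ACE grammar (constructed; real PIX syntax has many more forms):
#   access-list <id> permit|deny <proto> <src> <dst> [eq <port> | gt <port>]
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)(?:\s+(?P<op>eq|gt)\s+(?P<port>\d+))?\s*$"
)
class Ace(NamedTuple):
    action: str
    proto: str           # tcp, udp, esp, ip ...
    op: Optional[str]    # "eq", "gt" or None (any port)
    port: Optional[int]

def parse_acl(text: str) -> list[Ace]:
    """Parse one ACE per line; unknown forms raise rather than being ignored."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        port = int(m["port"]) if m["port"] else None
        aces.append(Ace(m["action"], m["proto"].lower(), m["op"], port))
    return aces

def permits(aces: list[Ace], proto: str, port: Optional[int] = None) -> bool:
    """First matching ACE wins; no match means the implicit deny at the end."""
    for ace in aces:
        if ace.proto not in (proto, "ip"):
            continue
        if ace.op == "eq" and port != ace.port:
            continue
        if ace.op == "gt" and (port is None or port <= ace.port):
            continue
        return ace.action == "permit"
    return False

# Flows an IPsec client needs: IKE/ISAKMP starts on UDP 500, floats to UDP 4500
# under NAT-T, and the Phase 2 data itself is carried as ESP (no port).
VPN_FLOWS = {"isakmp": ("udp", 500), "nat-t": ("udp", 4500), "esp": ("esp", None)}

def vpn_passthrough_report(text: str) -> tuple[dict, list[Ace]]:
    """Return (which VPN flows are permitted, permit ACEs that open port ranges)."""
    aces = parse_acl(text)
    allowed = {name: permits(aces, *flow) for name, flow in VPN_FLOWS.items()}
    return allowed, [a for a in aces if a.action == "permit" and a.op == "gt"]

# Constructed samples: the poster's two broad rules and the expert's replacement.
BROAD_ACL = "access-list 101 permit tcp any any gt 1023\naccess-list 101 permit udp any any gt 1023"
NARROW_ACL = "access-list 101 permit esp any any\naccess-list 101 permit udp any any eq 4500"
```

Run on the two samples, the report shows the broad `udp gt 1023` rule was what let UDP 4500 through, while the replacement permits only ESP and UDP 4500 and leaves no open port ranges behind.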
 

Author Comment

by:bigspoon1980
ID: 17071909
hello,

Thanks for your help, that worked.. I have successfully removed those ports.. but I still have these ports open on the firewall..

any any domain /udp

any any domain /tcp

Would that make a difference if I removed them?

Kind Regards,

Phil
0
 
LVL 8

Accepted Solution

by:
photograffiti earned 2000 total points
ID: 17073445
Well, those ports you listed are just for DNS. If you don't have an internal DNS server then you shouldn't need that. You can remove it and everything should still work.
0
