Solved

Cisco VPN 3005 Concentrator and Cisco Pix Problem

Posted on 2006-07-07
Last Modified: 2012-05-05
Hello,

This is my situation. I have a PIX firewall and a VPN Concentrator 3005. Remote users use the Cisco VPN client. They all connect fine (the little padlock appears in the bottom right-hand corner), but they cannot access any network resources, e.g. they cannot ping the terminal server or their PC, etc.

If I use the SSL method to connect to my concentrator, that works fine, and they can ping fine.

Please help! :-(

Phil
Comment
Question by:bigspoon1980
8 Comments
 
LVL 8

Expert Comment

by:photograffiti
ID: 17059430
When the remote users connect in, right-click on the padlock and look at encrypted and decrypted packets. If you see encrypted but no decrypted, then something is going on at your Concentrator or beyond, most likely some routing problems. In that case, get on your Concentrator and look at the VPN session under the Administration tab. Check to see if you're getting decrypts but not encrypts. That would mean you're receiving the VPN traffic and decrypting it, but you are not getting valid traffic back to encrypt. This would point to a routing problem. Then make sure your internal devices have a route to the subnet you've assigned to your VPN clients.
 

Author Comment

by:bigspoon1980
ID: 17064440
If it is a routing problem, then why does the SSL VPN work fine? Do you think it may be my PIX that's causing the problem?

kind regards,

phil
 

Author Comment

by:bigspoon1980
ID: 17064565
Hello,

Sorted it. I think the group configuration was misconfigured. All I did was create a new group and a new user that picked up fresh settings from the base group, and it worked fine.

I can now connect with the Cisco VPN client and ping my LAN.
 
LVL 8

Expert Comment

by:photograffiti
ID: 17068555
That's great. I'm glad to hear it's working.
 

Author Comment

by:bigspoon1980
ID: 17068636
There is one thing I have noticed, though. On my PIX I have 2 rules:

   outside any to inside any >1023 tcp
   outside any to inside any >1023 udp

I don't really want those rules on there, as it opens up loads of ports like Terminal Services and VNC on my servers with external IP addresses, but if I take them out, the VPN client can successfully connect, but the clients cannot see the LAN (like the above problem)?

If someone can tell me and provide a solution, I will award the 500 points.

Kind regards,

Phil
 
LVL 8

Expert Comment

by:photograffiti
ID: 17068659
Well, since you're going through a PIX before you get to the Concentrator, there is another possible reason why you're unable to pass traffic. You can form Phase 1 of an IPSec tunnel if you have ISAKMP open. But if you don't have ESP open, then Phase 2 of IPSec won't work, and that's the part where data actually flows. So there are a few things to make sure you have set up right.
On the PIX, all you should need opened are UDP port 4500 and the ESP protocol, which is just another IP protocol like UDP and TCP are.
   access-list 101 permit esp any any
   access-list 101 permit udp any any eq 4500
On the VPN client, make sure you choose Allow NAT Transparency or something to that effect.
Try that and remove your other ACLs and see if that works.
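As an added example (not from the thread or from Cisco documentation), here is what the narrowed PIX access list described in the comment above looks like in PIX 6.x syntax, with the two broad ">1023" rules from Phil's post shown first for contrast. The ACL number 101, the interface name "outside" and the concentrator's public address 203.0.113.10 are assumed; substitute the real address rather than leaving the destination as "any". ISAKMP (UDP 500) is included because IKE Phase 1 has to reach the concentrator before the UDP 4500 or ESP traffic of Phase 2 ever appears, and the "!" lines are annotations, not commands.

```cisco
! Before (the rules from Phil's post): any outside host may reach any
! inside host on any TCP/UDP port above 1023, which exposes RDP (3389),
! VNC (5900+) and anything else listening high on the externally
! addressed servers.
access-list 101 permit tcp any any gt 1023
access-list 101 permit udp any any gt 1023

! After: only the remote-access IPsec traffic the 3005 needs, and only
! to the concentrator's public interface (203.0.113.10 is an assumed
! example address).
access-list 101 permit udp any host 203.0.113.10 eq 500
access-list 101 permit udp any host 203.0.113.10 eq 4500
access-list 101 permit esp any host 203.0.113.10
access-group 101 in interface outside
```

After a client connects, "show access-list 101" shows a hit count per entry. With NAT Transparency (NAT-T) enabled on the client, the ESP traffic is carried inside UDP 4500, so it is normal for the 4500 entry to climb while the bare esp entry stays at zero; the esp entry only matters for clients that negotiate without NAT-T.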
 

Author Comment

by:bigspoon1980
ID: 17071909
Hello,

Thanks for your help, that worked. I have successfully removed those ports, but I still have these ports open on the firewall:

   any any domain /udp
   any any domain /tcp

Would it make a difference if I removed them?

Kind regards,

Phil
 
LVL 8

Accepted Solution

by: photograffiti (earned 2000 total points)
ID: 17073445
Well, those ports you listed are just for DNS. If you don't have an internal DNS server then you shouldn't need that. You can remove it and everything should still work.
