Cisco VPN 3005 Concentrator and Cisco Pix Problem

Hello,

This is my situation. I have a PIX firewall and a VPN Concentrator 3005. Remote users use the Cisco VPN client. They all connect fine (the little padlock appears in the bottom right-hand corner), but they cannot access any network resources, e.g. they cannot ping the terminal server or their PC etc.

If I use the SSL method to connect to my concentrator, that works fine, and they can ping fine.

Please help! :-(

Phil
bigspoon1980 Asked:
photograffiti Commented:
Well, those ports you listed are just for DNS. If you don't have an internal DNS server then you shouldn't need that. You can remove it and everything should still work.
0
 
photograffiti Commented:
When the remote users connect in, right-click on the padlock and look at encrypted and decrypted packets. If you see encrypted but no decrypted, then something is going on at your Concentrator or beyond. Most likely some routing problems. In that case, get on your Concentrator and look at the VPN session under the Administrative tab. Check to see if you're getting decrypts but not encrypts. That would mean you're receiving the VPN traffic and decrypting it, but you are not getting valid traffic back to encrypt. This would point to a routing problem. Then make sure your internal devices have a route to the subnet you've assigned to your VPN clients.
0
 
bigspoon1980 Author Commented:
If it is a routing problem, then why does the SSL VPN work fine? Do you think it may be my PIX that's causing the problem?

kind regards,

phil
0
bigspoon1980 Author Commented:
Hello,

Sorted it. I think the group configuration was misconfigured. All I did was create a new group and a new user, which picked up fresh settings from the base group, and it worked fine.

I can now connect with the Cisco VPN client and ping my LAN.
0
 
photograffiti Commented:
That's great. I'm glad to hear it's working.
0
 
bigspoon1980 Author Commented:
There is one thing I have noticed though... On my PIX I have 2 rules:

outside any to inside any >1023 tcp
outside any to inside any >1023 udp

I don't really want those rules on there, as they open up loads of ports like Terminal Services and VNC on my servers with external IP addresses. But if I take them out, the VPN client can successfully connect, but the clients cannot see the LAN (like the above problem)?

If someone can tell me and provide a solution, I will award the 500 points...

kind regards,

phil..
0
 
photograffiti Commented:
Well, since you're going through a PIX before you get to the Concentrator there is another possible reason why you're unable to pass traffic. You can form Phase 1 of an IPSec tunnel if you have ISAKMP open. But if you don't have ESP open then Phase 2 of IPSec won't work and that's the part where data actually flows. So there are a few things to make sure you have set up right.
On the PIX, all you should need opened are UDP port 4500 and the ESP protocol, which is just another protocol like UDP and TCP are.
   access-list 101 permit esp any any
   access-list 101 permit udp any any eq 4500
On the VPN client, make sure you choose Allow NAT Transparency or something to that effect.
Try that and remove your other ACLs and see if that works.
0
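The firewall requirements from the answer above, as an added checker (example code, not from the thread): it parses PIX-style access-list lines, reports which of ESP, IKE and NAT-T are not permitted, and flags blanket "any any" permits like the gt 1023 rules. It assumes IKE on UDP/500 is needed alongside the ESP and UDP/4500 entries the answer lists, and the sample ACLs are constructed.

```python
from typing import NamedTuple, Optional, List, Tuple

# Port names the PIX accepts in place of numbers (subset, constructed for this example).
_PORT_NAMES = {"isakmp": 500, "domain": 53}
# What the IPsec client needs through the firewall: ESP, IKE on UDP/500, NAT-T on UDP/4500.
REQUIRED = [("esp", "esp", None), ("isakmp udp/500", "udp", 500), ("nat-t udp/4500", "udp", 4500)]

class AclEntry(NamedTuple):
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    op: str    # "" when no port clause, else eq/gt/lt
    port: str

def _take_addr(t, i):
    """Consume 'any', 'host A' or 'A MASK' starting at token i; return (text, next index)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1] + "/32", i + 2
    return t[i] + " " + t[i + 1], i + 2

def parse_acl_line(line: str) -> Optional[AclEntry]:
    """Parse 'access-list <id> permit|deny <proto> <src> <dst> [<op> <port>]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        return None
    src, i = _take_addr(t, 4)
    dst, i = _take_addr(t, i)
    op = t[i].lower() if i < len(t) else ""
    port = t[i + 1].lower() if i + 1 < len(t) else ""
    return AclEntry(t[1], t[2].lower(), t[3].lower(), src, dst, op, port)

def _port_num(p: str) -> Optional[int]:
    return int(p) if p.isdigit() else _PORT_NAMES.get(p)

def _permits(e: AclEntry, proto: str, port: Optional[int]) -> bool:
    """Does entry e allow this protocol/port? 'ip' covers every protocol; no op means all ports."""
    if e.action != "permit" or e.proto not in (proto, "ip"):
        return False
    if port is None or e.proto == "ip" or not e.op:
        return True
    n = _port_num(e.port)
    return n is not None and {"eq": n == port, "gt": port > n, "lt": port < n}.get(e.op, False)

def _is_broad(e: AclEntry) -> bool:
    """Permit from any host to any host with no port bound or only a 'gt' lower bound."""
    return (e.action == "permit" and e.src == "any" and e.dst == "any"
            and (e.proto == "ip" or (e.proto in ("tcp", "udp") and e.op in ("", "gt"))))

def audit(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Return (IPsec requirements not permitted, over-broad ACL lines)."""
    parsed = [(ln, parse_acl_line(ln)) for ln in lines]
    entries = [e for _, e in parsed if e]
    missing = [label for label, proto, port in REQUIRED if not any(_permits(e, proto, port) for e in entries)]
    broad = [ln for ln, e in parsed if e and _is_broad(e)]
    return missing, broad

# Constructed samples: the thread's original broad rules, and the narrow replacement set.
BEFORE = ["access-list 101 permit tcp any any gt 1023",
          "access-list 101 permit udp any any gt 1023",
          "access-list 101 permit udp any any eq domain"]
AFTER = ["access-list 101 permit esp any any",
         "access-list 101 permit udp any any eq isakmp",
         "access-list 101 permit udp any any eq 4500"]

if __name__ == "__main__":
    for name, acl in (("before", BEFORE), ("after", AFTER)):
        missing, broad = audit(acl)
        print(f"{name}: missing={missing} broad={broad}")
```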
 
bigspoon1980 Author Commented:
Hello,

Thanks for your help, that worked. I have successfully removed those ports, but I still have these ports open on the firewall:

any any domain /udp

any any domain /tcp

Would that make a difference if I removed them?

Kind Regards,

Phil
0