Solved

Cisco VPN 3005 Concentrator and Cisco Pix Problem

Posted on 2006-07-07
438 Views
Last Modified: 2012-05-05
Hello,

This is my situation: I have a PIX firewall and a VPN Concentrator 3005. Remote users use the Cisco VPN client. They all connect fine (the little padlock appears in the bottom right-hand corner), but they cannot access any network resources, e.g. they cannot ping the terminal server or their PC, etc.

If I use the SSL method to connect to my Concentrator, that works fine, and they can ping fine.

Please help! :-(

Phil
Question by:bigspoon1980
8 Comments
 
LVL 8

Expert Comment

by:photograffiti
When the remote users connect in, right-click on the padlock and look at encrypted and decrypted packets. If you see encrypted but no decrypted, then something is going on at your Concentrator or beyond; most likely some routing problems. In that case, get on your Concentrator and look at the VPN session under the Administration tab. Check to see if you're getting decrypts but not encrypts. That would mean you're receiving the VPN traffic and decrypting it, but you are not getting valid traffic back to encrypt. This would point to a routing problem. Then make sure your internal devices have a route to the subnet you've assigned to your VPN clients.
 

Author Comment

by:bigspoon1980
If it is a routing problem, then why does the SSL VPN work fine? Do you think it may be my PIX that's causing the problem?

kind regards,

phil
 

Author Comment

by:bigspoon1980
hello,

Sorted it. I think the group configuration was misconfigured. All I did was create a new group and a new user, which picked up fresh settings from the base group, and it worked fine.

I can now connect with the Cisco VPN client and ping my LAN
 
LVL 8

Expert Comment

by:photograffiti
That's great. I'm glad to hear it's working.
 

Author Comment

by:bigspoon1980
There is one thing I have noticed, though. On my PIX I have 2 rules:

outside any to inside any >1023 tcp
outside any to inside any >1023 udp

I don't really want those rules on there, as they open up loads of ports like Terminal Services and VNC on my servers with external IP addresses. But if I take them out, the VPN client can successfully connect, but the clients cannot see the LAN (like the above problem)?

If someone can tell me and provide a solution, I will award the 500 points...

kind regards,

phil..
 
LVL 8

Expert Comment

by:photograffiti
Well, since you're going through a PIX before you get to the Concentrator, there is another possible reason why you're unable to pass traffic. You can form Phase 1 of an IPSec tunnel if you have ISAKMP open. But if you don't have ESP open, then Phase 2 of IPSec won't work, and that's the part where data actually flows. So there are a few things to make sure you have set up right.
On the PIX, all you should need opened are UDP port 4500 and the ESP protocol, which is just another protocol like UDP and TCP are.
   access-list 101 permit esp any any
   access-list 101 permit udp any any eq 4500
On the VPN client, make sure you choose Allow NAT Transparency or something to that effect.
Try that, remove your other ACLs, and see if that works.
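The ACL point above, as an added example that is not part of the thread (constructed here; not the expert's, the asker's or Cisco's code): a small Python evaluator for PIX-style access lists, run against the flows a Cisco VPN client needs (ISAKMP on UDP/500, NAT-T on UDP/4500, raw ESP) and the two flows the asker was worried about (RDP on TCP/3389, VNC on TCP/5900). The broad "any any gt 1023" rules from the asker's PIX and the narrow ESP/4500 rules from the reply are taken from the thread; the ISAKMP line is assumed to be present in both lists (Phase 1 worked in both cases), and the ACL name, the flow table, the few supported keywords and the first-match/implicit-deny semantics are this example's own simplification of what a PIX does.

```python
"""Evaluate PIX-style access lists against IPsec VPN client flows.

Added example, not code from the thread. Assumptions: ACLs use only
"permit|deny <proto> any any [eq|gt|lt <port>]", first match wins, and
an implicit deny sits at the end (as on a PIX).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp", "udp" or "esp"
    dport: Optional[int]  # destination port; None for ESP (no ports)


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp", "esp" or "ip"
    port_op: Optional[str]    # "eq", "gt", "lt" or None
    port: Optional[int]


# Only the subset of PIX ACL syntax used in the thread (assumption).
ACL_RE = re.compile(
    r"^access-list\s+\S+\s+(permit|deny)\s+(tcp|udp|esp|ip)\s+any\s+any"
    r"(?:\s+(eq|gt|lt)\s+(\S+))?\s*$"
)

# Named ports the example understands; everything else must be numeric.
NAMED_PORTS = {"isakmp": 500, "domain": 53}


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError("unsupported ACL syntax: %r" % line)
        action, proto, op, port = m.groups()
        port_num = None
        if port is not None:
            port_num = NAMED_PORTS.get(port) or int(port)
        rules.append(Rule(action, proto, op, port_num))
    return rules


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if rule.port_op is None:        # protocol-only rule, e.g. "permit esp any any"
        return True
    if flow.dport is None:          # port operator can never match a portless protocol
        return False
    if rule.port_op == "eq":
        return flow.dport == rule.port
    if rule.port_op == "gt":
        return flow.dport > rule.port
    return flow.dport < rule.port


def permitted(rules: List[Rule], flow: Flow) -> bool:
    """First matching rule decides; no match means the implicit deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action == "permit"
    return False


# Constructed flow table: what the VPN client needs, plus two services the
# asker did not want reachable from the outside.
FLOWS = {
    "isakmp (IKE phase 1)": Flow("udp", 500),
    "nat-t (ESP in UDP)": Flow("udp", 4500),
    "esp": Flow("esp", None),
    "rdp": Flow("tcp", 3389),
    "vnc": Flow("tcp", 5900),
}

# The asker's broad rules (ISAKMP line assumed present).
BROAD_ACL = """
access-list 101 permit udp any any eq isakmp
access-list 101 permit tcp any any gt 1023
access-list 101 permit udp any any gt 1023
"""

# The reply's narrow rules (ISAKMP line assumed present).
NARROW_ACL = """
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit udp any any eq 4500
"""


def evaluate(acl_text: str) -> Dict[str, bool]:
    """Map each named flow to whether the ACL permits it."""
    rules = parse_acl(acl_text)
    return {name: permitted(rules, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("broad", BROAD_ACL), ("narrow", NARROW_ACL)):
        print(label)
        for name, ok in evaluate(acl).items():
            print("  %-22s %s" % (name, "permit" if ok else "deny"))
```

Running it prints a permit/deny table for each list. The broad ACL passes NAT-T only because UDP/4500 happens to be above 1023, and it passes RDP and VNC for the same reason; the narrow ACL passes the three VPN flows and nothing else. Note that the broad ACL never matches raw ESP, so a client that is not using NAT-T encapsulation would still fail under it.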
 

Author Comment

by:bigspoon1980
hello,

Thanks for your help, that worked. I have successfully removed those ports, but I still have these ports open on the firewall:

any any domain /udp

any any domain /tcp

Would it make a difference if I removed them?

Kind Regards,

Phil
 
LVL 8

Accepted Solution

by:
photograffiti earned 500 total points
Well, those ports you listed are just for DNS. If you don't have an internal DNS server, then you shouldn't need them. You can remove them and everything should still work.