Solved

Cisco VPN 3005 Concentrator and Cisco Pix Problem

Posted on 2006-07-07
Last Modified: 2012-05-05
Hello,

This is my situation. I have a PIX firewall and a VPN Concentrator 3005. Remote users use the Cisco VPN client. They all connect fine (the little padlock appears in the bottom right hand corner), but they cannot access any network resources, e.g. they cannot ping the terminal server or their PC etc.

If I use the SSL method to connect to my concentrator, that works fine, and they can ping fine.

Please help! :-(

Phil
Question by:bigspoon1980
8 Comments
 
LVL 8

Expert Comment

by:photograffiti
ID: 17059430
When the remote users connect in, right-click on the padlock and look at encrypted and decrypted packets. If you see encrypted but no decrypted then something is going on at your Concentrator or beyond. Most likely some routing problems. In that case, get on your Concentrator and look at the VPN session under the Administrative tab. Check to see if you're getting decrypts but not encrypts. That would mean you're receiving the VPN traffic and decrypting it but you are not getting valid traffic back to encrypt. This would point to a routing problem. Then make sure your internal devices have a route to the subnet you've assigned to your VPN clients.

Author Comment

by:bigspoon1980
ID: 17064440
If it is a routing problem, then why does the SSL VPN work fine? Do you think it may be my PIX that's causing the problem?

kind regards,

phil

Author Comment

by:bigspoon1980
ID: 17064565
hello,

Sorted it. I think the group configuration was misconfigured. All I did was create a new group and a new user, which picked up fresh settings from the base group, and it worked fine.

I can now connect with the Cisco VPN client and ping my LAN.
LVL 8

Expert Comment

by:photograffiti
ID: 17068555
That's great. I'm glad to hear it's working.

Author Comment

by:bigspoon1980
ID: 17068636
There is one thing I have noticed though... On my PIX I have 2 rules:

outside any to inside any >1023 tcp
outside any to inside any >1023 udp

I don't really want those rules on there, as they open up loads of ports like terminal services and VNC on my servers with external IP addresses. But if I take them out, the VPN client can successfully connect, but the clients cannot see the LAN (like the above problem)?

If someone can tell me and provide a solution, I will award the 500 points...

kind regards,

phil..
LVL 8

Expert Comment

by:photograffiti
ID: 17068659
Well, since you're going through a PIX before you get to the Concentrator there is another possible reason why you're unable to pass traffic. You can form Phase 1 of an IPSec tunnel if you have ISAKMP open. But if you don't have ESP open then Phase 2 of IPSec won't work and that's the part where data actually flows. So there are a few things to make sure you have set up right.
On the PIX, all you should need opened are UDP port 4500 and the ESP protocol, which is just another protocol like UDP and TCP are.
   access-list 101 permit esp any any
   access-list 101 permit udp any any eq 4500
On the VPN client, make sure you choose Allow NAT Transparency or something to that effect.
Try that and remove your other ACLs and see if that works.
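An added example (not from this thread or from Cisco) that evaluates PIX-style access-list lines against the flows a Cisco VPN client needs: it puts the poster's ">1023" rules beside the ESP/UDP 4500 set suggested above and checks which flows each one permits. The ISAKMP (UDP 500) line and the RDP/VNC flows are assumptions added for illustration; interface direction and addresses are not modelled.

```python
from typing import Dict, Optional

PORT_NAMES = {"isakmp": 500}  # PIX accepts named ports; only the one used here

def parse_acl(text: str) -> list:
    """Parse lines such as 'access-list 101 permit udp any any eq 4500' into
    (action, protocol, port operator, port). ESP lines carry no port."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        op = port = None
        if len(t) >= 8:  # trailing 'eq 4500', 'gt 1023' or 'eq isakmp'
            op = t[6]
            port = PORT_NAMES[t[7]] if t[7] in PORT_NAMES else int(t[7])
        rules.append((t[2], t[3], op, port))
    return rules

def permitted(rules: list, proto: str, dport: Optional[int] = None) -> bool:
    """First matching rule decides; a PIX ACL ends with an implicit deny."""
    for action, rproto, op, port in rules:
        if rproto != proto:
            continue
        if op is None or (op == "eq" and dport == port) \
                or (op == "gt" and dport is not None and dport > port):
            return action == "permit"
    return False

# The poster's broad rules (his '>1023 tcp/udp') next to the narrow set the
# expert suggests; the ISAKMP line is an assumption added because IKE Phase 1 uses it.
BROAD = """
access-list 101 permit tcp any any gt 1023
access-list 101 permit udp any any gt 1023
"""
NARROW = """
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 4500
access-list 101 permit esp any any
"""
# Constructed flows: what the VPN needs, plus two services the poster did not want exposed.
FLOWS = {
    "isakmp": ("udp", 500),   # IKE Phase 1
    "nat-t": ("udp", 4500),   # ESP encapsulated in UDP (NAT Transparency)
    "esp": ("esp", None),     # raw ESP when no NAT is in the path
    "rdp": ("tcp", 3389),     # terminal services
    "vnc": ("tcp", 5900),
}

def report(acl_text: str) -> Dict[str, bool]:
    rules = parse_acl(acl_text)
    return {name: permitted(rules, p, d) for name, (p, d) in FLOWS.items()}
```

With the broad rules the VPN data path only works because NAT-T's UDP 4500 happens to be above 1023, and RDP and VNC are let through with it; the narrow set passes the three VPN flows and nothing else.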

Author Comment

by:bigspoon1980
ID: 17071909
hello,

Thanks for your help, that worked. I have successfully removed those ports, but I still have these ports open on the firewall:

any any domain /udp

any any domain /tcp

Would that make a difference if I removed them?

Kind Regards,

Phil
LVL 8

Accepted Solution

by: photograffiti (earned 500 total points)
ID: 17073445
Well, those ports you listed are just for DNS. If you don't have an internal DNS server then you shouldn't need that. You can remove it and everything should still work.
