Solved

problems with VPN with Cisco PIX

Posted on 2006-07-12
13
580 Views
Last Modified: 2010-03-19
I currently have a Cisco PIX setup to VPN into work... but clearly, I've missed a step somewhere...

I am able to VPN into my domain , I get the welcome message, a second IP address that reflects what I would get at work, however, I can't ping anything or connect to the file server. (the local server IP, the file shares, etc...)

Any idea how I may be able to fix this?

Thanks!
0
Question by:mmanaigre
13 Comments
 
LVL 12

Expert Comment

by:Scotty_cisco
do you have ACL that do a no nat to the LAN of your network?
0
 
LVL 2

Expert Comment

by:just-one-it
It may be a routing issue.  Is the pix the default router for the devices you which to reach at work?
0
 
LVL 23

Expert Comment

by:Erik Bjers
I have had this problem with my VPN at many remote locations.  The problem has always been that the firewall at the remote end or the ISP does not allow UDP encapsulation.  Without this you will get the connection (UDP traffic is used to create the connection), but when the client attempts to send TCP traffic through the UDP tunnel (UDP encapsulation) the firewall blocks it.  First check any firewalls you have between the end user and the PIX, then have your clients check their firewalls or contact their ISP.

If your clients are in the US, most high speed ISPs allow UDP encapsulation on all types of accounts.  If your clients are overseas many ISPs block UDP encapsulation on either personal accounts or dynamic IP accounts.

EB
0
 
LVL 23

Expert Comment

by:Erik Bjers
Alternately you can use TCP VPN, not sure how to configure this on the PIX

eb
0
 

Author Comment

by:mmanaigre
Thanks for all the quick responses.. however, we're going to have to dummy up the answers a little bit... from a user standpoint, what should I do.. please go easy on the techy terms....

To my understanding the firewall is properly setup... we had our Cisco guy come down and take a look... I don't have any software firewall running on my end, however I am going through a home linksys router...

UDP tunnel?? I don't quite get that...
0
 
LVL 77

Expert Comment

by:Rob Williams
One more thought; is there any chance your home network and the office network are using the same subnet? i.e. if the home network uses 192.168.0.x and the office uses the same subnet, you will experience problems as you have described.
0
 

Author Comment

by:mmanaigre
My home uses 192.168.1.x and my work uses 10.10.10.x
0
 
LVL 23

Expert Comment

by:Erik Bjers
The way a VPN normally works is:


               ****************UDP TRAFFIC***************  PIX

CLIENT      ----------------------TCP TRAFFIC----------------------           -------------- server

               ****************UDP TRAFFIC*************** PIX

Steps in communication

1) the VPN client creates an encrypted UDP tunnel to the PIX
2) the traffic from the client to the server beyond the PIX is sent as TCP traffic through the UDP tunnel that was created in step 1

All you want to know about UDP Encapsulation and beyond http://www.rfc-archive.org/getrfc.php?rfc=3948

What does this mean to you?  Not much if you are not a network admin.  Contact your ISP and make sure they are not blocking UDP encapsulation, and if they are find out if they can allow the traffic (you may need to upgrade to a business account)

If your PIX was setup by a CISCO rep then that end should be OK.  The Linksys router and any home software firewall should let UDP encapsulation pass (or at least prompt you for what to do with it)  So the problem is more than likely with your ISP

eb
0
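The comment above describes the tunnel in words; the following worked example, added here and not part of the original thread, shows what "UDP encapsulation" (IKE NAT-T, RFC 3948, the document linked above) actually looks like on UDP port 4500 so that a packet capture taken on the home side of the Linksys (for example with tcpdump filtered on udp port 4500) can be read. The three things that travel on that port are IKE messages (prefixed with a four-byte zero "non-ESP marker"), UDP-encapsulated ESP (SPI and sequence number first) and one-byte NAT keepalives. The capture is constructed by hand, and the verdict rule (ESP leaving the client with nothing coming back points at something between the client and the PIX dropping encapsulated traffic) is the diagnostic reading of the thread's theory, not a rule from the RFC.

```python
"""Classify UDP/4500 payloads (IKE NAT-T, RFC 3948) and read a small capture.

Added example, not code from the original thread.  SAMPLE_CAPTURE is
constructed by hand to mirror the symptom in the question.
"""
import struct
from dataclasses import dataclass

# RFC 3948 s.2.2: IKE on port 4500 carries a 4-byte zero "non-ESP marker"
# so it can be told apart from ESP, whose first 4 bytes are an SPI that
# is never zero.  RFC 3948 s.2.3: a lone 0xFF byte is a NAT keepalive.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
KEEPALIVE = b"\xff"

IKEV1_EXCHANGES = {
    2: "Identity Protection (Main Mode)",
    4: "Aggressive Mode",
    5: "Informational",
    6: "Transaction (Mode Config)",
    32: "Quick Mode",
}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


@dataclass
class NatTPacket:
    kind: str     # "keepalive", "ike" or "esp"
    detail: str


def classify_udp4500(payload: bytes) -> NatTPacket:
    """Classify one UDP/4500 payload according to RFC 3948."""
    if payload == KEEPALIVE:
        return NatTPacket("keepalive", "NAT keepalive")
    if len(payload) < 8:
        raise ValueError("too short for ESP or IKE on port 4500")
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < 28:
            raise ValueError("truncated IKE header")
        # IKE header: initiator SPI, responder SPI, next payload, version,
        # exchange type, flags, message ID, total length (RFC 2408 / RFC 4306)
        _ispi, _rspi, _next, version, exch, _flags, _msgid, length = struct.unpack("!QQBBBBII", ike[:28])
        major = version >> 4
        names = IKEV1_EXCHANGES if major == 1 else IKEV2_EXCHANGES
        name = names.get(exch, "exchange %d" % exch)
        if length > len(ike):
            raise ValueError("IKE length %d exceeds payload %d" % (length, len(ike)))
        return NatTPacket("ike", "IKEv%d %s (%d bytes)" % (major, name, length))
    spi, seq = struct.unpack("!II", payload[:8])
    if spi == 0:
        raise ValueError("ESP SPI 0 is reserved; not a valid NAT-T packet")
    return NatTPacket("esp", "ESP SPI 0x%08x seq %d" % (spi, seq))


def diagnose(capture):
    """capture: list of (direction, payload); direction is 'out' (client -> PIX) or 'in'.

    Returns (counts, verdict).  Verdicts (added diagnostic rule, not from the RFC):
      esp_two_way - encrypted data flows both ways; look at routing / nat 0 on the PIX instead
      esp_one_way - ESP seen in one direction only; something between client and PIX drops it
      ike_only    - negotiation seen but no data traffic at all
      no_natt     - nothing on 4500, so NAT-T is not in use (plain IP protocol 50 ESP?)
    """
    counts = {"ike": 0, "keepalive": 0, "esp_out": 0, "esp_in": 0}
    for direction, payload in capture:
        pkt = classify_udp4500(payload)
        if pkt.kind == "esp":
            counts["esp_" + direction] += 1
        else:
            counts[pkt.kind] += 1
    if counts["esp_out"] and counts["esp_in"]:
        verdict = "esp_two_way"
    elif counts["esp_out"] or counts["esp_in"]:
        verdict = "esp_one_way"
    elif counts["ike"]:
        verdict = "ike_only"
    else:
        verdict = "no_natt"
    return counts, verdict


def ikev1_message(exchange: int) -> bytes:
    """Header-only IKEv1 message wrapped for port 4500 (constructed sample, cookies are made up)."""
    hdr = struct.pack("!QQBBBBII", 0x1122334455667788, 0x8877665544332211, 0, 0x10, exchange, 0, 0, 28)
    return NON_ESP_MARKER + hdr


def esp_packet(spi: int, seq: int, body: bytes = b"\x00" * 16) -> bytes:
    """UDP-encapsulated ESP: SPI, sequence number, then the encrypted body (constructed sample)."""
    return struct.pack("!II", spi, seq) + body


# Constructed capture of the symptom in the question: IKE completed and moved
# to 4500, the client keeps the NAT mapping alive and sends encrypted data,
# but no ESP from the PIX ever arrives at the client.
SAMPLE_CAPTURE = [
    ("out", ikev1_message(5)),            # Informational (e.g. DPD) exchange
    ("in", ikev1_message(5)),
    ("out", KEEPALIVE),
    ("out", esp_packet(0x12345678, 1)),   # the ping to the file server, encrypted
    ("out", esp_packet(0x12345678, 2)),
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPTURE))
```

Run as-is it reports two outbound ESP packets and none inbound, the one-way case. If a real capture shows ESP in both directions, the encapsulation is passing and the fault is on the PIX side (routing or the nat 0 exemption) rather than at the ISP or home router.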
 
LVL 22

Expert Comment

by:rickhobbs
Actually, you should get an IP address from the NAT pool on the PIX.  It shouldn't be the same as the address you would get connecting to the office LAN.  Can you post your PIX config?  Just change the public IP addresses for security before posting.
0
 
LVL 32

Expert Comment

by:rsivanandan
>> A Second ip address that I would get at work

This tells me that the ip pool configured at pix is the same as the internal network, this is not good.

You need to have configured on the pix not to nat the connections coming back to you, typically it would be like this;

access-list nonat permit ip <corporate ip> <netmask> <vpnassignedip> <netmask>

nat (inside) 0 access-list nonat

Have your Cisco guy check this out; if possible, the configuration will tell us more.

Cheers,
Rajesh
0
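The comments above turn on three addressing questions: whether the home LAN collides with the office LAN, whether the pool handed to VPN clients is exempted from NAT with a nat 0 ACL, and whether inside hosts can reach the pool at all. The following script, added here and not from the original thread or from Cisco, checks those points for a given address plan and prints the PIX 6.x nat 0 lines in the form shown above. The corporate LAN (10.10.10.0/24) and home LAN (192.168.1.0/24) come from the thread; the pool 10.10.20.0/24 is an assumption, since the thread never states what the PIX hands out.

```python
"""Check the address plan behind a PIX remote-access VPN and emit the nat 0 ACL.

Added example, not from the original thread.  Addresses used below:
corporate 10.10.10.0/24 and home 192.168.1.0/24 are from the thread; the
pool 10.10.20.0/24 is assumed.
"""
import ipaddress


def nat0_acl(corporate_nets, pool, acl_name="nonat"):
    """PIX 6.x lines exempting corporate -> VPN-client traffic from NAT.

    PIX 6.x ACLs take dotted netmasks rather than /prefix lengths, so each
    line is 'source mask destination mask'.
    """
    lines = [
        "access-list %s permit ip %s %s %s %s"
        % (acl_name, net.network_address, net.netmask, pool.network_address, pool.netmask)
        for net in corporate_nets
    ]
    lines.append("nat (inside) 0 access-list %s" % acl_name)
    return lines


def check_plan(corporate, pool, home):
    """Return (problems, notes, acl_lines) for an address plan.

    corporate: inside subnets the VPN user must reach (strings, CIDR)
    pool:      the range the PIX assigns to clients (ip local pool)
    home:      the LAN behind the user's home router
    """
    corporate = [ipaddress.ip_network(c, strict=False) for c in corporate]
    pool = ipaddress.ip_network(pool, strict=False)
    home = ipaddress.ip_network(home, strict=False)

    problems, notes = [], []
    for net in corporate:
        # Rob Williams' point: if the home LAN uses the same range as the office,
        # the client keeps routing that range to the local LAN, not into the tunnel.
        if net.overlaps(home):
            problems.append(
                "home LAN %s overlaps corporate %s: the client routes that range locally, not over the VPN"
                % (home, net)
            )
        if pool.subnet_of(net):
            # Pool carved out of an inside subnet: inside hosts will ARP for client
            # addresses, so the PIX has to answer (proxy ARP) on the inside interface.
            notes.append("pool %s is inside %s: inside hosts ARP for it, the PIX must proxy-ARP on inside" % (pool, net))
    if pool.overlaps(home):
        problems.append("pool %s overlaps home LAN %s: the client cannot tell tunnel and home traffic apart" % (pool, home))
    if not any(pool.overlaps(net) for net in corporate):
        # just-one-it's point: a separate pool subnet needs a route back to the PIX.
        notes.append(
            "pool %s is a separate subnet: inside hosts or their default gateway need a route for it pointing at the PIX inside interface"
            % pool
        )
    return problems, notes, nat0_acl(corporate, pool)


if __name__ == "__main__":
    problems, notes, acl = check_plan(["10.10.10.0/24"], "10.10.20.0/24", "192.168.1.0/24")
    for line in problems + notes + acl:
        print(line)
```

With the thread's addresses and the assumed pool the script reports no overlap, reminds you that the separate pool needs a return route, and prints the two nat 0 lines; swapping the home LAN for 10.10.10.0/24 produces the overlap warning Rob Williams asked about.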
 
LVL 2

Expert Comment

by:just-one-it
From a user point of view, I don't think there is much you can do.  You will need to know how the network is configured.  You will also need access to the pix configuration, in order to find out how its configured and fix any problems.  Any more info you could provide about the way your network is configured would be helpful.
0
 
LVL 23

Accepted Solution

by: Erik Bjers (earned 500 total points)
"This tells me that the ip pool configured at pix is the same as the internal network, this is not good."  I disagree.  When you connect to the VPN you want to get an IP in the same subnet as the network you are connecting to, otherwise you need routing.  If you are getting an IP "that I would get at work" that tells me you are getting an IP that is in the same subnet.

The whole focus of my job is VPN with CISCO equipment and all my clients get IP addresses in the same network/ subnet as my main network.

EVERY TIME I came across the problem you mentioned it was because a firewall between the end user and the VPN device (PIX in your case) was blocking UDP encapsulation.  More than likely this is on the ISP; call the ISP, get a top level tech (one who knows what he's talking about) and ask if UDP encapsulation is allowed to pass, and if it's not how do you get it to pass (i.e. upgrade your account).

eb
0
 
LVL 23

Expert Comment

by:Erik Bjers
Did you get it working?
0
