• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 619

problems with VPN with Cisco PIX

I currently have a Cisco PIX setup to VPN into work... but clearly, I've missed a step somewhere...

I am able to VPN into my domain, I get the welcome message, a second IP address that reflects what I would get at work, however, I can't ping anything or connect to the file server (the local server IP, the file shares, etc...).

Any idea how I may be able to fix this?

Thanks!
1 Solution
 
Scotty_ciscoCommented:
Do you have an ACL that does a no-NAT to the LAN of your network?
 
just-one-itCommented:
It may be a routing issue.  Is the PIX the default router for the devices you wish to reach at work?
 
Erik BjersPrincipal Systems AdministratorCommented:
I have had this problem with my VPN at many remote locations.  The problem has always been that the firewall at the remote end or the ISP does not allow UDP encapsulation.  Without this you will get the connection (UDP traffic is used to create the connection), but when the client attempts to send TCP traffic through the UDP tunnel (UDP encapsulation) the firewall blocks it.  First check any firewalls you have between the end user and the PIX, then have your clients check their firewalls or contact their ISP.

If your clients are in the US, most high-speed ISPs allow UDP encapsulation on all types of accounts.  If your clients are overseas, many ISPs block UDP encapsulation on either personal accounts or dynamic IP accounts.

EB
Erik BjersPrincipal Systems AdministratorCommented:
Alternately you can use a TCP VPN; not sure how to configure this on the PIX.

eb
 
mmanaigreAuthor Commented:
Thanks for all the quick responses.. however, we're going to have to dummy up the answers a little bit... from a user standpoint, what should I do.. please go easy on the techy terms....

To my understanding the firewall is properly set up... we had our Cisco guy come down and take a look... I don't have any software firewall running on my end, however I am going through a home Linksys router...

UDP tunnel?? I don't quite get that...
 
Rob WilliamsCommented:
One more thought; is there any chance your home network and the office network are using the same subnet? i.e. if the home network uses 192.168.0.x and the office uses the same subnet, you will experience problems as you have described.
 
mmanaigreAuthor Commented:
My home uses 192.168.1.x and my work uses 10.10.10.x
 
Erik BjersPrincipal Systems AdministratorCommented:
The way a VPN normally works is:


               ****************UDP TRAFFIC***************  PIX

CLIENT      ----------------------TCP TRAFFIC----------------------           -------------- server

               ****************UDP TRAFFIC*************** PIX

Steps in communication

1) the VPN client creates an encrypted UDP tunnel to the PIX
2) the traffic from the client to the server beyond the PIX is sent as TCP traffic through the UDP tunnel that was created in step 1

All you want to know about UDP encapsulation and beyond: http://www.rfc-archive.org/getrfc.php?rfc=3948

What does this mean to you?  Not much if you are not a network admin.  Contact your ISP and make sure they are not blocking UDP encapsulation, and if they are, find out if they can allow the traffic (you may need to upgrade to a business account).

If your PIX was set up by a Cisco rep then that end should be OK.  The Linksys router and any home software firewall should let UDP encapsulation pass (or at least prompt you for what to do with it).  So the problem is more than likely with your ISP.

eb
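The two steps above (negotiate the tunnel, then carry the real traffic inside it) are what RFC 3948 specifies on UDP port 4500: IKE messages are prefixed with a four-byte zero "non-ESP marker", encrypted data is sent as ESP directly behind the UDP header, and a one-byte 0xFF packet is a NAT keepalive. The script below is an added example, not code from the thread, Cisco, or the RFC; it classifies such payloads and then runs a constructed client-side capture through a small diagnosis that reproduces the symptom in the question (IKE completes and an address is handed out, the client sends ESP, nothing ever comes back). The packet contents, SPIs and exchange types are constructed for illustration.

```python
"""Classify IPsec NAT-T (UDP/4500) payloads per RFC 3948 and spot the
"tunnel comes up but nothing flows" symptom in a client-side capture.
Added example for this thread; all packets below are constructed, not captured."""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"     # RFC 3948 2.2: marks IKE carried on UDP/4500
NAT_KEEPALIVE = b"\xff"                  # RFC 3948 2.3: one-byte NAT keepalive
ISAKMP_HDR = struct.Struct("!QQBBBBII")  # ISAKMP header: SPIs, next, version, exchange, flags, msgid, length


def classify_nat_t_payload(payload: bytes) -> dict:
    """Say what a UDP/4500 payload carries: NAT keepalive, IKE, ESP or junk."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        # IKE: four zero bytes (an ESP packet never carries SPI 0) then the ISAKMP header.
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < ISAKMP_HDR.size:
            return {"kind": "ike", "error": "truncated ISAKMP header"}
        ispi, rspi, _nxt, _ver, exch, _flags, msg_id, length = ISAKMP_HDR.unpack_from(ike)
        return {"kind": "ike", "initiator_spi": ispi, "responder_spi": rspi,
                "exchange_type": exch, "message_id": msg_id, "length": length}
    if len(payload) >= 8:
        # UDP-encapsulated ESP: the ESP header (SPI, sequence number) follows the UDP header directly.
        spi, seq = struct.unpack_from("!II", payload)
        return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "unknown", "len": len(payload)}


def diagnose(packets):
    """packets: (direction, dst_port, payload) tuples, direction 'out' = client to PIX, 'in' = PIX to client.
    Returns (code, explanation) for the first problem found in the exchange."""
    seen = {"ike": {"out": 0, "in": 0}, "esp": {"out": 0, "in": 0}}
    for direction, port, payload in packets:
        kind = "ike" if port == 500 else classify_nat_t_payload(payload)["kind"]
        if kind in seen:
            seen[kind][direction] += 1
    if seen["ike"]["in"] == 0:
        return ("no-ike-reply", "no IKE reply on UDP/500 or UDP/4500: ISAKMP blocked or PIX unreachable")
    if seen["esp"]["out"] == 0:
        return ("no-esp-sent", "IKE completed but the client never sent UDP-encapsulated ESP: client-side problem")
    if seen["esp"]["in"] == 0:
        return ("no-esp-return", "client sends ESP on UDP/4500 but nothing comes back: UDP/4500 data is dropped "
                "between client and PIX, or the PIX lacks a no-NAT rule/route for the pool")
    return ("ok", "IKE and UDP-encapsulated ESP flow in both directions")


def make_ike(ispi, rspi, exch, msg_id, body=b""):
    """Build a NAT-T IKE payload: non-ESP marker + ISAKMP header (IKEv1) + body (constructed)."""
    hdr = ISAKMP_HDR.pack(ispi, rspi, 0, 0x10, exch, 0, msg_id, ISAKMP_HDR.size + len(body))
    return NON_ESP_MARKER + hdr + body


def make_esp(spi, seq, ciphertext=b"\x00" * 40):
    """Build a UDP-encapsulated ESP payload with an opaque body (constructed)."""
    return struct.pack("!II", spi, seq) + ciphertext


# Constructed capture matching the thread's symptom: IKE completes on 500 and 4500
# (the client is assigned an address), the client sends ESP data, but no ESP ever returns.
SAMPLE_CAPTURE = [
    ("out", 500, b"\x00" * 28),                           # main mode on UDP/500, no marker
    ("in", 500, b"\x00" * 28),
    ("out", 4500, make_ike(0x1111, 0x2222, 32, 0xABCD)),  # quick mode moved to 4500 once NAT is detected
    ("in", 4500, make_ike(0x1111, 0x2222, 32, 0xABCD)),
    ("out", 4500, make_esp(0x1234ABCD, 1)),
    ("out", 4500, make_esp(0x1234ABCD, 2)),
    ("out", 4500, NAT_KEEPALIVE),
]

if __name__ == "__main__":
    code, why = diagnose(SAMPLE_CAPTURE)
    print(f"{code}: {why}")
```

Run it as-is and it reports `no-esp-return`. On a real capture (e.g. exported from a sniffer on the home side of the Linksys) the same three-way split is what separates "ISAKMP is blocked" from "the tunnel negotiates but UDP/4500 data never returns", which is the case this thread is about; the script deliberately does not decide whether the missing return traffic is an ISP/firewall drop or a PIX no-NAT problem, since both look identical from the client.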
 
Rick HobbsRETIREDCommented:
Actually, you should get an IP address from the NAT pool on the PIX.  It shouldn't be the same as the address you would get connecting to the office LAN.  Can you post your PIX config?  Just change the public IP addresses for security before posting.
 
rsivanandanCommented:
>> A second IP address that I would get at work

This tells me that the IP pool configured on the PIX is the same as the internal network; this is not good.

You need to have configured the PIX not to NAT the connections coming back to you; typically it would be like this:

access-list nonat permit ip <corporate ip> <netmask> <vpn pool> <netmask>

nat (inside) 0 access-list nonat

Have your Cisco guy check this out; if possible, the configuration will tell us more.

Cheers,
Rajesh
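The no-NAT exemption described above (the `nat (inside) 0 access-list` statement has to cover traffic from the corporate LAN to the VPN pool), the separate-pool point raised by Rick Hobbs, and Erik Bjers's NAT-traversal point can all be checked mechanically once the config is available. The script below is an added example, not from the thread or from Cisco: it assumes PIX 6.x syntax (`ip local pool`, `nat (inside) 0 access-list`, `vpngroup ... address-pool`, `isakmp nat-traversal`) and inspects a constructed config, since the poster's real configuration was never shared. The sample config is deliberately wrong in the two ways the thread discusses; `FIXED_CONFIG` is the same text with the no-NAT ACL pointed at the pool and NAT traversal enabled.

```python
"""Check a PIX 6.x remote-access VPN config for the gaps discussed in this thread:
the no-NAT ACL (nat 0) not covering the VPN address pool, the pool overlapping the
inside subnet, and NAT traversal not enabled.
Added example; the config text is constructed for illustration, not the poster's real config."""
import ipaddress
import re

RE_INSIDE = re.compile(r"^ip address inside (\S+) (\S+)")
RE_POOL = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
RE_ACL = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
RE_NAT0 = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
RE_GROUP_POOL = re.compile(r"^vpngroup (\S+) address-pool (\S+)")
RE_NAT_T = re.compile(r"^isakmp nat-traversal")


def net(addr, mask):
    """'10.10.10.0', '255.255.255.0' -> IPv4Network('10.10.10.0/24')."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Pull out only the statements the checks below need."""
    cfg = {"inside": None, "pools": {}, "acls": {}, "nat0": {}, "group_pools": {}, "nat_t": False}
    for raw in config.splitlines():
        line = raw.strip()
        if m := RE_INSIDE.match(line):
            cfg["inside"] = net(m[1], m[2])
        elif m := RE_POOL.match(line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := RE_ACL.match(line):
            cfg["acls"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := RE_NAT0.match(line):
            cfg["nat0"][m[1]] = m[2]          # interface -> ACL name used for nat 0
        elif m := RE_GROUP_POOL.match(line):
            cfg["group_pools"][m[1]] = m[2]   # vpngroup -> pool name
        elif RE_NAT_T.match(line):
            cfg["nat_t"] = True
    return cfg


def check(config):
    """Return a list of findings (empty means the checks passed)."""
    cfg = parse(config)
    findings = []
    inside = cfg["inside"]
    if inside is None:
        return ["no 'ip address inside' statement found; cannot evaluate the no-NAT ACL"]
    nonat = cfg["nat0"].get("inside")
    entries = cfg["acls"].get(nonat, []) if nonat else []
    if nonat is None:
        findings.append("no 'nat (inside) 0 access-list ...': replies from inside hosts to VPN clients will be NATed")
    for group, pool_name in cfg["group_pools"].items():
        if pool_name not in cfg["pools"]:
            findings.append(f"vpngroup {group} uses pool {pool_name}, which is not defined")
            continue
        lo, hi = cfg["pools"][pool_name]
        blocks = list(ipaddress.summarize_address_range(lo, hi))
        # Every block of the pool must be matched by some nonat entry: inside LAN -> pool.
        uncovered = [b for b in blocks
                     if not any(inside.subnet_of(src) and b.subnet_of(dst) for src, dst in entries)]
        if uncovered:
            findings.append(f"pool {pool_name} ({lo}-{hi}) is not exempted from NAT for traffic from {inside}: "
                            f"uncovered {', '.join(map(str, uncovered))}")
        if any(inside.overlaps(b) for b in blocks):
            findings.append(f"pool {pool_name} ({lo}-{hi}) overlaps the inside subnet {inside}; "
                            "use a separate subnet for the pool")
    if not cfg["nat_t"]:
        findings.append("'isakmp nat-traversal' is absent: a client behind a home NAT router needs "
                        "UDP-encapsulated ESP, otherwise the tunnel negotiates but data does not flow")
    return findings


# Constructed config: the nonat ACL names the wrong destination subnet and NAT-T is off.
SAMPLE_CONFIG = """\
ip address inside 10.10.10.1 255.255.255.0
ip local pool vpnpool 10.10.20.1-10.10.20.50
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.30.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
vpngroup remoteusers address-pool vpnpool
"""
FIXED_CONFIG = (SAMPLE_CONFIG.replace("10.10.30.0 255.255.255.0", "10.10.20.0 255.255.255.0")
                + "isakmp nat-traversal 20\n")

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check(text) or "OK")
```

Feed it the output of `show running-config` (with public addresses scrubbed, as Rick Hobbs suggests) and an empty list means the three statements line up; the check only understands the handful of statement forms listed in the regexes, so a config written in a different style needs the patterns extended rather than trusted blindly.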
 
just-one-itCommented:
From a user point of view, I don't think there is much you can do.  You will need to know how the network is configured.  You will also need access to the PIX configuration, in order to find out how it's configured and fix any problems.  Any more info you could provide about the way your network is configured would be helpful.
 
Erik BjersPrincipal Systems AdministratorCommented:
"This tells me that the ip pool configured at pix is the same as the internal network, this is not good."  I disagree.  When you connect to the VPN you want to get an IP in the same subnet as the network you are connecting to, otherwise you need routing.  If you are getting an IP "that I would get at work" that tells me you are getting an IP that is in the same subnet.

The whole focus of my job is VPN with Cisco equipment and all my clients get IP addresses in the same network/subnet as my main network.

EVERY TIME I came across the problem you mentioned it was because a firewall between the end user and the VPN device (PIX in your case) was blocking UDP encapsulation.  More than likely this is on the ISP; call the ISP, get a top-level tech (one who knows what he's talking about) and ask if UDP encapsulation is allowed to pass, and if it's not, how do you get it to pass (i.e. upgrade your account).

eb
 
Erik BjersPrincipal Systems AdministratorCommented:
Did you get it working?