Solved

problems with VPN with Cisco PIX

Posted on 2006-07-12
598 Views
Last Modified: 2010-03-19
I currently have a Cisco PIX setup to VPN into work... but clearly, I've missed a step somewhere...

I am able to VPN into my domain , I get the welcome message, a second IP address that reflects what I would get at work, however, I can't ping anything or connect to the file server. (the local server IP, the file shares, etc...)

Any idea how I may be able to fix this?

Thanks!
0
Question by:mmanaigre
13 Comments
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096350
do you have an ACL that does a no-nat to the LAN of your network?
0
 
LVL 2

Expert Comment

by:just-one-it
ID: 17096368
It may be a routing issue.  Is the pix the default router for the devices you wish to reach at work?
0
 
LVL 23

Expert Comment

by:Erik Bjers
ID: 17096389
I have had this problem with my VPN at many remote locations.  The problem has always been that the firewall at the remote end or the ISP does not allow UDP encapsulation.  Without this you will get the connection (UDP traffic is used to create the connection), but when the client attempts to send TCP traffic through the UDP tunnel (UDP encapsulation) the firewall blocks it.  First check any firewalls you have between the end user and the PIX, then have your clients check their firewalls or contact their ISP.

If your clients are in the US, most high speed ISPs allow UDP encapsulation on all types of accounts.  If your clients are overseas many ISPs block UDP encapsulation on either personal accounts or dynamic IP accounts.

EB
0
 
LVL 23

Expert Comment

by:Erik Bjers
ID: 17096392
Alternately you can use TCP VPN, not sure how to configure this on the PIX

eb
0
 

Author Comment

by:mmanaigre
ID: 17096459
Thanks for all the quick responses.. however, we're going to have to dummy up the answers a little bit... from a user standpoint, what should I do.. please go easy on the techy terms....

To my understanding the firewall is properly setup... we had our Cisco guy come down and take a look... I don't have any software firewall running on my end, however I am going through a home linksys router...

UDP tunnel?? I don't quite get that...
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17096484
One more thought; is there any chance your home network and the office network are using the same subnet? i.e. if the home network uses 192.168.0.x and the office uses the same subnet, you will experience problems as you have described.
0
 

Author Comment

by:mmanaigre
ID: 17096513


My home uses 192.168.1.x and my work uses 10.10.10.x
0
 
LVL 23

Expert Comment

by:Erik Bjers
ID: 17096515
The way a vpn normally works is:


               ****************UDP TRAFFIC***************  PIX

CLIENT      ----------------------TCP TRAFFIC----------------------           -------------- server

               ****************UDP TRAFFIC*************** PIX

Steps in communication

1) the VPN client creates an encrypted UDP tunnel to the PIX
2) the traffic from the client to the server beyond the PIX is sent as TCP traffic through the UDP tunnel that was created in step 1

All you want to know about UDP Encapsulation and beyond http://www.rfc-archive.org/getrfc.php?rfc=3948

What does this mean to you?  Not much if you are not a network admin.  Contact your ISP and make sure they are not blocking UDP encapsulation, and if they are find out if they can allow the traffic (you may need to upgrade to a business account)

If your PIX was setup by a CISCO rep then that end should be OK.  The Linksys router and any home software firewall should let UDP encapsulation pass (or at least prompt you for what to do with it)  So the problem is more than likely with your ISP

eb
0
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 17096555
Actually, you should get an IP address from the NAT pool on the PIX.  It shouldn't be the same as the address you would get connecting to the office LAN.  Can you post your PIX config?  Just change the public IP addresses for security before posting.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17096711
>> A Second ip address that I would get at work

This tells me that the ip pool configured at pix is the same as the internal network, this is not good.

You need to have configured on the pix not to nat the connections coming back to you, typically it would be like this;

access-list nonat permit ip <corporate ip> <netmask> <vpnassignedip> <netmask>

nat (inside) 0 access-list nonat

Have your cisco guy check this out, if possible the configuration will tell us more.

Cheers,
Rajesh
0
 
LVL 2

Expert Comment

by:just-one-it
ID: 17097206
From a user point of view, I don't think there is much you can do.  You will need to know how the network is configured.  You will also need access to the pix configuration, in order to find out how it's configured and fix any problems.  Any more info you could provide about the way your network is configured would be helpful.
0
 
LVL 23

Accepted Solution

by:
Erik Bjers earned 500 total points
ID: 17098346
"This tells me that the ip pool configured at pix is the same as the internal network, this is not good."  I disagree.  When you connect to the VPN you want to get an IP in the same subnet as the network you are connecting to, otherwise you need routing.  If you are getting an IP "That I would Get at work" that tells me you are getting an IP that is in the same subnet.

The whole focus of my job is VPN with CISCO equipment and all my clients get IP addresses in the same network/ subnet as my main network.

EVERY TIME I came across the problem you mentioned it was because a firewall between the end user and the VPN device (PIX in your case) was blocking UDP encapsulation.  More than likely this is on the ISP, call the ISP get a top level tech (one who knows what he's talking about) and ask if UDP encapsulation is allowed to pass, and if it's not how do you get it to pass (i.e. upgrade your account).

eb
0
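As an added illustration of the UDP encapsulation that Erik's diagram and the accepted solution refer to (RFC 3948, linked above), not code from the thread: on UDP port 4500 the PIX and the client exchange IKE messages prefixed with a four-zero-byte "non-ESP marker", one-byte 0xFF NAT keepalives, and ESP data packets whose first eight bytes are the SPI and sequence number. A classifier over those payloads lets an admin check from a capture whether the tunnel only negotiates (IKE seen, no ESP) or actually carries data. The sample payloads and the SPI value are constructed for the example.

```python
import struct
from dataclasses import dataclass

# RFC 3948: on UDP/4500 an IKE message is prefixed with a 4-byte zero
# "non-ESP marker"; a lone 0xFF byte is a NAT keepalive; anything else is
# an ESP packet whose first 8 bytes are the (non-zero) SPI and sequence number.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


@dataclass
class Udp4500Packet:
    kind: str      # "ike", "keepalive", "esp" or "malformed"
    spi: int = 0   # ESP SPI (0 for non-ESP kinds)
    seq: int = 0   # ESP sequence number


def classify_udp4500(payload: bytes) -> Udp4500Packet:
    """Classify one UDP/4500 payload according to RFC 3948."""
    if payload == NAT_KEEPALIVE:
        return Udp4500Packet("keepalive")
    if payload.startswith(NON_ESP_MARKER):
        return Udp4500Packet("ike")
    if len(payload) < 8:
        return Udp4500Packet("malformed")   # too short to hold SPI + sequence
    spi, seq = struct.unpack("!II", payload[:8])
    return Udp4500Packet("esp", spi, seq)


def tunnel_health(payloads) -> dict:
    """Count packet kinds. IKE present but no ESP matches the symptom in the
    thread: the VPN negotiates and assigns an address, but no data flows."""
    counts = {"ike": 0, "keepalive": 0, "esp": 0, "malformed": 0}
    for p in payloads:
        counts[classify_udp4500(p).kind] += 1
    counts["data_flowing"] = counts["esp"] > 0
    return counts


# Constructed sample payloads (not a real capture): one IKE message, one
# keepalive and two ESP packets with a made-up SPI of 0x12345678.
SAMPLE = [
    NON_ESP_MARKER + b"\x11" * 28,
    NAT_KEEPALIVE,
    struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16,
    struct.pack("!II", 0x12345678, 2) + b"\xaa" * 16,
]

if __name__ == "__main__":
    print(tunnel_health(SAMPLE))
```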
 
LVL 23

Expert Comment

by:Erik Bjers
ID: 17180563
Did you get it working?
0
