Solved

problems with VPN with Cisco PIX

Posted on 2006-07-12
Medium Priority
609 Views
Last Modified: 2010-03-19
I currently have a Cisco PIX setup to VPN into work... but clearly, I've missed a step somewhere...

I am able to VPN into my domain , I get the welcome message, a second IP address that reflects what I would get at work, however, I can't ping anything or connect to the file server. (the local server IP, the file shares, etc...)

Any idea how I may be able to fix this?

Thanks!
Question by:mmanaigre
13 Comments
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096350
Do you have an ACL that does a no-NAT to the LAN of your network?
 
LVL 2

Expert Comment

by:just-one-it
ID: 17096368
It may be a routing issue. Is the PIX the default router for the devices you wish to reach at work?
 
LVL 23

Expert Comment

by:Erik Bjers
ID: 17096389
I have had this problem with my VPN at many remote locations. The problem has always been that the firewall at the remote end or the ISP does not allow UDP encapsulation. Without this you will get the connection (UDP traffic is used to create the connection), but when the client attempts to send TCP traffic through the UDP tunnel (UDP encapsulation) the firewall blocks it. First check any firewalls you have between the end user and the PIX, then have your clients check their firewalls or contact their ISP.

If your clients are in the US, most high-speed ISPs allow UDP encapsulation on all types of accounts. If your clients are overseas, many ISPs block UDP encapsulation on either personal accounts or dynamic IP accounts.

EB
 
LVL 23

Expert Comment

by:Erik Bjers
ID: 17096392
Alternately you can use a TCP VPN; not sure how to configure this on the PIX.

eb
 

Author Comment

by:mmanaigre
ID: 17096459
Thanks for all the quick responses. However, we're going to have to dummy up the answers a little bit. From a user standpoint, what should I do? Please go easy on the techy terms.

To my understanding the firewall is properly set up; we had our Cisco guy come down and take a look. I don't have any software firewall running on my end; however, I am going through a home Linksys router.

UDP tunnel? I don't quite get that.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17096484
One more thought; is there any chance your home network and the office network are using the same subnet? i.e. if the home network uses 192.168.0.x and the office uses the same subnet, you will experience problems as you have described.
 

Author Comment

by:mmanaigre
ID: 17096513


My home uses 192.168.1.x and my work uses 10.10.10.x
 
LVL 23

Expert Comment

by:Erik Bjers
ID: 17096515
The way a VPN normally works is:

               ****************UDP TRAFFIC***************
CLIENT         ----------------TCP TRAFFIC---------------- PIX -------------- server
               ****************UDP TRAFFIC***************

Steps in communication

1) the VPN client creates an encrypted UDP tunnel to the PIX
2) the traffic from the client to the server beyond the PIX is sent as TCP traffic through the UDP tunnel that was created in step 1

All you want to know about UDP Encapsulation and beyond: http://www.rfc-archive.org/getrfc.php?rfc=3948

What does this mean to you? Not much if you are not a network admin. Contact your ISP and make sure they are not blocking UDP encapsulation, and if they are, find out if they can allow the traffic (you may need to upgrade to a business account).

If your PIX was set up by a Cisco rep then that end should be OK. The Linksys router and any home software firewall should let UDP encapsulation pass (or at least prompt you for what to do with it), so the problem is more than likely with your ISP.

eb
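The "UDP encapsulation" that the two comments above (the firewall/ISP one and the diagram one) refer to is IPsec NAT traversal, RFC 3948, where ESP is wrapped in UDP port 4500 so a home router's NAT can forward it. The following is an added example, not code from the original posts: it classifies what actually crosses the wire on UDP/4500 (IKE behind a non-ESP marker, one-byte NAT keepalives, or ESP with its SPI and sequence number) and uses that to separate "the tunnel never came up" from "the tunnel is up but the encapsulated data is dropped somewhere", which is the symptom in the question. All payloads and flows are constructed for illustration; `diagnose` and its verdict strings are this example's own.

```python
"""Classify what crosses the wire on UDP/4500 (IPsec NAT traversal, RFC 3948).

Added example for the thread's "UDP encapsulation" point; it is not code
from the original posts. A VPN client behind a home router sends ESP packets
wrapped in UDP so that NAT can translate them; IKE on the same port is
prefixed with a four-byte non-ESP marker and keepalives are a single 0xFF
byte. The payloads and flows below are constructed for illustration.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s2.2: IKE carried on port 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 s2.3: one-byte NAT keepalive


def classify_udp4500_payload(payload: bytes) -> dict:
    """Return the kind of datagram: nat-keepalive, ike, esp or invalid.

    RFC 4303 reserves SPI 0, so a payload starting with four zero bytes can
    only be IKE, which is why the marker test comes before the ESP test.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "ike_len": len(payload) - 4}
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq,
                "encrypted_len": len(payload) - 8}
    return {"kind": "invalid", "len": len(payload)}


def diagnose(flows) -> str:
    """Summarise a list of (direction, payload) pairs seen on UDP/4500.

    direction is "out" (client to PIX) or "in" (PIX to client). The verdict
    strings are this example's own wording, not anything the PIX reports.
    """
    seen = {"out": set(), "in": set()}
    for direction, payload in flows:
        seen[direction].add(classify_udp4500_payload(payload)["kind"])
    if "ike" not in seen["out"] or "ike" not in seen["in"]:
        return "no IKE on UDP/4500 in both directions: port blocked or wrong peer"
    if "esp" in seen["out"] and "esp" not in seen["in"]:
        return ("tunnel up, encapsulated ESP leaves but never comes back: "
                "dropped on the return path or not sent through the tunnel by the PIX")
    if "esp" in seen["in"] and "esp" not in seen["out"]:
        return "tunnel up, ESP arrives but the client sends none: client-side filter"
    if "esp" in seen["out"]:
        return "tunnel up, ESP in both directions: look at NAT exemption or routing on the PIX"
    return "tunnel up, no ESP seen yet"


def _ike(payload_len: int) -> bytes:
    """Constructed IKE-on-4500 datagram: marker plus an opaque IKE message."""
    return NON_ESP_MARKER + b"\x00" * payload_len


def _esp(spi: int, seq: int, body_len: int) -> bytes:
    """Constructed ESP datagram: SPI, sequence number, opaque encrypted body."""
    return struct.pack("!II", spi, seq) + b"\xaa" * body_len


# Constructed capture: IKE both ways, then ESP only outbound, then a keepalive.
SAMPLE_FLOWS = [
    ("out", _ike(28)), ("in", _ike(28)),
    ("out", _esp(0x12345678, 1, 64)),
    ("out", _esp(0x12345678, 2, 64)),
    ("out", NAT_KEEPALIVE),
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_FLOWS))
```

Run it against a real capture by filtering on UDP port 4500 and feeding each datagram's payload with its direction; the case the thread is arguing about is the second verdict (ESP goes out, nothing comes back), and the third and fourth verdicts are what you see when the ISP is not the problem and the fault is on the PIX side.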
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 17096555
Actually, you should get an IP address from the NAT pool on the PIX.  It shouldn't be the same as the address you would get connecting to the office LAN.  Can you post your PIX config?  Just change the public IP addresses for security before posting.
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17096711
>> A Second ip address that I would get at work

This tells me that the IP pool configured on the PIX is the same as the internal network; this is not good.

You need to have the PIX configured not to NAT the connections coming back to you; typically it would be like this:

access-list nonat permit ip <corporate ip> <netmask> <vpnassignedip> <netmask>

nat (inside) 0 access-list nonat

Have your Cisco guy check this out; if possible, the configuration will tell us more.

Cheers,
Rajesh
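The two PIX lines in the comment above are the check a practitioner would want to run against the real config (the one the earlier comment asked the poster to share). The following is an added example, not code or configuration from the original posts: it parses a PIX 6.x-style config, finds the inside subnet, the VPN address pool and the ACL referenced by `nat (inside) 0`, and reports whether pool traffic is exempted from NAT and whether the pool overlaps the inside LAN. Whether that overlap is a problem is disputed later in the thread, so it is only reported, not failed. The config text, the pool and ACL names, and the finding strings are all constructed for this example.

```python
"""Check a PIX 6.x-style config for the VPN NAT-exemption pieces in this thread.

Added example, not code or configuration from the original posts. It parses
a constructed config, finds the inside subnet, the VPN address pool and the
ACL referenced by 'nat (inside) 0', then reports whether pool traffic is
exempted from NAT and whether the pool overlaps the inside LAN.
"""
import ipaddress

# Constructed sample; addresses follow the thread (10.10.10.x office LAN).
SAMPLE_CONFIG = """\
! constructed sample, not a real device configuration
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.10.10.1 255.255.255.0
ip local pool vpnpool 10.10.10.200-10.10.10.250
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.10.192 255.255.255.192
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""


def _net(tokens, i):
    """Parse 'host A' or 'A MASK' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1], strict=False), i + 2


def parse_pix_config(text: str) -> dict:
    """Pull out the inside subnet, local pools, 'permit ip' ACL entries and the nat 0 ACL name."""
    cfg = {"inside": None, "pools": {}, "acls": {}, "nat0_acl": None}
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_network(t[3] + "/" + t[4], strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _net(t, 4)
            dst, _ = _net(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg["nat0_acl"] = t[4]
    return cfg


def check_vpn_nat_exemption(cfg: dict) -> list:
    """Return findings; 'missing'/'not exempted' need action, 'note' is informational."""
    findings = []
    inside = cfg["inside"]
    if inside is None or not cfg["pools"]:
        return ["could not find an inside subnet or a VPN pool in the config"]
    entries = []
    if cfg["nat0_acl"] is None:
        findings.append("missing: 'nat (inside) 0 access-list <acl>', so replies to VPN clients get NATed")
    else:
        entries = cfg["acls"].get(cfg["nat0_acl"], [])
        if not entries:
            findings.append(f"nat 0 references ACL '{cfg['nat0_acl']}' which has no 'permit ip' entries")
    for name, (first, last) in cfg["pools"].items():
        pool_nets = list(ipaddress.summarize_address_range(first, last))
        # Every address in the pool must be a destination the inside subnet may reach without NAT.
        covered = all(any(inside.subnet_of(src) and p.subnet_of(dst) for src, dst in entries)
                      for p in pool_nets)
        if not covered:
            findings.append(f"not exempted: pool {name} ({first}-{last}) is not covered by the nat 0 ACL for {inside}")
        if any(p.overlaps(inside) for p in pool_nets):
            findings.append(f"note: pool {name} overlaps the inside subnet {inside}")
    return findings


if __name__ == "__main__":
    for finding in check_vpn_nat_exemption(parse_pix_config(SAMPLE_CONFIG)):
        print(finding)
```

Paste the output of `show run` (with public addresses changed, as the earlier comment suggests) in place of the sample and run it; a "missing" or "not exempted" finding is the first thing to hand to the Cisco contact.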
 
LVL 2

Expert Comment

by:just-one-it
ID: 17097206
From a user point of view, I don't think there is much you can do.  You will need to know how the network is configured.  You will also need access to the pix configuration, in order to find out how its configured and fix any problems.  Any more info you could provide about the way your network is configured would be helpful.
 
LVL 23

Accepted Solution

by:
Erik Bjers earned 1500 total points
ID: 17098346
"This tells me that the ip pool configured at pix is the same as the internal network, this is not good." I disagree. When you connect to the VPN you want to get an IP in the same subnet as the network you are connecting to, otherwise you need routing. If you are getting an IP "That I would Get at work" that tells me you are getting an IP that is in the same subnet.

The whole focus of my job is VPN with Cisco equipment and all my clients get IP addresses in the same network/subnet as my main network.

EVERY TIME I came across the problem you mentioned it was because a firewall between the end user and the VPN device (PIX in your case) was blocking UDP encapsulation. More than likely this is on the ISP; call the ISP, get a top-level tech (one who knows what he's talking about) and ask if UDP encapsulation is allowed to pass, and if it's not, how do you get it to pass (i.e. upgrade your account).

eb
 
LVL 23

Expert Comment

by:Erik Bjers
ID: 17180563
Did you get it working?