Solved

Cannot access a network using cisco vpn client from behind a firewall, connection ok, but no access to content on network

Posted on 2008-10-22
11
714 Views
Last Modified: 2012-06-27
I am having trouble connecting to a cisco vpn using client version 5.0.01.0600 from behind a firewall. The connection appears to connect and i am assigned an ip address, but i cannot browse to any ip addresses behind the firewall.

I am running vista on a pc in a SBS 2000 environment using the inbuilt software firewall and a binatone router.

I have opened ports 500 and 4500 on the router and the firewall as i read these were the ports the VPN client uses for traffic, but still no joy.

Any help or advice gratefully appreciated!
0
Comment
Question by:simplethinking
  • 4
  • 4
  • 2
  • +1
11 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 22775106
Hello simplethinking,

add the following linne to the config on the cisco firewall

crypto isakmp nat-traversal  20



Regards,

PeteLong
0
 

Author Comment

by:simplethinking
ID: 22775124
Thanks for the speedy response pete.

Unfortunately we do not have direct access to the firewall.

Is there anything we can do here to enable the connection??
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 22776345
I'm guessing the problem is NAT, short of moving outside of the firewall, theres not a lot you can do
0
 
LVL 16

Expert Comment

by:btassure
ID: 22780369
You could try going into the connection profile properties, then the transport tab and changing the tunneling to ipsec over tcp but I doubt it will work properly. PeteLong is correct that any changes to get it working will likely need to be done on the firewall. Have you got correct DNS servers etc?
0
 

Author Comment

by:simplethinking
ID: 22784755
Good morning,

I have done further testing.  The Cisco vpn software connects correctly, once the connection has been established I have tried:
- Pinging the ip address we are tring to reach and get an immediate time out response
- Tracert and this doesnt return anything and eventually times out

This would indicate the problem is an issue with all external IP requests being blocked by our firewall when the Cisco VPN software is active.

Thank you for time and patience,



0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 16

Expert Comment

by:btassure
ID: 22787756
If it is connected then it is almost certainly a configuration issue either on the servers at the VPN host end or the VPN head end firewall. The local firewall won't block the pings as they are encapsulated into the IPSEC traffic destined for the firewall. The local firewalls will only see encrypted IPSEC packets, not the pings.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 22790347
If a tunnle connect and no traffic passes 99% of the time the problem is NAT - either the Nat 0 command is missing on the Cisco, there is no ACL that matched that NAT 0 command or Nat-traversal has not been enabled
0
 

Author Comment

by:simplethinking
ID: 22830370
Hi PeteLong,

Thank you for answers.

 I can successfully connect and browse website on the VPN from my standard home internet ADSL internet connection.  Is the problem being caused by our firewall vs the home connection?
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 22832682
If you can connect and browse what is the problem m8?
0
 

Author Comment

by:simplethinking
ID: 22832773
Hi PeteLong,

As per the orginal post we can connect the vpn from inside our company network (on my laptop) however when we try to browse website hosted inside that network we get blocked at somepoint.

"The Cisco vpn software connects correctly, once the connection has been established I have tried:
- Pinging the ip address we are tring to reach and get an immediate time out response
- Tracert and this doesnt return anything and eventually times out"

If i connect to the vpn from home (on the same laptop) the vpn connects fine and I can browse the internal website without any problems.

The issue is we need the vpn and browsing to work from inside our network.
0
 
LVL 4

Expert Comment

by:Tachyon_1
ID: 25761120
I'm not sure why you would run the VPN when you are inside the network, but anyway...

Have you tried enabling the "Allow local LAN access" option from the Transport tab of the VPN client "modify configuration" menu?
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now