simplethinking
asked on
Cannot access a network using cisco vpn client from behind a firewall, connection ok, but no access to content on network
I am having trouble connecting to a cisco vpn using client version 5.0.01.0600 from behind a firewall. The connection appears to connect and i am assigned an ip address, but i cannot browse to any ip addresses behind the firewall.
I am running vista on a pc in a SBS 2000 environment using the inbuilt software firewall and a binatone router.
I have opened ports 500 and 4500 on the router and the firewall as i read these were the ports the VPN client uses for traffic, but still no joy.
Any help or advice gratefully appreciated!
I am running vista on a pc in a SBS 2000 environment using the inbuilt software firewall and a binatone router.
I have opened ports 500 and 4500 on the router and the firewall as i read these were the ports the VPN client uses for traffic, but still no joy.
Any help or advice gratefully appreciated!
ASKER
Thanks for the speedy response pete.
Unfortunately we do not have direct access to the firewall.
Is there anything we can do here to enable the connection??
Unfortunately we do not have direct access to the firewall.
Is there anything we can do here to enable the connection??
I'm guessing the problem is NAT, short of moving outside of the firewall, theres not a lot you can do
You could try going into the connection profile properties, then the transport tab and changing the tunneling to ipsec over tcp but I doubt it will work properly. PeteLong is correct that any changes to get it working will likely need to be done on the firewall. Have you got correct DNS servers etc?
ASKER
Good morning,
I have done further testing. The Cisco vpn software connects correctly, once the connection has been established I have tried:
- Pinging the ip address we are tring to reach and get an immediate time out response
- Tracert and this doesnt return anything and eventually times out
This would indicate the problem is an issue with all external IP requests being blocked by our firewall when the Cisco VPN software is active.
Thank you for time and patience,
I have done further testing. The Cisco vpn software connects correctly, once the connection has been established I have tried:
- Pinging the ip address we are tring to reach and get an immediate time out response
- Tracert and this doesnt return anything and eventually times out
This would indicate the problem is an issue with all external IP requests being blocked by our firewall when the Cisco VPN software is active.
Thank you for time and patience,
If it is connected then it is almost certainly a configuration issue either on the servers at the VPN host end or the VPN head end firewall. The local firewall won't block the pings as they are encapsulated into the IPSEC traffic destined for the firewall. The local firewalls will only see encrypted IPSEC packets, not the pings.
If a tunnle connect and no traffic passes 99% of the time the problem is NAT - either the Nat 0 command is missing on the Cisco, there is no ACL that matched that NAT 0 command or Nat-traversal has not been enabled
ASKER
Hi PeteLong,
Thank you for answers.
I can successfully connect and browse website on the VPN from my standard home internet ADSL internet connection. Is the problem being caused by our firewall vs the home connection?
Thank you for answers.
I can successfully connect and browse website on the VPN from my standard home internet ADSL internet connection. Is the problem being caused by our firewall vs the home connection?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi PeteLong,
As per the orginal post we can connect the vpn from inside our company network (on my laptop) however when we try to browse website hosted inside that network we get blocked at somepoint.
"The Cisco vpn software connects correctly, once the connection has been established I have tried:
- Pinging the ip address we are tring to reach and get an immediate time out response
- Tracert and this doesnt return anything and eventually times out"
If i connect to the vpn from home (on the same laptop) the vpn connects fine and I can browse the internal website without any problems.
The issue is we need the vpn and browsing to work from inside our network.
As per the orginal post we can connect the vpn from inside our company network (on my laptop) however when we try to browse website hosted inside that network we get blocked at somepoint.
"The Cisco vpn software connects correctly, once the connection has been established I have tried:
- Pinging the ip address we are tring to reach and get an immediate time out response
- Tracert and this doesnt return anything and eventually times out"
If i connect to the vpn from home (on the same laptop) the vpn connects fine and I can browse the internal website without any problems.
The issue is we need the vpn and browsing to work from inside our network.
I'm not sure why you would run the VPN when you are inside the network, but anyway...
Have you tried enabling the "Allow local LAN access" option from the Transport tab of the VPN client "modify configuration" menu?
Have you tried enabling the "Allow local LAN access" option from the Transport tab of the VPN client "modify configuration" menu?
add the following linne to the config on the cisco firewall
crypto isakmp nat-traversal 20
Regards,
PeteLong