Solved

How to solve a VPN configuration problem?

Posted on 2009-04-01
11
206 Views
Last Modified: 2012-05-06
I have a wireless router behind a firewall trying to establish connection to outside network with VPN client. The VPN Client authenticates and connects to outside network but cannot remote desktop any system once the connection is established. I can remote desktop to any system if I bypass the firewall. Inside address range at both locations is 192.168.x.x. Any suggestions?
Question by:dyoung22
11 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 24039101
It's safe to assume that the firewall at your location is the cause of the issue. However, it makes little sense that the firewall would allow the tunnel to build, but then deny traffic on the tunnel for 1 specific port since the traffic from your machine is already protected.

Just to clarify, you are using a client on a PC and not using the firewall for a site to site VPN.  Correct?  

What client are you using and to which firewall model are you connecting?   Cisco? Sonicwall? Other?  

0
 

Expert Comment

by:oncalltech
ID: 24039147
I think the issue is your 192.168. I assume you are using a 24-bit subnet, so the third octet is needed here. If they are the same, how is your VPN connecting? Is your firewall also your router? Please provide more detail on your configuration. Also, is the remote desktop trying to connect and failing? Have you checked your router's MTU?
0
 
LVL 14

Expert Comment

by:Roachy1979
ID: 24039755
I think oncalltech is right......if you are using the same subnet at the remote and local ends of the connection this is likely to be the root cause of the problem.  In order to route traffic over a VPN, both sides of the network need to have distinctive address ranges...
0
 

Author Comment

by:dyoung22
ID: 24040345
Thanks for the comments! Sorry for the delay but being new to EE I wasn't clear on how to reply. I was leaning toward the duplicate subnet as being the problem so I'm going to restructure the home network and give it another shot. FYI... wireless router is separate and behind the firewall. I'll set static IP inside (10.x.x.x) on firewall and establish as DHCP server. Will keep you updated and post the configuration if problem persists after the change.
0
 
LVL 14

Expert Comment

by:Roachy1979
ID: 24040438
No worries :)

Let us know how you get on!
0

 

Author Comment

by:dyoung22
ID: 24045909
OK... Set up network as a 10.x.x.x network, wiping the firewall clean and starting over. Same results... The VPN Client connects but can't access network. I connect PC directly to DSL router and I'm able to access just fine. I'm missing something on the firewall configuration so if you guys can take a look at the attached I would appreciate it.

eepix.txt
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24059144
The problem is with IPSEC and NAT.  NAT-Traversal (NAT-T) needs to be enabled on the headend VPN server (not your PIX).  If whoever manages the VPN server won't enable NAT-T, you can do the following on your PIX as a workaround.

conf t
fixup protocol esp-ike
access-list outside_access_in permit esp any any
access-group outside_access_in in interface outside
0
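Whether a tunnel is sending raw ESP or NAT-T encapsulated traffic, which is the distinction the accepted answer turns on, can be read from a packet capture. The Python below is an added example, not part of the original thread: it labels raw IPv4 packets as IKE (UDP 500), NAT-T (UDP 4500, RFC 3948) or native ESP (IP protocol 50). The function names are hypothetical and the sample packets and addresses are constructed.

```python
import struct

# IP protocol and UDP port numbers from the IPsec RFCs (not from the thread).
PROTO_UDP, PROTO_ESP = 17, 50
IKE_PORT, NATT_PORT = 500, 4500

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet by how it carries IPsec traffic."""
    ihl = (packet[0] & 0x0F) * 4 if packet else 0  # header length in bytes
    if len(packet) < 20 or packet[0] >> 4 != 4 or not 20 <= ihl <= len(packet):
        return "not-ipv4"
    if packet[9] == PROTO_ESP:
        return "raw-esp"  # no ports, so a PAT device cannot track it by port
    if packet[9] != PROTO_UDP or len(packet) < ihl + 8:
        return "other"
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    payload = packet[ihl + 8:]
    if IKE_PORT in (sport, dport):
        return "ike"
    if NATT_PORT not in (sport, dport):
        return "other"
    if len(payload) < 4:
        return "natt-keepalive" if payload == b"\xff" else "other"
    # RFC 3948: four zero bytes (non-ESP marker) = IKE, anything else = ESP.
    return "ike-natt" if payload[:4] == b"\x00" * 4 else "esp-in-udp"

def diagnose(packets) -> str:
    """Summarise a capture: is tunnel data raw ESP or NAT-T encapsulated?"""
    kinds = {classify(p) for p in packets}
    if "esp-in-udp" in kinds:
        return "nat-t-active"
    if "raw-esp" in kinds:
        return "raw-esp-needs-firewall-permit"
    return "ike-only" if kinds & {"ike", "ike-natt"} else "no-ipsec-seen"

def ipv4_packet(proto: int, payload: bytes) -> bytes:
    """Constructed sample packet (RFC 5737 addresses, checksum left at 0)."""
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, src, dst) + payload

def udp_packet(sport: int, dport: int, data: bytes) -> bytes:
    header = struct.pack("!HHHH", sport, dport, 8 + len(data), 0)
    return ipv4_packet(PROTO_UDP, header + data)

# Constructed captures: ESP sent natively vs. the same tunnel using NAT-T.
ESP = b"\x00\x00\x10\x01" + b"\xaa" * 32  # made-up SPI followed by filler
SAMPLE_RAW = [udp_packet(500, 500, b"\x11" * 28), ipv4_packet(PROTO_ESP, ESP)]
SAMPLE_NATT = [udp_packet(4500, 4500, b"\x00" * 4 + b"\x11" * 28),
               udp_packet(4500, 4500, ESP), udp_packet(4500, 4500, b"\xff")]
```

A `raw-esp-needs-firewall-permit` result is the case the PIX workaround above addresses; `nat-t-active` means the tunnel data is already wrapped in UDP 4500 and needs no ESP rule.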
 

Author Comment

by:dyoung22
ID: 24059395
Thanks... I'll check the VPN server for NAT-T and establish the workaround this evening if necessary. Stay tuned.
0
 

Author Comment

by:dyoung22
ID: 24067483
NAT-T was already enabled on the headend so I enabled ESP on my end and was successful accessing network resources. Thanks for all the input.
0
 

Author Closing Comment

by:dyoung22
ID: 31565295
JFrederick29... although NAT-T was already enabled on the headend, enabling ESP was right on at my end. Thanks for the solution!
0
