Cisco VPN Client 4.04 Rel to a PIX 506E connects, but no traffic

Discussion in 'Cisco' started by GlenMorgan, Feb 14, 2005.

  1. GlenMorgan

    GlenMorgan Guest

    I configured a PIX 506E w/ v6.3 PixOS. I can connect just fine; however,
    I cannot see anything at all on the inside network. Here's my relevant
    config:


    access-list nonatinside permit ip 192.168.20.0 255.255.255.0
    192.168.21.0 255.255.255.0
    !
    ip local pool clientpool 192.168.21.10-192.168.21.25
    !
    sysopt connection permit-ipsec
    crypto ipsec transform-set a-transform esp-3des esp-md5-hmac
    crypto dynamic-map mydynmap 10 set transform-set a-transform
    crypto map mymap 10 ipsec-isakmp dynamic mydynmap
    !
    isakmp policy 10 lifetime 86400
    vpngroup testlogin address-pool clientpool
    vpngroup testlogin dns-server 192.168.20.3 192.168.20.4
    vpngroup testlogin default-domain mydomain.com
    vpngroup testlogin split-tunnel nonatinside
    vpngroup testlogin idle-time 32400
    vpngroup testlogin password ********
    !
     
    GlenMorgan, Feb 14, 2005
    #1

  2. GlenMorgan

    rave Guest

    Re: Cisco VPN Client 4.04 Rel to a PIX 506E connects, but no traffic

    Is this a PIX config? I think this is a router config. Anyway, if you
    are coming from behind a NAT or a PAT device to connect to the PIX, add the
    following command:
    isakmp nat-t 20

    This should solve the problem.
    Make sure in the VPN client, when you go to a connection entry and the
    Transport tab, you have checked the IPSec over UDP check box.
     
    rave, Feb 14, 2005
    #2

  3. Re: Cisco VPN Client 4.04 Rel to a PIX 506E connects, but no traffic

    In article <>,
    rave <> wrote:
    :is this a pix config. i think this is a router config.

    It was definitely a PIX configuration that the OP posted.
    --
    Warhol's Law: every Usenet user is entitled to his or her very own
    fifteen minutes of flame -- The Squoire
     
    Walter Roberson, Feb 14, 2005
    #3
  4. GlenMorgan

    GlenMorgan Guest

    Re: Cisco VPN Client 4.04 Rel to a PIX 506E connects, but no traffic

    Walter Roberson wrote:
    > In article <>,
    > rave <> wrote:
    > :is this a pix config. i think this is a router config.
    >
    > It was definitely a PIX configuration that the OP posted.



    Well, I'm not sure why it's still not working. I've done this in the
    past with less configuration. Could it be the new client? I know this
    worked on a 3.x version.
     
    GlenMorgan, Feb 15, 2005
    #4
  5. In article <>,
    GlenMorgan <> wrote:
    :I configured a PIX 506E w/ v6.3 PixOS. I can connect just fine however,
    :I cannot see anything at all on the inside network. Here's my relavant
    :config:
    :access-list nonatinside permit ip 192.168.20.0 255.255.255.0 192.168.21.0 255.255.255.0
    :ip local pool clientpool 192.168.21.10-192.168.21.25

    Just to cross-check: you have a specific or default route on the
    PIX that would send packets for 192.168.21 towards the outside interface?
    The PIX needs the packets to be routed towards the interface the VPN
    is active on, and then it sort of redirects the packets at the last moment.
    --
    How does Usenet function without a fixed point?
     
    Walter Roberson, Feb 15, 2005
    #5
  6. GlenMorgan

    GlenMorgan Guest

    Walter Roberson wrote:
    > In article <>,
    > GlenMorgan <> wrote:
    > :I configured a PIX 506E w/ v6.3 PixOS. I can connect just fine however,
    > :I cannot see anything at all on the inside network. Here's my relavant
    > :config:
    > :access-list nonatinside permit ip 192.168.20.0 255.255.255.0 192.168.21.0 255.255.255.0
    > :ip local pool clientpool 192.168.21.10-192.168.21.25
    >
    > Just to cross-check: you have a specific or default route on the
    > PIX that would send packets for 192.168.21 towards the outside interface?
    > The PIX needs the packets to be routed towards the interface the VPN
    > is active on, and then it sort of redirects the packets at the last moment.



    Hmm, how would that look?

    route inside 192.168.21.0 255.255.255.0 192.168.20.1 1?

    192.168.20.1 being the PIX inside

    Glenn
     
    GlenMorgan, Feb 16, 2005
    #6
  7. In article <>,
    GlenMorgan <> wrote:
    |Walter Roberson wrote:

    |> Just to cross-check: you have a specific or default route on the
    |> PIX that would send packets for 192.168.21 towards the outside interface?
    |> The PIX needs the packets to be routed towards the interface the VPN
    |> is active on, and then it sort of redirects the packets at the last moment.

    |Hmm, how would that look?
    |route inside 192.168.21.0 255.255.255.0 192.168.20.1 1?
    |192.168.20.1 being the PIX inside

    If you are using specific routes,

    route outside 192.168.21.0 255.255.255.0 PIXOUTSIDEIP 1

    That's a little unusual, though, in that a lot of the time you will have
    a default route,

    route outside 0.0.0.0 0.0.0.0 PIXOUTSIDEIP 1

    because you normally want all traffic destined for outside IPs to
    head out the PIX outside interface. 192.168.21/24 falls within
    0.0.0.0 0.0.0.0 so automatically 192.168.21/24 would be sent towards
    the outside interface, which is all that is needed in this instance:
    the PIX will grab the 192.168.21/24 destined packets and stuff them
    into the IPSec tunnel like you want. So most of the time you
    don't even need to think about it -- you just use an IP pool that
    isn't part of your inside subnet and the rest happens without you
    thinking about it.

    Other ways of getting a default route include:

    ip address outside dhcp setroute

    and

    rip outside passive version 1 (or version 2)

    --
    Strange but true: there are entire WWW pages devoted to listing
    programs designed to obfuscate HTML.
     
    Walter Roberson, Feb 16, 2005
    #7
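    The routing point made in the reply above (the pool must be routed toward the interface the VPN terminates on, and a plain default route already does that) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses the static `route` lines of a PIX 6.3 config and resolves a pool address by longest-prefix match. The configs are constructed for the example, `PIXOUTSIDEIP` is the same placeholder gateway the post uses, and the function names are this example's own. It goes one step beyond the post by also showing why the `route inside` line proposed in #6 is wrong: being more specific than the default, it wins and sends pool traffic back toward the inside network.

```python
# Added example (not from the thread): longest-prefix-match over PIX 6.3
# "route" lines, to show where packets for a VPN client pool address go.
# Configs below are constructed; PIXOUTSIDEIP is a placeholder gateway.
import ipaddress
import re

ROUTE_RE = re.compile(
    r"^\s*route\s+(?P<iface>\S+)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mask>\d+\.\d+\.\d+\.\d+)\s+(?P<gw>\S+)(?:\s+(?P<metric>\d+))?\s*$"
)


def parse_routes(config_text):
    """Return a list of (interface, network, gateway) for each 'route' line."""
    routes = []
    for line in config_text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            # ipaddress accepts dotted netmasks, so 0.0.0.0/0.0.0.0 becomes 0.0.0.0/0
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            routes.append((m["iface"], net, m["gw"]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins.

    Returns the egress interface name, or None when no route (not even a
    0.0.0.0/0 default) covers the destination.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for iface, net, gw in routes:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, gw)
    return best[0] if best else None


def pool_reaches_vpn_interface(config_text, pool_addr, vpn_iface="outside"):
    """True when packets for a pool address would leave via the interface the
    remote-access VPN terminates on, which the PIX needs before it can divert
    them into the IPsec tunnel."""
    return lookup(parse_routes(config_text), pool_addr) == vpn_iface


# Constructed configs. Pool is 192.168.21.10-25, inside subnet is 192.168.20.0/24.
DEFAULT_ONLY = "route outside 0.0.0.0 0.0.0.0 PIXOUTSIDEIP 1\n"
SPECIFIC_AND_DEFAULT = (
    "route outside 192.168.21.0 255.255.255.0 PIXOUTSIDEIP 1\n" + DEFAULT_ONLY
)
# The 'route inside' line proposed in post #6: more specific than the default,
# so it wins and sends pool traffic toward the inside network instead.
WRONG_INSIDE_ROUTE = (
    "route inside 192.168.21.0 255.255.255.0 192.168.20.1 1\n" + DEFAULT_ONLY
)

if __name__ == "__main__":
    for name, cfg in [("default only", DEFAULT_ONLY),
                      ("specific + default", SPECIFIC_AND_DEFAULT),
                      ("inside route + default", WRONG_INSIDE_ROUTE),
                      ("no routes", "")]:
        print(f"{name:24s} 192.168.21.10 -> {lookup(parse_routes(cfg), '192.168.21.10')}")
```

    Run it as a script to see the four cases side by side; with only the default route the pool address already resolves to `outside`, which is all the PIX needs.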
  8. GlenMorgan

    GlenMorgan Guest

    Walter Roberson wrote:
    > In article <>,
    > GlenMorgan <> wrote:
    > |Walter Roberson wrote:
    >
    > |> Just to cross-check: you have a specific or default route on the
    > |> PIX that would send packets for 192.168.21 towards the outside interface?
    > |> The PIX needs the packets to be routed towards the interface the VPN
    > |> is active on, and then it sort of redirects the packets at the last moment.
    >
    > |Hmm, how would that look?
    > |route inside 192.168.21.0 255.255.255.0 192.168.20.1 1?
    > |192.168.20.1 being the PIX inside
    >
    > If you are using specific routes,
    >
    > route outside 192.168.21.0 255.255.255.0 PIXOUTSIDEIP 1
    >
    > That's a little unusual, though, in that a lot of the time you will have
    > a default route,
    >
    > route outside 0.0.0.0 0.0.0.0 PIXOUTSIDEIP 1
    >
    > because you normally want all traffic destined for outside IPs to
    > head out the PIX outside interface. 192.168.21/24 falls within
    > 0.0.0.0 0.0.0.0 so automatically 192.168.21/24 would be sent towards
    > the outside interface, which is all that is needed in this instance:
    > the PIX will grab the 192.168.21/24 destined packets and stuff them
    > into the IPSec tunnel like you want. So most of the time you
    > don't even need to think about it -- you just use an IP pool that
    > isn't part of your inside subnet and the rest happens without you
    > thinking about it.
    >
    > Other ways of getting a default route include:
    >
    > ip address outside dhcp setroute
    >
    > and
    >
    > rip outside passive version 1 (or version 2)
    >



    Ok, it's weird because I've had this working before a couple of years ago
    and didn't (to my knowledge) have to do this. I was thinking it was
    something "funky" in the new VPN client software or PIX OS.

    Since there's no router inside, I just point the PIX's default route to
    the router connected to the outside interface.

    You stated I could have just used some IPs on the internal interface
    network for the VPN client IP pool? I thought I did this and it still fails.

    Glenn
     
    GlenMorgan, Feb 17, 2005
    #8
  9. GlenMorgan

    Guest

    Re: Cisco VPN Client 4.04 Rel to a PIX 506E connects, but no traffic

    Glenn,

    I am having the exact same problem but cannot offer any solution yet.
    Still, I would like to join the thread because this has me going nuts.

    I can say a few things about my setup. It's a PIX 515e and I have lots
    of people connecting to it who are behind firewalls and other NATing
    devices. No one has a problem except one client. He connects and
    authenticates to the RADIUS server on the LAN. But that's it. No traffic
    enters the LAN. So OK, he disconnects and does dial-up to an ISP and
    connects to the Internet on the same machine. He opens the VPN client,
    connects again and BOOM, he's in. Just another host on the segment and
    everything works fine.

    When I do a show crypto sa while he connects through his LAN and another
    sh crypto sa while he's connected doing dial-up, this is the only
    difference I see other than the number of packets that are coming in
    doing dial-up:

    current_peer: 212.33.188.241:500 (with dial-up)
    current_peer: 81.35.202.188:6 (through his LAN)

    Anyone who ever successfully connects to the PIX and enters the LAN
    has 500. He is the only client who connects with 6 or whatever. Never
    with 500. What does this mean? I have no idea. This is my first PIX and
    I have had to learn everything alone.

    One more thing that may or may not help. If he connects through his LAN
    with ssh1 (SecureCRT) to the PIX he can get to the remote LAN. PING,
    Telnet etc. it all works.

    So it would seem the problem is IP. But I don't know what more to do.

    Keep in touch,

    Pete



    GlenMorgan wrote:
    > Walter Roberson wrote:
    > > In article <>,
    > > GlenMorgan <> wrote:
    > > |Walter Roberson wrote:
    > >
    > > |> Just to cross-check: you have a specific or default route on the
    > > |> PIX that would send packets for 192.168.21 towards the outside interface?
    > > |> The PIX needs the packets to be routed towards the interface the VPN
    > > |> is active on, and then it sort of redirects the packets at the last moment.
    > >
    > > |Hmm, how would that look?
    > > |route inside 192.168.21.0 255.255.255.0 192.168.20.1 1?
    > > |192.168.20.1 being the PIX inside
    > >
    > > If you are using specific routes,
    > >
    > > route outside 192.168.21.0 255.255.255.0 PIXOUTSIDEIP 1
    > >
    > > That's a little unusual, though, in that a lot of the time you will have
    > > a default route,
    > >
    > > route outside 0.0.0.0 0.0.0.0 PIXOUTSIDEIP 1
    > >
    > > because you normally want all traffic destined for outside IPs to
    > > head out the PIX outside interface. 192.168.21/24 falls within
    > > 0.0.0.0 0.0.0.0 so automatically 192.168.21/24 would be sent towards
    > > the outside interface, which is all that is needed in this instance:
    > > the PIX will grab the 192.168.21/24 destined packets and stuff them
    > > into the IPSec tunnel like you want. So most of the time you
    > > don't even need to think about it -- you just use an IP pool that
    > > isn't part of your inside subnet and the rest happens without you
    > > thinking about it.
    > >
    > > Other ways of getting a default route include:
    > >
    > > ip address outside dhcp setroute
    > >
    > > and
    > >
    > > rip outside passive version 1 (or version 2)
    > >
    >
    >
    > Ok, it's weird because I've had this working before a couple of years ago
    > and didn't (to my knowledge) had to do this. I was thinking it was
    > something "funky" in the new VPN client software or PIX OS.
    >
    > Since there's no router inside, I just point the PIX's default route to
    > the router connected to the outside interface.
    >
    > You stated I could have just used some IPs on the internal interface
    > network for the VPN client IP pool? I thought I did this and it still fails.
    >
    > Glenn
     
    , Feb 17, 2005
    #9
  10. GlenMorgan

    GlenMorgan Guest

    Re: Cisco VPN Client 4.04 Rel to a PIX 506E connects, but no traffic

    wrote:
    > Glenn,
    >
    > I am having the exact same problem but cannot offer any solution yet.
    > Still I would like to join the thread becuase this has me going nuts.
    >
    > I can say a few things about my setup. Its a PIX 515e and I have lots
    > of people connecting to it who are behind firewalls and other NATing
    > devices. No one has a problem except one client. He connects and
    > authenticates to the RADIUS server on the LAN. But thats it. No traffic
    > enters the LAN. So OK, he disconnects and does dial-up to an ISP and
    > connects to the Internet on the same machine. He opens the VPN client
    > connects again and BOOM, he´s in. Just another host on the segment and
    > everyworks fine.
    >
    > When I do a show crypto sa while he connects though his LAN and another
    > sh crypto sa while he´s connected doing dial up there is the only
    > difference I see other than the number of packets that are coming in
    > doing dial up:
    >
    > current_peer: 212.33.188.241:500 (with dial-up)
    > current_peer: 81.35.202.188:6 (through his LAN)
    >
    > Anyone who every successfully connects to the PIX and enters the LAN
    > has 500. He is the only client who connects with 6 or whatever. Never
    > with 500. What does this mean? I have no idea. This is my first PIX and
    > I have had to learn everything alone.
    >
    > One more thing that may or may not help. If he connects through his LAN
    > with ssh1 (Secure CRT) to the PIX he can get to the remote LAN. PING,
    > Telnet etc. it all works.
    >
    > So it would seem the problem is IP. But I dont know what more to do.
    >
    > Keep in touch,
    >
    > Pete
    >


    Same boat here, everything I've learned is from a book or experimenting
    at home first, then at work. Newsgroups though have been the biggest help.
    I had this working at one time on 5.x OS and 6.22 PIXOS. I don't know
    if that's relevant, but I did have it working. I connect to a client I
    set up and I myself cannot see anything on the LAN; however, the
    customer from his house can?!?! Using the same credentials. So I
    thought, well, maybe the ISP is blocking, but they claim they are not, as I
    have VPN peers to multiple places.
     
    GlenMorgan, Feb 18, 2005
    #10
  11. GlenMorgan

    Pichi Guest

    Re: Cisco VPN Client 4.04 Rel to a PIX 506E connects, but no traffic

    OK Glen, I can't explain what happened, but when I added:

    nat-traversal 20

    my client connected and got into the remote LAN.

    I am using version 6.3.1 of the OS and I have read (not officially) that
    this version may have bugs with NAT traversal. I assumed it was enabled
    but it is not. The clients who could not connect did have one thing in
    common. They all used the same ISP. However, I use this ISP and I got
    in every time. I am glad it works now, but it still bothers me why some
    got in and some did not with seemingly the same setup.

    Let me know how you do with this.

    Pete
     
    Pichi, Feb 18, 2005
    #11
  12. GlenMorgan

    GlenMorgan Guest

    Re: Cisco VPN Client 4.04 Rel to a PIX 506E connects, but no traffic

    Pichi wrote:
    > OK Glen, I can´t explain what happened, but when I added:
    >
    > nat-traversal 20
    >
    > my client connected and got into the remote LAN.
    >
    > I am using version 6.3.1 of the OS and I have read (not offically) that
    > this version may have bugs with Nat Traversal. I assumed it was enabled
    > but it is not. The clients who could not connect did have one thing in
    > common. There all used the same ISP. However I use this ISP and I got
    > in every time. I am glad it works now, but it still bothers me why some
    > got in and some did not with seemingly the same setup.
    >
    > Let me know how you do with this.
    >
    > Pete
    >



    I also got it working. Different configuration however. I had to
    define another ACL for the VPNGroup. I was using the same ACL for the
    "donotnat" and that didn't work even though theoretically it should
    have. As soon as I did that, it worked just fine. Thanks to all for
    the help.

    Glenn
     
    GlenMorgan, Feb 21, 2005
    #12
  13. GlenMorgan

    timxcd Guest

    Re: Cisco VPN Client 4.04 Rel to a PIX 506E connects, but no traffic

    I have had this problem before. Make sure that you are permitting IPSEC
    traffic: it will connect, and ICMP will work, but really nothing beyond
    that.

    The command is:

    sysopt connection permit-ipsec

    GlenMorgan wrote:
    > Pichi wrote:
    > > OK Glen, I can´t explain what happened, but when I added:
    > >
    > > nat-traversal 20
    > >
    > > my client connected and got into the remote LAN.
    > >
    > > I am using version 6.3.1 of the OS and I have read (not officially) that
    > > this version may have bugs with NAT traversal. I assumed it was enabled
    > > but it is not. The clients who could not connect did have one thing in
    > > common. They all used the same ISP. However, I use this ISP and I got
    > > in every time. I am glad it works now, but it still bothers me why some
    > > got in and some did not with seemingly the same setup.
    > >
    > > Let me know how you do with this.
    > >
    > > Pete
    > >
    >
    >
    > I also got it working. Different configuration however. I had to
    > define another ACL for the VPNGroup. I was using the same ACL for the
    > "donotnat" and that didn't work even though theoretically it should
    > have. As soon as I did that, it worked just fine. Thanks to all for
    > the help.
    >
    > Glenn
     
    timxcd, Feb 21, 2005
    #13
  14. Re: Cisco VPN Client 4.04 Rel to a PIX 506E connects, but no traffic

    In article <>,
    timxcd <> wrote:
    :I have had this problem before, make sure that you are permiting IPSEC
    :traffic, it will connect, and ICMP will work, but really nothing beyond
    :that.
    :the command is:
    :sysopt connection permit-ipsec

    Not exactly. That command allows IPSec traffic to bypass ACLs.
    If, though, your ACLs already permit the traffic, then you do not
    need that command. You have much finer grained control over your
    security if you do not use sysopt connection permit-ipsec --
    consider what happens if your remote office gets a virus.
    --
    Reviewers should be required to produce a certain number of
    negative reviews - like police given quotas for handing out
    speeding tickets. -- The Audio Anarchist
     
    Walter Roberson, Feb 22, 2005
    #14
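    The thread ends with four separate findings spread over several posts: NAT traversal must be enabled for clients behind NAT/PAT (#2, #11), the pool should sit outside the inside subnet (#7), Glenn's fix of giving the vpngroup a split-tunnel ACL separate from the nat 0 ACL (#12), and Walter's point that `sysopt connection permit-ipsec` bypasses the interface ACLs (#14), plus Pete's observation in #9 that the failing peer showed up on a port other than 500. The following is an added example, not code from the thread or from Cisco: a lint pass over a PIX 6.3 config text and a `show crypto sa` excerpt that reports those conditions. `isakmp nat-traversal` is the full form of the command the posts abbreviate as `isakmp nat-t` / `nat-traversal`. The config is constructed from the OP's posted lines plus an assumed `ip address inside` line and an assumed `nat (inside) 0` line that reuses the same ACL; the show output is constructed with documentation addresses; the function names are this example's own. A peer port other than 500 is reported as a sign that a NAT/PAT device rewrote the IKE source port, which is the situation NAT traversal exists for.

```python
# Added example (not from the thread): lint a PIX 6.3 config for the
# conditions this thread ended up blaming, and read current_peer lines
# from "show crypto sa" output. All sample input below is constructed.
import ipaddress
import re


def _net(ip, mask):
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def check_vpn_config(config_text):
    """Return a list of (code, message) findings for a PIX 6.3 config text."""
    inside_net = pool = nat0_acl = None
    split_acls = {}          # vpngroup name -> split-tunnel ACL name
    nat_t = sysopt = False

    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address inside (\S+) (\S+)$", line):
            inside_net = _net(m[1], m[2])
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            pool = (m[1], ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            nat0_acl = m[1]
        elif m := re.match(r"vpngroup (\S+) split-tunnel (\S+)$", line):
            split_acls[m[1]] = m[2]
        elif line.startswith("isakmp nat-traversal"):
            nat_t = True
        elif line == "sysopt connection permit-ipsec":
            sysopt = True

    findings = []
    if not nat_t:
        findings.append(("NAT-T", "no 'isakmp nat-traversal' line: clients behind "
                         "NAT/PAT complete IKE but pass no traffic (posts #2, #11)"))
    if pool and inside_net and (pool[1] in inside_net or pool[2] in inside_net):
        findings.append(("POOL", f"pool {pool[0]} overlaps inside subnet {inside_net}; "
                         "use a pool outside it and let the default route carry it (#7)"))
    for group, acl in split_acls.items():
        if acl == nat0_acl:
            findings.append(("ACL", f"vpngroup {group} split-tunnel reuses nat 0 ACL "
                             f"'{acl}'; the thread reports this failing on 6.3, so "
                             "define a separate split-tunnel ACL (#12)"))
    if sysopt:
        findings.append(("SYSOPT", "sysopt connection permit-ipsec bypasses interface "
                         "ACLs for IPsec traffic; drop it if the ACLs already permit "
                         "the VPN traffic, for finer-grained control (#14)"))
    return findings


def nat_peer_hints(show_crypto_sa_text):
    """Peers whose IKE port is not 500 arrive through a port-rewriting NAT/PAT."""
    hints = []
    for m in re.finditer(r"current_peer:\s*(\d+\.\d+\.\d+\.\d+):(\d+)", show_crypto_sa_text):
        if m[2] != "500":
            hints.append(f"peer {m[1]} seen on UDP port {m[2]} rather than 500: "
                         "behind NAT/PAT, needs isakmp nat-traversal")
    return hints


# Constructed config: the OP's posted lines plus an ASSUMED inside address
# and an ASSUMED nat 0 line that uses the same ACL as the split tunnel.
BROKEN_CFG = """\
ip address inside 192.168.20.1 255.255.255.0
access-list nonatinside permit ip 192.168.20.0 255.255.255.0 192.168.21.0 255.255.255.0
nat (inside) 0 access-list nonatinside
ip local pool clientpool 192.168.21.10-192.168.21.25
sysopt connection permit-ipsec
crypto ipsec transform-set a-transform esp-3des esp-md5-hmac
vpngroup testlogin address-pool clientpool
vpngroup testlogin split-tunnel nonatinside
"""

# The same config after the fixes from posts #11 and #12 (sysopt left in place).
FIXED_CFG = BROKEN_CFG.replace(
    "vpngroup testlogin split-tunnel nonatinside",
    "access-list splittunnel permit ip 192.168.20.0 255.255.255.0 192.168.21.0 255.255.255.0\n"
    "vpngroup testlogin split-tunnel splittunnel",
) + "isakmp nat-traversal 20\n"

# Constructed "show crypto sa" excerpt using documentation addresses.
SHOW_CRYPTO_SA = """\
   current_peer: 198.51.100.7:500
   current_peer: 203.0.113.25:6
"""

if __name__ == "__main__":
    for code, msg in check_vpn_config(BROKEN_CFG):
        print(f"[{code}] {msg}")
    print("fixed:", [code for code, _ in check_vpn_config(FIXED_CFG)])
    for hint in nat_peer_hints(SHOW_CRYPTO_SA):
        print(hint)
```

    On the constructed broken config the lint reports NAT-T, ACL and SYSOPT; after the two fixes only the SYSOPT note remains, which is informational in the sense of post #14: whether to keep the bypass depends on whether the interface ACLs already permit the VPN traffic.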