CLIENT VPN connection OK & PING OK but no INTERNET or LAN

Similar Questions

• The VPN client VPN connection behind other PIX PIX

  I have the following problem:

  I wanted to establish the VPN connection the client VPN to PIX on GPRS / 3G, but I didn t have a bit of luck with PIX IOS version 6.2 (2).

  So I upgraded PIX to 6.3 (4) to use NAT - T and VPN client to version 4.0.5

  I have configured PIX with NAT-T(isakmp nat-traversal 20), but I still had a chance, he would not go through the 1st phase. As soon as I took nat-traversal isakmp off he started working, and we can connect to our servers.

  Now, I want to connect to the VPN client behind PIX to our customer PIX network. VPN connection implements without problem, but we can not access the servers. If I configure NAT - T on the two PIX, or only on the customer PIX or only on our PIX, no VPN connection at all.

  If I have to connect VPN client behind PIX to the customer's network and you try to PING DNS server for example, on our PIX, I have following error:

  305006: failed to create of portmap for domestic 50 CBC protocol translation: dst outside:194.x.x.x 10.10.1.x

  194.x.x.x is our customer s address IP PIX

  I understand that somewhere access list is missing, but I can not understand.

  Of course, I can configure VPN site to site, but we have few customers and take us over their servers, so it'd just connect behind PIX VPN and client connection s server, instead of the first dial-in and then establish a VPN connection.

  Can you please help me?

  Thank you in advan

  The following is extracted from ASK THE DISCUSSION FORUM of EXPERTS with Glenn Fullage of Cisco.

  I've cut and pasted here for you to read, I think that the problem mentioned below:

  Question:

  Hi Glenn,.

  Following is possible?

  I have the vpn client on my PC, my LAN is protected by a pix. I can launch the vpn client to connect to remote pix. Authenticates the vpn client and the remote pix makes my PC with the assigned ip appropriate to its pool of ip address.

  The problem that I am facing is that I can not anything across the pix remote ping from my PC which is behind my pix. Can you please guide me what I have to do to make this work, if it is possible?

  My PC has a static ip address assigned with the default gateway appropriate pointing to my s pix inside interface.

  Thank you very much for any help provided in advance.

  Response from Glenn:

  First of all, make sure that the VPN connection works correctly when the remote PC is NOT behind a PIX. If that works fine, but then breaks when put behind a PIX, it is probably that the PIX is PAT, which usually breaks IPSec. Add the following command on your PIX VPN client is behind:

  fixup protocol esp-ike

  See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379 for more details.

  If it still has issues, you can turn on NAT - T on the remote PIX that ends the VPN, the client and the remote PIX must encapsulate then all IPSec in UDP packets that your PIX will be able to PA correctly. Add the following command on the remote PIX:

  ISAKMP nat-traversal

  See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312 for more details.

  NAT - T is a standard for the encapsulation of the UDP packets inot IETF IPSec packets.

  ESP IPSec (Protocol that use your encrypted data packets) is an IP Protocol, it is located just above IP, rather than being a TCP or UDP protocol. For this reason, it has no TCP/UDP port number.

  A lot of features that make the translation of address of Port (PAT) rely on a single to PAT TCP/UDP source port number ' ing. Because all traffic is PAT would be at the same source address, must be certain uniqueness to each of its sessions, and most devices use the port number TCP/UDP source for this. Because IPSec doesn't have one, many features PAT fail to PAT it properly or at all, and the data transfer fails.

  NAT - T is enabled on both devices of the range, they will determine during the construction of the tunnel there is a PAT/NAT device between them, and if they detect that there is, they automatically encapsulate every IPSec packets in UDP packets with a port number of 4500. Because there is now a port number, PAT devices are able to PAT it correctly and the traffic goes normally.

  Hope that helps.

• I have created a VPN connection and it worked but you can't see how to remove Windows 7.

  Delete the VPN connection

  I have created a VPN connection and it worked but you can't see how to remove Windows 7.  I tried rt-click but no delete option.

  Open network and sharing Center. On the left side, click on change adapter settings. You will get all VPN connections that have been created and you can delete what you don't need.

• Connection to the local but no Internet (CABLE)

  I am currently using a cable connection to connect to the internet. Yesterday after uninstalling ZoneAlarm and SuperAnti Spyware my computer connect to the internet.  The box works properly because my phone line crosses and it works. Usually, if there is a problem with the actual adapter (box), that the phone will not work. I have reset the box many times, turned off for 30 minutes and reconnected. All the indicators show that the adapter is connected and functional. But my internet is not working.

  I also have:

  1. Tried ipconfig/release / renew restarted.  It says media disconnected however the link blinks on my cable adapter. It doesn't have an IP address. "Media State...: media disconnected > connection - specific suffix DNS.:" He also says disabled BIOS.
  2. I also tried EasyTether as an alternate. The connection is done however I can't access the internet.
  3. I've updated all the drivers of network, they seem to work correctly, there is not! or X (yellow or red) beside him. Ipv4 and the IPv 6 are verified.
  4. I tried disabling my firewall.
  5. Fact that I clicked on lan settings-it says 'autodetect' and this proxy server box was NOT checked

  Nothing seems to work I'm about to throw the computer out the window. Help, please!

  Hello

  Try this process.

  http://www.ezlan.NET/clean.html#refreshnet

  Jack-MVP Windows Networking. WWW.EZLAN.NET

• WRTG54S to connect to the network, but not internet

  I have a WRTG54S and Mediacom 12mbps. My router worked fine on my old laptop (a Dell Vista), he was sitting in a box for about 6 months and now that I have a new (Sony running 7) I can connect to my network, but not internet. I have updated the firmware of 7.6 to 7.8 without change. I have tried no security, wep and wap without change. Also, I cloned the MAC, once again no change. Windows cannot detect all problems, and when I try to activate the router to connect to the internet it always says connection failed. I can connect directly connected to the modem but not when connected to the router or wireless. Any ideas? Thank you

  Problem solved. I had to go to a Motorola SurfBoard 4100 to a 5100. Thanks anyway

• Client VPN connects but cannot ping all hosts

  Here is the configuration of a PIX 501, which I want to accept connections from the VPN software clients.  I can connect successfully to the PIX using the 5.0.0.7.0290 VPN client and I can ping the PIX to 192.168.5.1, but I can't ping or you connect to all hosts behind the PIX.  Can someone tell me what Miss me in my setup?

  Thanks for your help.

  Chi - pix # sh conf
  : Saved
  : Written by enable_15 at 03:49:39.701 UTC Friday, January 1, 1993
  6.3 (3) version PIX
  interface ethernet0 car
  interface ethernet1 100full
  ethernet0 nameif outside security0
  nameif ethernet1 inside the security100
  activate the encrypted password
  encrypted passwd
  hostname chi - pix
  .com domain name
  fixup protocol dns-length maximum 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol they 389
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol 2000 skinny
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names of
  list-access internet-traffic ip 192.168.5.0 allow 255.255.255.0 any
  Allow Access-list allowed a whole icmp ping
  access-list 101 permit ip 192.168.5.0 255.255.255.0 10.10.11.0 255.255.255.0
  access-list 102 permit ip 192.168.5.0 255.255.255.0 10.10.11.0 255.255.255.0
  pager lines 24
  opening of session
  debug logging in buffered memory
  ICMP deny everything outside
  Outside 1500 MTU
  Within 1500 MTU
  IP address outside pppoe setroute
  IP address inside 192.168.5.1 255.255.255.0
  alarm action IP verification of information
  alarm action attack IP audit
  IP local pool ippool 10.10.11.1 - 10.10.11.254
  PDM logging 100 information
  history of PDM activate
  ARP timeout 14400
  Global 1 interface (outside)
  NAT (inside) - 0 102 access list
  NAT (inside) 1 list-access internet-traffic 0 0
  group-access allowed to ping in external interface
  Timeout xlate 0:05:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
  Timeout, uauth 0:05:00 absolute
  GANYMEDE + Protocol Ganymede + AAA-server
  RADIUS Protocol RADIUS AAA server
  AAA-server local LOCAL Protocol
  No snmp server location
  No snmp Server contact
  SNMP-Server Community public
  No trap to activate snmp Server
  enable floodguard
  Permitted connection ipsec sysopt
  Crypto ipsec transform-set esp - esp-md5-hmac GvnPix-series
  Crypto-map dynamic dynmap 10 GvnPix-set transform-set
  toGvnPix 10 card crypto ipsec-isakmp dynamic dynmap
  toGvnPix interface card crypto outside
  ISAKMP allows outside
  ISAKMP key * address 0.0.0.0 netmask 0.0.0.0
  ISAKMP keepalive 60
  ISAKMP nat-traversal 20
  part of pre authentication ISAKMP policy 9
  encryption of ISAKMP policy 9
  ISAKMP policy 9 md5 hash
  9 2 ISAKMP policy group
  ISAKMP policy 9 life 86400
  vpngroup address ippool pool chiclient
  vpngroup dns 192.168.5.1 Server chiclient
  vpngroup wins 192.168.5.1 chiclient-Server
  vpngroup chiclient com default domain
  vpngroup split tunnel 101 chiclient
  vpngroup idle 1800 chiclient-time
  vpngroup password chiclient *.
  Telnet 0.0.0.0 0.0.0.0 inside
  Telnet timeout 30
  SSH 0.0.0.0 0.0.0.0 outdoors
  SSH timeout 30
  management-access inside
  Console timeout 0
  VPDN group chi request dialout pppoe
  VPDN group chi net localname
  VPDN group chi ppp authentication pap
  VPDN username password net *.
  dhcpd address 192.168.5.2 - 192.168.5.33 inside
  dhcpd dns xx
  dhcpd rental 86400
  dhcpd ping_timeout 750
  dhcpd outside auto_config
  dhcpd allow inside
  Terminal width 100
  Cryptochecksum:
  Chi - pix #.

  On the PIX configuration seems correct.

  I guess you try to access hosts in 192.168.5.0/24, and these default hosts is the PIX inside interface 192.168.5.1?

  How you try to access these internal hosts? If you try to ping the hosts, please please make sure there is no personal firewall enabled inside welcomes as personal firewall normally doesn't allow incoming connections from different subnet ip address.

• Client VPN connectivity problems

  I use the cisco VPN client to connect to our network, located behind a 515E. The client is authenticated and gets an ip address but cannot ping or connect with one of the hosts. The connection is to a network of customers that is also behind a 515E. I have successfully connected using the same policy to other places and have had no problem. What confuses me, is that we have used to have a Netscreen firewall before and he had a netscreen vpn client which connected since their network with a problem. Is that something they need for their firewall so that we can get through the traffic?

  Try to turn on NAT - T on your pix, by setting up:

  ISAKMP nat-traversal 20

  and configure the client vpn accordingly:

  http://www.Cisco.com/warp/public/471/cvpn_3k_nat.html#conf_client

  I think these discussions are useful:

  http://Forum.Cisco.com/eForum/servlet/NetProf?page=NetProf&Forum=virtual%20Private%20Networks&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd7dda4

  http://Forum.Cisco.com/eForum/servlet/NetProf?page=NetProf&Forum=virtual%20Private%20Networks&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd7fe80

• Connect to the router but no internet.

  I use windows xp and netgear wireless router.till yesterday I browse the internet.from today morning, I'm not in a position to communicate the internet.but it will connect to the linksys router not internet.i can ping default gateway.but, that I can't browse the firewall disabled net.i. What is the problem?

  Hello

  1. what exactly happens when you try to connect to the Internet?

  2. you get any error message?

  I suggest you to follow the steps from the link below and check if it helps.

  Method 1 : in the Windows wireless network connection problems:
  http://Windows.Microsoft.com/en-us/Windows/help/wired-and-wireless-network-connection-problems-in-Windows

  Method 2: Try to run fix it from the link below:

  http://support.Microsoft.com/kb/811259

  Hope this information is useful.

• Acer Aspire one laptop has full connection to the router but no internet, wii is router connected work properly__

  under the heading of ipconfig/all says media disconnected and NO active dhcp, LAN will work wireless connected but NO internet

  Hi jmoraski8,

  Try these steps and check the result.
  Step 1: Dynamic Host Configuration Protocol (DHCP) lease renewal
  a. Click Start, click Run, type cmd and click ok.
  b. at the command prompt, type ipconfig / renew
  c. Close command prompt.
  d. check the result.

  Step 2: Check obtain an IP address automatically
  a. open Internet Explorer, go to tools > Internet Options > connections > LAN settings > uncheck all boxes except "automatically detect connection settings.
  b. click ok to apply the changes.
  c. check to see if the problem persists.

  Step 3: If the problem persists, repair network connections
  a. see the repair network connections
  b. check if the problem persists.

  Visit our Microsoft answers feedback Forum and let us know what you think.

• Client VPN connects but not internal LAN access or Ping

  Hi all.

  I'm new on this forum and kindly asking for your help because I'm stuck.

  I have an ADSL router cisco 877 which I configured easy VPN server.
  Now the Cisco VPN client ver 5.0 to connect successfully to the VPN server, but when you try to access/ping computers on the internal network, there is no response.

  The configuration is below. Please let know us where I was going or what I missed.
  [code]

  Building configuration...

  Current configuration: 4574 bytes
  !
  version 12.4
  no service button
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  encryption password service
  !
  boot-start-marker
  boot-end-marker
  !
  enable secret 5 $1$ $86dn J8HrK9kCQ8G9aPAm6xe4o1
  enable password 7 13151601181B54382F
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  AAA authentication login internal_affairs_vpn_1 local
  AAA authorization exec default local
  AAA authorization internal_affairs_vpn_group_1 LAN
  !
  !
  AAA - the id of the joint session
  !
  Crypto pki trustpoint TP-self-signed-2122144568
  enrollment selfsigned
  name of the object cn = IOS - Self - signed - certificate - 2122144568
  revocation checking no
  rsakeypair TP-self-signed-2122144568
  !
  !
  TP-self-signed-2122144568 crypto pki certificate chain
  self-signed certificate 03
  30820248 308201B 1 A0030201 02020103 300 D 0609 2A 864886 F70D0101 04050030
  2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
  69666963 32313232 31343435 6174652D 3638301E 170 3032 30333032 32303537
  31375A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
  4F532D53 5369676E 656C662D 43 65727469 66696361 74652 32 31323231 65642D
  34343536 3830819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
  8100D3EA 07EC5D66 F4DD8ACC 5540BDBE 009B3C26 598EC99C D99D935A 51292F96
  F495E5A9 8D012B0E 73EA7639 3B 586799 187993F5 ED9CA31C 788756DD 6BDB1B2B
  4D7AA7F0 B07CF82F F2A29E86 E18B442C 550E22D2 E92D9914 105B7D59 253BBEA1
  D84636B4 A4B4B300 7946CE84 E9A63D2E 7789B03A 6ADDB04E B21EC207 CCFEAE0B
  30 HAS A 50203 010001, 3 1 130101 301B 0603 030101FF FF040530 0F060355 70306E30
  551 1104 14301282 10494E54 45524E41 4C5F4146 46414952 53301F06 03551D 23
  04183016 8014FA0F B3C9C651 7FD91EFA 3F63EAE8 6C83C80D 8AE2301D 0603551D
  0E041604 14FA0FB3 C9C6517F D91EFA3F 63EAE86C 83C80D8A E2300D06 092A 8648
  86F70D01 01040500 03818100 A1026DDC C91CAEB2 3C62AF92 D6B25EB2 CA 950, 920
  313BCF26 4A35B039 A4F806A0 8CB54D11 6AF1ABAA A770604B 4403F345 0351361B
  E2CF2950 26974F4A 95951862 401A4F76 C816590C 2FFCB115 9A8B3E96 4373FFE1
  33D744F7 E0FDDE61 B5B48497 9516C3C6 A3157957 C621668E A83B5E33 2420F962
  9142DD9E B6E9D74A 899A 9653
  quit smoking
  dot11 syslog
  IP cef
  No dhcp use connected vrf ip
  DHCP excluded-address IP 10.10.10.1
  !
  IP dhcp pool dhcplan
  Network 10.0.0.0 255.0.0.0
  DNS-server 196.0.50.50 81.199.21.94
  default router 10.10.10.1
  Rental 7
  !
  !
  property intellectual auth-proxy max-nodata-& 3
  property intellectual admission max-nodata-& 3
  name of the IP-server 81.199.21.94
  !
  !
  !
  VPN username password 7 095A5E07
  username fred privilege 15 password 7 1411000E08
  username ciscovpn password 7 01100F175804101F2F
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  !
  ISAKMP crypto client configuration group internal_affairs_vpn
  key *.
  DNS 196.0.50.50 81.199.21.94
  pool ippool
  ACL 108
  !
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
  !
  Crypto-map dynamic internal_affairs_DYNMAP_1 10
  Set transform-set RIGHT
  market arriere-route
  !
  !
  card crypto client internal_affairs_CMAP_1 of authentication list internal_affairs_vpn
  card crypto isakmp authorization list internal_affairs_vpn_group_1 internal_affairs_CMAP_1
  client configuration address card crypto internal_affairs_CMAP_1 answer
  ipsec 10-isakmp crypto map internal_affairs_CMAP_1 Dynamics internal_affairs_DYNMAP_1
  !
  Archives
  The config log
  hidekeys
  !
  !
  !
  Bridge IRB
  !
  !
  interface Loopback0
  2.2.2.2 the IP 255.255.255.255
  !
  ATM0 interface
  no ip address
  ATM vc-per-vp 512
  No atm ilmi-keepalive
  PVC 0/32
  aal5snap encapsulation
  Protocol ip inarp
  !
  DSL-automatic operation mode
  Bridge-Group 1
  !
  interface FastEthernet0
  !
  interface FastEthernet1
  !
  interface FastEthernet2
  !
  interface FastEthernet3
  !
  interface Vlan1
  description of the local lan interface
  IP 10.10.10.1 255.0.0.0
  IP nat inside
  IP virtual-reassembly
  !
  interface BVI1
  internet interface Description
  IP 197.0.4.174 255.255.255.252
  NAT outside IP
  IP virtual-reassembly
  internal_affairs_CMAP_1 card crypto
  !
  IP local pool ippool 192.168.192.1 192.168.192.200
  IP forward-Protocol ND
  IP route 0.0.0.0 0.0.0.0 196.0.4.173
  !
  IP http server
  local IP http authentication
  IP http secure server
  IP nat inside source list interface BVI1 NAT overload
  IP nat inside source static tcp 2.2.2.2 23 23 BVI1 interface
  !
  NAT extended IP access list
  allow an ip
  !
  access-list 108 allow ip 10.0.0.0 0.255.255.255 192.168.192.0 0.0.0.255
  !
  !
  !
  control plan
  !
  Bridge Protocol ieee 1
  1 channel ip bridge
  !
  Line con 0
  password 7 0216054818115F3348
  no activation of the modem
  line to 0
  line vty 0 4
  password 7 06160E325F59590B01
  !
  max-task-time 5000 Planner
  end

  Since this is a named ACL, you need to change ACL configuration mode:

  NAT extended IP access list

  Then, make the changes.

  Federico.

• Client VPN connects but no IP traffic is passed...

  I have a user in a hotel, his laptop was works well on remote connections previously, he gets the lock when it connects, but no IP traffic is passed. Is it pings it gets "host unreachable". I think he's behind a firewall of hotel, but nothing else that I can check to confirm? I was going to put the new client available for download (internet access works very well), he performs a version 4.7. I also tested his connection on a profile box test and it worked fine.

  UM... so it is able to authenticate so I don't think that he coulkd be blocked... double check you are using have traversed nat enabled on your PIX...

  ISAKMP nat-traversal 20

  I hope that helps... Rate if he does!

• Access remote vpn connects to the 5505 but cannot ping servers

  I have a cisco 5505 and trying to set it up with 6.4 AMPS.

  My vpn client connects ok to the network but I'm unable to reach one of the servers.

  I'm sure it's a simple configuration issue, as I don't have much experience with Cisco Configuration.

  Any suggestions on where to find would be very appreciated.

  Thanks in advance

  Graham

  Hi Graham,

  Please, add the following command:

  Inside_nat0_outbound to access extended list ip 192.168.100.0 allow 255.255.255.0 192.168.100.0 255.255.255.0

  Thank you.

  Portu.

• How to limit the client VPN connection time in Router2821

  I have install a cisco router with VPN (client) 2821 and it works very well.

  All the configurations that I did via CLI

  But I want a customer to have vpn user:

  Connection time maximum 30 min

  Maximum idle time 15 min

  Where should I put this command?

  Kind regards!

  Hi Lasandro,

  Looks like max connect timer is not yet available, but the timeout is.

  You can configure in the dynamic plan using the command 'set security association idle-timeout' .

  Or apply globally with periods of inactivity of 60secs just to check:

  "crypto ipsec security association idle time 60.

  HTH.

  Portu.

  Please note all useful messages.

• AnyConnect VPN connects to the work but not the House

  Hello

  I tried searching for this problem, but I have not found something that I think applies to this situation.

  A University that I work uses a vpn ssl with Anyconnect and while in my office at another University, I can easily connect (even through a firewall). However, at home I can not connect.  If I connect to the webvpn then the connection hangs at the part where the installation program is to analyze the computer and nothing happens.  If I open the program Anyconnect sslvpn address in the login field and I get a time-out error.

  I tried to disable the windows firewall and my antivirus, but this is not enough, and not that he should, since both are active while at my desk. I also tried connecting via ethernet and wireless at home.

  OS: Windows 7 64-bit

  Thank you very much for your help!

  We started to see a similar problem a few weeks ago and concluded that when not at the office, users must uncheck the proxy configuration in Internet Explorer before AnyConnect works.  Once they VPN, they must of course activate the setting back on proxy.

  So far we can say, IE started to cache the proxy.pac and use it when the user is not connected to the corporate network.  We are still investigating but would be interested in hearing if this affects others now, and if this is a recent problem for them.

• PC connected to the airport but no internet

  List Dear members, I'll put up a new wifi network in my laboratory using an airport Time Capsule 3 to (802.11ac). All Macs here are correctly attached to the base of the airport and have full internet access. However, two laptops with Windows 7 and 8.1 are connected to the airport base, but do not have access to the internet. The airport is configured with a fixed IP address from my DHCP router mode University. Could you please help me solve this problem? Thank you.

  First ping computer test windows laptop in a DOS command window.

  Ping the DNS servers of the University System. Ping Google's Public DNS servers. IE 8.8.8.8 and 8.8.4.4

  Tell us what is happening.

  If you can ping the google DNS, which is usually a good indication that the PC has got the wrong DNS values. So just use manual DNS Configuration in the laptop.

  If you cannot ping out of the United system but are ok internally you question gateway... Again check the IP of the bridge against the value Macs are gettings.