VPN client, lost connection
Hello
I pix506e here... and vpn clients connected.
But suddenly lost connection vpn client 40 minutes and then try to reconnect again but fail. If the vpn client restarts their pc/notebook...yes it can connected to vpn again... but the interruption of the connection again... then restart... and so on... What is the cause of this problem?
Thanks for the help
Tonny
All remote VPN clients are having the same problem or is it limited to just a few. If the problem is seen with only a few, it is quiet possible that the problem is not with the PIX of the customer. In addition, the DPO is enabled or not. DPD will cause tips to know an IPSec connection over, where the SAs flusing, allowing new being negotiate quickly.
Tags: Cisco Security
Similar Questions
-
VPN Client TCP connection to router IOS
Hello
I try to get a VPN client to connect via TCP to a router. I currently have the router put in place (and work) in using a VPN - UDP. Unfortunately one of the sites I visit will not allow VPN traffic outside of their firewall. I have searched all over the site of Cisco and can't find any information on the IOS configuration to accept TCP - VPN connections. I would like to change the TCP port 80, so my VPN traffic looks like just standard internet browsing my client firewall. Any links/pointer would be greatly appreciated.
Thanks in advance!
-Joe
Take a look at this:
http://www.Cisco.com/en/us/docs/iOS/12_2t/12_2t8/feature/guide/ftunity.html#wp1310210
http://www.Cisco.com/en/us/docs/iOS/12_2t/12_2t8/feature/guide/ftunity.html#wp1305478
http://www.Cisco.com/en/us/docs/iOS/12_2t/12_2t8/feature/guide/ftunity.html#wp1315635
Please rate if useful.
Concerning
Farrukh
-
Cisco vpn client to connect but can not access to the internal network
Hi all
I have a VPN configured on cisco 5540. My vpn was working fine, but suddenly there is a question that the cisco vpn client to connect but can not access to the internal network
Any help would be much appreciated.
Hi Samir,
I suggest that you go to the ASA and check the configuration to make sure that it complies with the requirements according to the reference below link:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml
(The link above includes split tunneling, but this is just an option.
Please paste the output of "sh cry ipsec his" here so that we can check if phase 2 is properly trained. I would say as you go to IPSEC vpn client on your PC and check increment in packets sent and received in the window 'status '.
Let me know if this can help,
See you soon,.
Christian V
-
506th PIX and VPN client - multiple connections connections
I have a PIX of the 506th (6.2) w/3DES license and 3.6.3 VPN client software. I'm only using group user name and password to authenticate. The first user login works fine. When the second user connects, the first is finished and the second works very well. The product turned on States I should be able to have 25 simultaneous connections or site to site or customer.
Any help will be greatly appreciated, Kyle
Are these two users on the same site, behind a device that makes PAT? If so, then this device is causing the problem, not the PIX. The device is unable to correctly translate the IPsec packets. Unfortunately nothing you can do about it on the PIX, although the next version of the software (6.3 to your calendar of March) will have NAT - T support (which the client currently supports). Once that support NAT - T both ends, they'll be able to say that there's a PAT instrument between the two and they will automatically encapsulate everything in the UDP packets, which your PAT instrument will be able to translate correctly.
-
VPN client - multiple connection possibilities?
Hi people,
My basic question is, Cisco VPN Client allows two simultaneous VPN connections at the same time?
I would like to implement the following:
Customer user (remote access VPN via Internet)--> Head Office c/o ASA 5520 pair--> (VPN remote access via Internet)--> pair of Branch Office ASA 5510 S + a/s
For example, to access the Branch Office system, the user must:
1. connect to the peer of Head Office ASA via Cisco VPN Client (the user/password authentication)
Head Office ASA peer gives an 172.16.1.x private IP address and is configured to route all requests for public office ASA IP through its own public IP address.
2. once Head Office VPN is established, the user establishes a SECOND VPN tunnel of the Cisco VPN client (user/password and focused on the cert auth)
I.e. branch sees the VPN connection try from the public IP address of Headquarters and therefore allows the VPN through the ACL traffic and allows the continuation of the VPN negotiations as usual. Customer is given another IP address private, 192.168.10.x.
Basically, I need to limit the remote access VPN branch to make it only accessible from Headquarters public IP address, no public IP address of the user (and therefore the entire internet).
I know this is an unusual configuration, and some will say on the sensitivity of security to allow two simultaneous VPN connections. These are the two networks of trust, strict ACL would be at stake and there is a long history behind this requirement...
Thanks in advance!
Alistair,
You can limit the access of VPN connections to branch by blocking connections on UDP ports 500, 4500 UDP and ESP and allowing him only from your home office. In this way, only the explicitly authorized public IP address of your home office would be able to connect to your remote sites by using an IPSec tunnel.
Now, on the second tunnel I don't think it's possible. As far I am aware you cannot have two connections to VPN at the same time of the same customer. The VPN will not let you do, it's mainly because when you have a VPN Client the VPN map session comes up and you can only one card virtual VPN.
Because I don't think it is possible I would advice to try something like this:
Could provide you the connectivity that you are looking for without needing a second tunnel VPN from the client side.
I hope this helps.
Raga
-
Get VPN client to connect, but request timed out when ping
Hi, I use the router Cisco 837 as my VPN server. I am connected using Cisco VPN Client Version 5. But when I ping the ip of the router, I have request timed out. Here is my configuration:
Building configuration... Current configuration : 3704 bytes ! version 12.4 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname michael ! boot-start-marker boot-end-marker ! memory-size iomem 5 no logging console enable secret 5 $1$pZLW$9RZ8afI8QdGRq0ssaEJVu0 ! aaa new-model ! ! aaa authentication login default local aaa authentication login sdm_vpn_xauth_ml_1 local aaa authorization exec default local aaa authorization network sdm_vpn_group_ml_1 local ! aaa session-id common ! resource policy ! ip subnet-zero no ip dhcp use vrf connected ip dhcp excluded-address 192.168.1.1 ! ip dhcp pool michael network 192.168.1.0 255.255.255.0 default-router 192.168.1.1 dns-server 202.134.0.155 ! ip dhcp pool excluded-address host 192.168.1.4 255.255.255.0 hardware-address 01c8.d719.957a.b9 ! ! ip cef ip name-server 202.134.0.155 ip name-server 203.130.193.74 vpdn enable ! ! ! ! username michael privilege 15 secret 5 $1$ZJQu$KDigCvYWKkzuzdYHBEY7f. username danny privilege 10 secret 5 $1$BDs.$Ez0u9wY7ywiBzVd1ECX0N/ ! ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp xauth timeout 15 ! crypto isakmp client configuration group michaelvpn key vpnpassword pool SDM_POOL_1 acl 199 netmask 255.255.255.0 ! ! crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac ! crypto dynamic-map SDM_DYNMAP_1 1 set transform-set ESP-3DES-SHA ! ! crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1 crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1 crypto map SDM_CMAP_1 client configuration address respond crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 ! ! ! interface Ethernet0 description $FW_INSIDE$ ip address 192.168.1.1 255.255.255.0 ip nat inside ip virtual-reassembly ip tcp adjust-mss 1452 hold-queue 100 out ! interface Ethernet2 no ip address shutdown hold-queue 100 out ! interface ATM0 no ip address no atm ilmi-keepalive dsl operating-mode auto pvc 0/35 pppoe-client dial-pool-number 1 ! ! interface FastEthernet1 duplex auto speed auto ! interface FastEthernet2 duplex auto speed auto ! interface FastEthernet3 duplex auto speed auto ! interface FastEthernet4 duplex auto speed auto ! interface Virtual-PPP1 no ip address ! interface Dialer1 description $FW_OUTSIDE$ mtu 1492 ip address negotiated ip nat outside ip virtual-reassembly encapsulation ppp dialer pool 1 ppp chap hostname ispusername ppp chap password 0 isppassword ppp pap sent-username ispusername password 0 isppassword crypto map SDM_CMAP_1 ! ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5 ip classless ip route 0.0.0.0 0.0.0.0 Dialer1 ip http server no ip http secure-server ! ip nat inside source static udp 192.168.1.0 1723 interface Dialer1 1723 ip nat inside source static tcp 192.168.1.4 21 interface Dialer1 21 ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload ! access-list 1 remark SDM_ACL Category=16 access-list 1 permit 192.0.0.0 0.255.255.255 access-list 102 remark SDM_ACL Category=2 access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 access-list 102 permit ip 192.168.1.0 0.0.0.255 any access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 route-map SDM_RMAP_1 permit 1 match ip address 102 ! ! control-plane ! banner motd ^C Authorized Access Only UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED You must have explicit permission to access this device. All activities performed on this device are logged. Any violations of access policy will result in disciplinary action. ^C ! line con 0 no modem enable line aux 0 line vty 0 4 ! scheduler max-task-time 5000 end
Thank you, anny help will be appreciated.
Hi Michael,
I have been through the newspapers, they are not conclusive and only detrmine that Phase 1 is coming. However according to this error message % SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr = 81B50AD8, count = 0 we are hiiting a bug on ios. The id of the bug is CSCsl24693 and the solution is to switch to 12.4 (11) XJ.
Can you re-execute him debugs and send me the detailed results.
Kind regards
Aman
-
Hello
just a quick,
TOPOLOGY
ASA isps1 - 197.1.1.1 - outside
ASA ISP2 - 196.1.1.1 - backup
LAN IP - 192.168.202.100 - inside
I have configured Tunnel on the interfaces (external and backup), but is to link both legs public to serve a thare as redundancy for vpn users and users of the vpn tunnel leave pointing inside IP whenever they want to establish vpn sssion, we want it to be one, so if an interface fails vpn users will not know , but he will try the second for the connection. instead of creating the profile for the two outside of the leg on the vpn client.
is this possible?
Hi Rammany.
In your case, you have only an ASA that connects with 2 ISP in another segment IP... 196.x.x.x (Link1) & 197.x.x.x (Link2). What your condition is you want to have the VPN client who must be consulted with backup. If 196.x.x.x link fails, it should automatically take 197.x.x.x link. That too we should not have the config set in the VPN client backup server. You don have the possibility of having standby active also in asa single.
I think n so it will work with your current design.
This option is if your VPN client supports host name resolution (DNS). You can have the VPN created for both the public IP address share the same host name keeping the bond as the primary address 1 and 2 a secondary address. It will work alone.
Hope someother experts in our forum can help you with that.
-
RV082 VPN Client can connect only for 6 minutes
Hello
I have a RV082 with firmware 1.3.98 - tm.
The problem I have is that a Client with Windows XP SP3 can connect only for 6 minutes exactly.
In addition, a windows appears on the client saying that the remote system is not respoding and asking to wait or not.
We have also applied fix for Windows XP described here:
http://www.linksys.com/servlet/Satellite?blobcol=urldata&blobheadername1=Content-Type&blobheadername2=Content-Disposition&blobheadervalue1=text%2Fplain&blobheadervalue2=inline%3B+filename%3DQVPN%2BClient%2Bv1.2.11%2BRelease%2BNote.txt&blobkey=id&blobtable=MungoBlobs&blobwhere=1193800512161&ssbinary=true&lid=3723833685B09
http://support.Microsoft.com/kb/889527/en-us
I have restart the RV082. What can I do else?
Thank you very much
Oliver
The problem was the NAT in the ADSL modem. I tryied changing the ADSL modem and the problem is solved.
Thank you
Oliver
-
Hello
I don't know what could be held, vpn users can ping to the outside and inside of the Cisco ASA interface but can not connect to servers or servers within the LAN ping.
is hell config please kindly and I would like to know what might happen.
hostname horse
domain evergreen.com
activate 2KFQnbNIdI.2KYOU encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
ins-guard
!
interface GigabitEthernet0/0
LAN description
nameif inside
security-level 100
192.168.200.1 IP address 255.255.255.0
!
interface GigabitEthernet0/1
Description CONNECTION_TO_FREEMAN
nameif outside
security-level 0
IP 196.1.1.1 255.255.255.248
!
interface GigabitEthernet0/2
Description CONNECTION_TO_TIGHTMAN
nameif backup
security-level 0
IP 197.1.1.1 255.255.255.248
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
No nameif
no level of security
no ip address
management only
!
boot system Disk0: / asa844-1 - k8.bin
boot system Disk0: / asa707 - k8.bin
passive FTP mode
clock timezone WAT 1
DNS server-group DefaultDNS
domain green.com
network of the NETWORK_OBJ_192.168.2.0_25 object
Subnet 192.168.2.0 255.255.255.128
network of the NETWORK_OBJ_192.168.202.0_24 object
192.168.202.0 subnet 255.255.255.0
network obj_any object
subnet 0.0.0.0 0.0.0.0
the DM_INLINE_NETWORK_1 object-group network
object-network 192.168.200.0 255.255.255.0
object-network 192.168.202.0 255.255.255.0
the DM_INLINE_NETWORK_2 object-group network
object-network 192.168.200.0 255.255.255.0
object-network 192.168.202.0 255.255.255.0
access-list extended INSIDE_OUT allow ip 192.168.202.0 255.255.255.0 any
access-list extended INSIDE_OUT allow ip 192.168.200.0 255.255.255.0 any
Access extensive list permits all ip a OUTSIDE_IN
gbnlvpntunnel_splitTunnelAcl standard access list allow 192.168.200.0 255.255.255.0
standard access list gbnlvpntunnel_splitTunnelAcl allow 192.168.202.0 255.255.255.0
gbnlvpntunnell_splitTunnelAcl standard access list allow 192.168.200.0 255.255.255.0
standard access list gbnlvpntunnell_splitTunnelAcl allow 192.168.202.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
backup of MTU 1500
mask of local pool VPNPOOL 192.168.2.0 - 192.168.2.100 IP 255.255.255.0
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm-645 - 206.bin
don't allow no asdm history
ARP timeout 14400
NAT (inside, outside) static source NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination
NAT (inside, backup) static source NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination
NAT (inside, outside) static source DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination
NAT (inside, backup) static source DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination
!
network obj_any object
dynamic NAT interface (inside, backup)
Access-group interface inside INSIDE_OUT
Access-group OUTSIDE_IN in interface outside
Route outside 0.0.0.0 0.0.0.0 196.1.1.2 1 track 10
Route outside 0.0.0.0 0.0.0.0 197.1.1.2 254
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.200.0 255.255.255.0 inside
http 192.168.202.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
monitor SLA 100
type echo protocol ipIcmpEcho 212.58.244.71 interface outside
Timeout 3000
frequency 5
monitor als 100 calendar life never start-time now
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
backup_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
backup of crypto backup_map interface card
Crypto ikev1 allow outside
Crypto ikev1 enable backup
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
!
track 10 rtr 100 accessibility
Telnet 192.168.200.0 255.255.255.0 inside
Telnet 192.168.202.0 255.255.255.0 inside
Telnet timeout 5
SSH 192.168.202.0 255.255.255.0 inside
SSH 192.168.200.0 255.255.255.0 inside
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 15
SSH group dh-Group1-sha1 key exchange
Console timeout 0
management-access inside
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal group vpntunnel strategy
Group vpntunnel policy attributes
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list vpntunnel_splitTunnelAcl
field default value green.com
internal vpntunnell group policy
attributes of the strategy of group vpntunnell
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list gbnlvpntunnell_splitTunnelAcl
field default value green.com
Green user name encrypted BoEFKkDtbnX5Uy1Q privilege 15 password
attributes of user name THE
VPN-group-policy gbnlvpn
tunnel-group vpntunnel type remote access
tunnel-group vpntunnel General attributes
address VPNPOOL pool
strategy-group-by default vpntunnel
tunnel-group vpntunnel ipsec-attributes
IKEv1 pre-shared-key *.
type tunnel-group vpntunnell remote access
tunnel-group vpntunnell General-attributes
address VPNPOOL2 pool
Group Policy - by default-vpntunnell
vpntunnell group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns migrated_dns_map_1
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:7c1b1373bf2e2c56289b51b8dccaa565
Hello
1 - Please run these commands:
"crypto isakmp nat-traversal 30.
"crypto than dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 Road opposite value.
The main issue here is that you have two roads floating and outside it has a better than backup metric, that's why I added the command 'reverse-road '.
Please let me know.
Thank you.
-
The VPN client VPN connection behind other PIX PIX
I have the following problem:
I wanted to establish the VPN connection the client VPN to PIX on GPRS / 3G, but I didn t have a bit of luck with PIX IOS version 6.2 (2).
So I upgraded PIX to 6.3 (4) to use NAT - T and VPN client to version 4.0.5
I have configured PIX with NAT-T(isakmp nat-traversal 20), but I still had a chance, he would not go through the 1st phase. As soon as I took nat-traversal isakmp off he started working, and we can connect to our servers.
Now, I want to connect to the VPN client behind PIX to our customer PIX network. VPN connection implements without problem, but we can not access the servers. If I configure NAT - T on the two PIX, or only on the customer PIX or only on our PIX, no VPN connection at all.
If I have to connect VPN client behind PIX to the customer's network and you try to PING DNS server for example, on our PIX, I have following error:
305006: failed to create of portmap for domestic 50 CBC protocol translation: dst outside:194.x.x.x 10.10.1.x
194.x.x.x is our customer s address IP PIX
I understand that somewhere access list is missing, but I can not understand.
Of course, I can configure VPN site to site, but we have few customers and take us over their servers, so it'd just connect behind PIX VPN and client connection s server, instead of the first dial-in and then establish a VPN connection.
Can you please help me?
Thank you in advan
The following is extracted from ASK THE DISCUSSION FORUM of EXPERTS with Glenn Fullage of Cisco.
I've cut and pasted here for you to read, I think that the problem mentioned below:
Question:
Hi Glenn,.
Following is possible?
I have the vpn client on my PC, my LAN is protected by a pix. I can launch the vpn client to connect to remote pix. Authenticates the vpn client and the remote pix makes my PC with the assigned ip appropriate to its pool of ip address.
The problem that I am facing is that I can not anything across the pix remote ping from my PC which is behind my pix. Can you please guide me what I have to do to make this work, if it is possible?
My PC has a static ip address assigned with the default gateway appropriate pointing to my s pix inside interface.
Thank you very much for any help provided in advance.
Response from Glenn:
First of all, make sure that the VPN connection works correctly when the remote PC is NOT behind a PIX. If that works fine, but then breaks when put behind a PIX, it is probably that the PIX is PAT, which usually breaks IPSec. Add the following command on your PIX VPN client is behind:
fixup protocol esp-ike
See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379 for more details.
If it still has issues, you can turn on NAT - T on the remote PIX that ends the VPN, the client and the remote PIX must encapsulate then all IPSec in UDP packets that your PIX will be able to PA correctly. Add the following command on the remote PIX:
ISAKMP nat-traversal
See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312 for more details.
NAT - T is a standard for the encapsulation of the UDP packets inot IETF IPSec packets.
ESP IPSec (Protocol that use your encrypted data packets) is an IP Protocol, it is located just above IP, rather than being a TCP or UDP protocol. For this reason, it has no TCP/UDP port number.
A lot of features that make the translation of address of Port (PAT) rely on a single to PAT TCP/UDP source port number ' ing. Because all traffic is PAT would be at the same source address, must be certain uniqueness to each of its sessions, and most devices use the port number TCP/UDP source for this. Because IPSec doesn't have one, many features PAT fail to PAT it properly or at all, and the data transfer fails.
NAT - T is enabled on both devices of the range, they will determine during the construction of the tunnel there is a PAT/NAT device between them, and if they detect that there is, they automatically encapsulate every IPSec packets in UDP packets with a port number of 4500. Because there is now a port number, PAT devices are able to PAT it correctly and the traffic goes normally.
Hope that helps.
-
Connected to the Internet of VPN remote access VPN clients
Greetings,
I need to remote VPN clients to connect to the Internet from the same server VPN ASA
"client connects to ASA the external interface VPN tunnel can access Internet from the same external interface ASA new."
Thank you
you need to configure "same-security-traffic permit intra-interface" on the SAA.
Also, need to configure the relevant statements of nat for your range of pool of customers.
i.e.
Global 1 interface (outside)
NAT (outside) 1 access-list anyconnectacl
where anyconnectacl is the pool for your customers:
permit ip 172.16.1.0 access list anyconnectacl 255.255.255.0 any
-
IP address connection sets using the VPN Client
Hello world. I'm using a VPN Client when I establish a VPN Tunnel with a 1600 router, and I have a question.
Can I assign a fixed IP address in the client, instead the router send to random addresses from customer?
What I would he do this?
It would be in the configuration of the VPN client, or in the configuration of the router?
If so, I'm doing this?
Do I need another tool, or other software or hardware to do?
any help is hope...
Thank you...
Hello
I don't think that there is a simple way to do this.
However, if you create a different groupname for the user who needs a static IP address, I think you should be good to go
So what you need to do, create a new pool of addresses. Make the start and end ip address be the same (this is the address to which you want to assign to the VPN user)
Configure another ipsec on the router group and bind the new pool to this group
Ask your VPN client to connect to this group
Hope that helps
Jean Marc
-
Using Cisco VPN Client in Windows 7 Professional 64 bit
Hi all!
I need to use Cisco VPN Client to connect to my server in the company, because my company uses lotus notes Server, I have to connect Cisco VPN to access e-mail. But now my windows version is Windows 7 Pro 64 bits that cannot directly install this application, I already installed XP Mode and creatde shortcut to Windows 7, I plugged the Cisco VPN to my Cisco VPN server, but I can not access the server, Pls help me and show me how to solve this problemOpen the XP VM itself, do not use the shortcut that was published in
the W7 boot menu. You need to install Outlook / your email client
Inside the virtual machine, as well as on the side of W7. You can point to the same
PST files if you have local PST files, but you just can't open them in
at the same time of W7 and XP VM.There is no way to bridge using the shortcut of publishing app
Some people have reported success with the third party IPSec
replacements as customer universal shrew or the NCP. Your IT Department.
would like to know if these are supported:
> Hello all! I need to use Cisco VPN Client to connect to my server in the company, because my company uses lotus notes Server, I have to connect Cisco VPN to access e-mail. But now my windows version is Windows 7 Pro 64 bits that cannot directly install this application, I already installed XP Mode and creatde shortcut to Windows 7, I plugged the Cisco VPN to my Cisco VPN server, but I can not access the server, Pls help me and show me how to solve this problem
Barb Bowman www.digitalmediaphile.com -
Hello
Im trying to set up my friends firewall to accept connections vpn client software to remote sites. I applied a configuration to a previous case, I did, but this time, when the client tries to connect, it comes to the point of "Securing communications channel" and goes no further. Ive attached the configuration of the pix and some debug and show the result of the command.
Also, if I wanted to limit the remote client using only the port to a single server, how I would approach this? In my case, I don't want to give the customer access to a single server on the DMZ with the port 25.
Thank you.
To limit access to only specific server and client vpn port, follow these steps:
1 allow customer traffic ipsec should be handled by an acl applied to the external interface by running this command in global configuration mode:
No ipsec sysopt connection permit
2. add these statements to acl 2, which is applied to the external interface:
access-list 2 permit tcp 172.16.1.0 255.255.255.0 host x eq 25
Notes:
ACL 2 has an explicit deny ip everything no matter which line which should be removed and added back after all the acl changes are made, otherwise he would block want you want to allow.
You may need to enable vpn clients to connect to your dns or wins servers too, unless they will respond to your e-mail address in server ip instead of the host name.
Which version of the client vpn do you use and what OS it runs? You may need to add an isakmp policy which has a duration of less than 86400 seconds to get the client to connect.
Let me know what you find.
-
Using VPN Client coming out behind a PIX
As I understand it, a PIX can operate as a VPN endpoint for IPsec tunnels, or allow IPsec traffic to pass to the other endpoints behind him; My PIX is an end point, but there are a few users who wish to use the VPN Client to connect to outside points beyond the firewall.
Is it possible to configure a PIX to two pass through IPsec traffic AND be an endpoint?
On a related note, two customer software VPN hosts can connect to each other?
Thank you
Marc
My pix company does exactly what you posted, there is lan - lan vpn, and we again establish vpn to other companies via a software vpn client.
concerning the transmission of described video, it should not need additional acl or configuration assuming that there is no acl on the pix. a question must be noticed is that the other end (i.e. the end point of the remote vpn client) needs to nat-traversal since the local pix usually perform nat/pat.
However, the vpn directly between two clients is not feasible as its name suggests (they are the two client).
Maybe you are looking for
-
Update failed... could not be installed (applies the patch failed)-I use 7.0.1
Update failed. The update could not be installed (patch applies failed). He seems to want to upgrade 7.0.1 to 8. But when I click on the link, it does not offer updates, just all a band/reinstall! Where is the page of updates? Help?
-
HP Pavilion Slimline S5 - 1050d: Upgrade of RAM - single channel memory
-
H
-
Thr type hbitmap in the labview
Hello I had a Dll located in the internet. Now, I want to use "Call library function node" to get the data of this DLL. Unfortunately, I don't, t know how to set the "HBITMAP" without knowing the type of law in labview. the code of the DLL: extern "C
-
Feature 'measure' place 7840 Realsense camera does not
Recently, I received this tablet. The first time I tried to take some pictures with the camera 3D realsense and then open the pictures with the gallery app, I was able to use the device to measure the distance and it worked fine. Some time later, w