Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

3.5 vpn client, ms IAS, log in but no network - please help!

Status
Not open for further replies.
mst3k

mst3k

IS-IT--Management
Apr 29, 2002
41
US
Hi - I am trying to get my vpn working with microsoft IAS, and a pix 501. I've followed this doc to the letter:


From the vpn client, I can log in, then I get the windows login, that get's accepted, but I can't see anything on the network. Here's my config:

(note- the outside interface is 10.0.0.1, the pix is behind a router that forwards all traffic (our DSL service)

I've defined the dns and wins, what else do I need to do??

The domain name is dsfi, (active dir) and the client machine is windows xp and windows 2000.

TIA


Building configuration...
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password gNWsK4OF3A.jlaYA encrypted
passwd FOhS/iiJIb9ZMRWC encrypted
hostname grendel
domain-name dsfi.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol domain 53
names
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 10.0.0.1 eq ftp
access-list 100 permit tcp any host 10.0.0.1 eq www
access-list 100 permit tcp any host 10.0.0.1 eq smtp
access-list 100 permit tcp any host 10.0.0.1 eq pop3
access-list 100 permit tcp any host 10.0.0.1 eq 81
access-list 100 permit tcp any host 10.0.0.1 eq 1433
access-list 100 permit tcp any host 10.0.0.1 eq 443
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
pager lines 24
logging on
logging history emergencies
logging host inside 10.0.0.9
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.1 255.255.255.0
ip address inside 10.0.0.2 255.255.254.0
ip verify reverse-path interface outside
ip audit info action drop
ip audit attack action alarm drop
ip local pool ippool 10.0.2.1-10.0.2.254
pdm location 10.0.0.35 255.255.255.255 inside
pdm location 10.0.0.9 255.255.255.255 inside
pdm location 10.0.0.8 255.255.255.255 inside
pdm location 10.0.0.11 255.255.255.255 inside
pdm location 10.0.1.9 255.255.255.255 inside
pdm location 24.73.39.237 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 10.0.0.11 ftp netmask 255.255.255.255
0 0
static (inside,outside) tcp interface 255.255.255.255
0 0
static (inside,outside) tcp interface 433 10.0.0.11 433 netmask 255.255.255.255
0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 10.0.1.9 *****
timeout 5
http server enable
http 10.0.0.35 255.255.255.255 inside
tftp-server inside 10.0.0.35 /
floodguard enable
sysopt security fragguard
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn-users idle-time 1800
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 10.0.0.10
vpngroup vpn3000 wins-server 10.0.0.10
vpngroup vpn3000 default-domain dsfi.net
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 10.0.0.35 255.255.255.255 inside
telnet timeout 10
ssh 10.0.0.35 255.255.255.255 inside
ssh timeout 5
terminal width 80
Cryptochecksum:c319b7937ba54af981e7381fe64b6eb7
: end
[OK]
 
Sort by date Sort by votes
I'm looking at a very similar problem, based on the same tech tip from cisco. In my case the VPN3000 example works, in that my customer can browse his internal network, but other VPN groups cannot. If you fix it I'd be interested to see what you did, I'll let you know how I get on.
 
Upvote 0 Downvote
What kind of internal ip structure do you have on the one that works? That's the only thing I can think of that's keeping mine from working correctly.
The vpn client logs in to the pix just fine, the pix talks to IAS, since I am getting the windows login. After that it just stops... Erg.
 
Upvote 0 Downvote
HI.

Look here:
ip address outside 10.0.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.0.0.100
So you have NAT/PAT on the router - so this is probably your main problem.
Your router isn't passing the esp protocol to the pix, or is it?

Try to connect the client directly to pix outside interface for the test.
This can help you troubleshooting.

You will need to use registered addresses on pix and disable NAT on the router to make things work.

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
I have the same easily reproducible problem now. My set up has multiple pools and vpngroups, depending on which pool I select I can either browse or not the network.

Couple of point to check, are you getting the WINS and DNS server addresses assigned when you connect up the VPN?
I see them in winipcfg assigned correctly.

Also can you ping the VPN client assigned address, look at the status window on the client (right click the VPN icon on task bar) and from the network how far into your network can you ping?
Without knowing your internal address structure its difficult to guess what is going on, it may simply be routing. Try adding a static route pointing back to the client address pool and redistribute around the internal network.

 
Upvote 0 Downvote
I had the same problem and i fixed it by adding the following command

vpngroup vpn3000 split-tunnel 101
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
697
Sameer258
Sameer258
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
596
intel233
intel233
ciscokid1984
  • Locked
  • Question
Watchguard RDP from external network
Replies
1
Views
234
hairlessupportmonkey
hairlessupportmonkey
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
212
gkittelson
gkittelson
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
732
Shmid
Shmid

Part and Inventory Search

Sponsor

Back
Top