Cisco VPN

[joeddali]

Sorry for the crosspost ...

I work with an engineer who can't make private LAN to LAN VPN work.

We have the Cisco 3000 VPN concentrator and PIX 501 configured with a 2500.

I can do this easily with a Windows 2000 VPN server.

Why can't he make it work?

Why do clients need static IP and can't use a 192.168.1.1 to VPN in with the Cisco?

Thanks

 

[trailman73]

Hmmm...how is he trying to build the tunnel? preshared keys? radius? give me a little more info on what he is trying to do, and I can help better.

Geoff

 

[joeddali]

Thanx Geoff ... just a very basic VPN setup with the above mentioned hardware. No RADIUS, no keys.

It works great if you have a static IP on a dial up.

If you are behind a firewall, it does not work.

Wish I could give you more info buts its pretty much vanilla VPN.

Thanks

 

[trailman73]

Okay, so you have a remote office; or are you trying to do a VPN in the same building for securing an accounting department or something? If you have a remote office with a DSL or T1 connection it is very simple. Or are these home users connecting individually?

Geoff

 

[joeddali]

Users who have cable modems remotely and have a NAT address of 192.168.1.xxx cannot use the Cisco Windows VPN client to VPN in.

Users who have an assigned static public IP address, can.

That is my problem.

 

[bubarooni]

I am getting ready to try the same thing with two 1750's. My setup has a 1750 at one site and a PIX 506 and 1750 at the other so it sounds similar to your setup. My PIX sits in front of the 1750 at the second site.

According to a Cisco rep I will have to create an access-list or conduit on the PIX to allow ESP and UDP 500 through. He said the rest of the config would be pretty much the same as any other lan to lan.

I don't know if that will help you or not but, if it does, post back the way you did it. It may really help me out next week!

 

[rsivanandan]

Hi Joeddali,

Assuming that users are connecting to the VPN Concentrator with Windows VPN client, there are options for using CLIENT ip address. You can configure the Concentrator to use Client ip address or Server assigned ip address. Now You said that the clients with static ip can talk, right? Then see the configurations for the ip assignment. You also need to explain about the NATTed address of 192.. range, is your DHCP giving this or the concentrator?

If you have PIX in between of them, then you need to open the ports and protocols to pass through. For example, you are using IPSEC, then protocols AH (51) and ESP (50) need to be opened and also the port UDP 500.

Hi Bubarooni,

Hope this helps you too.. Not only the UDP ports but remember the protocols also as;

Access-list 100 permit ah any any
Access-list 100 permit esp any any
Access-list 100 permit udp any any eq isakmp (UDP 500)

Cheers,
Rajesh

 

[Rucus1]

If I understand your problem you are saying that users with cable modems running NAT/PAT cant connect in. I am assuming you are useing the cisco easy vpn client and ESP + 3DES. If this is the case its because your concentrator doesnt support transparent tunneling. I know only the very latest IOS version support transparent tunneling and im not sure on the 3000 series what version software supports it. You may want to look into a software upgrade.

 

[abauche]

Hello bubarooni (TechnicalUser) i am going to setup a VPN exactly the same as yours but i have some questions to ask you can i contact you by email ??