
Connection from Cisco VPN Client 3 -> Cisco PIX 515 -> Win 2k Domain

Status
Not open for further replies.

Ummagumma (Technical User), Jul 18, 2001, GB
I hope someone can point me in the right direction.

I have client PCs running Windows 98 / NT / 2K, all running the Cisco VPN Client 3.0. I want them to connect to my Cisco PIX 515, OS version 6.0.

Two questions:

Which ports do I need my ISP to open to allow the client VPN connection through?

When I tested this by connecting a hub to the outside of the PIX and my client PC into the hub, I could get the VPN tunnel to come up but the Windows Logon failed. I entered Username / Password / Domain and it said it could not find an authentication server. BUT I can ping both my domain controllers in my internal domain. AND they can ping me.

Do I need RRAS configured on the Active Directory? If so, is them at the User and via a policy?

Thanks
Simon
 
I also have a PIX 515 with the 6.0 version and I have clients running Windows 98 and Windows 2000 who use the VPN 3.0 client to connect. The client operates using protocols 50 and 51 and UDP port 500.

I am using a Windows 2000 Active Directory structure for the internal network as well. I ended up setting up Microsoft's Internet Authentication Service (IAS) as RADIUS servers and configured the PIX to pass authentication requests to the IAS servers. There may be a better way to do this but I'm not sure.

Jason
 
I am new to VPN in case you have missed that!

As far as I can tell from the client I have a VPN connection based on shared keys between the PIX and the client. It confirms I have an encrypted tunnel between the two.

My problem arises when I am presented with the Microsoft Network Logon dialog box. I input a correct Username / Password / Domain and it fails.

How come it fails when I can ping the servers on the inside network? So I can see them???

I understood that because I am using shared secrets I do not need an authentication server.

Question: What network are your clients and servers on? Mine are configured on different networks, servers on 10.1.1.x and clients on 10.1.2.x.

Thanks
Simon


 
You do need an AAA server to support VPN authentication through the firewall, even with the shared secret.
 
I wasn't sure either if you could set up the VPN without user authentication, so I checked on Cisco's site. According to the following article, Xauth is optional:
However, I would recommend configuring Xauth to authenticate against TACACS or RADIUS simply to provide a more secure environment. Without an authentication server, anyone who has a copy of the client and the config file could connect to your network. An AAA server provides an additional measure of security by requiring a valid userid and password.

Either way, my guess is that the original problem is not related to a tunnel not being established. If you can ping your internal servers and the packets are being encrypted by the VPN client, then the tunnel is up. So I would then check to see if you have an access-list that prevents the traffic for the Logon screen from coming up, i.e. you are blocking UDP 137 + 138 and/or TCP 139 from your VPN clients. It may also be a timing issue.
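Added example (not from any poster in this thread): a small first-match evaluator for simplified PIX 6.x-style `access-list` lines that checks the flows the replies above say must be permitted: IP protocols 50 (ESP) and 51 (AH) plus UDP 500 (ISAKMP) to the PIX outside address, and UDP 137/138 and TCP 139 from the VPN client network (10.1.2.x) to the domain controllers (10.1.1.x). The sample ACL lines, the addresses 203.0.113.10, 198.51.100.7, 10.1.2.5 and 10.1.1.10, and the ACL names are constructed for the example; the parser handles only the `permit|deny PROTO SRC DST [eq PORT]` shape shown here, not the full PIX grammar.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample ACL lines (illustrative, not from a real PIX). The deny on
# UDP 137 is deliberate: it is the kind of line that breaks the Windows logon
# while leaving ping working, which is the symptom described in the thread.
SAMPLE_ACL = """
access-list outside_in permit esp any host 203.0.113.10
access-list outside_in permit ah any host 203.0.113.10
access-list outside_in permit udp any host 203.0.113.10 eq 500
access-list inside_in deny udp 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 137
access-list inside_in permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
""".strip().splitlines()

# Flows the thread says a VPN client deployment needs (hypothetical endpoints):
# (label, acl name, protocol, source, destination, destination port)
REQUIRED_FLOWS = [
    ("esp",         "outside_in", "esp", "198.51.100.7", "203.0.113.10", None),
    ("ah",          "outside_in", "ah",  "198.51.100.7", "203.0.113.10", None),
    ("isakmp",      "outside_in", "udp", "198.51.100.7", "203.0.113.10", 500),
    ("netbios-ns",  "inside_in",  "udp", "10.1.2.5",     "10.1.1.10",    137),
    ("netbios-dgm", "inside_in",  "udp", "10.1.2.5",     "10.1.1.10",    138),
    ("netbios-ssn", "inside_in",  "tcp", "10.1.2.5",     "10.1.1.10",    139),
]


@dataclass
class Rule:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]


def _parse_addr(tokens, i):
    """Return (network, next index) for 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX uses a dotted subnet mask, which ip_network accepts after a slash.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_acl(lines):
    """Parse the simplified access-list lines into Rule objects, in order."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2].lower(), t[3].lower()
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = None
        if i + 1 < len(t) and t[i] == "eq":
            port = int(t[i + 1])
        rules.append(Rule(name, action, proto, src, dst, port))
    return rules


def evaluate(rules, acl_name, proto, src_ip, dst_ip, port=None):
    """First matching rule wins; no match means the PIX implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.name != acl_name:
            continue
        if r.proto not in (proto, "ip"):   # 'ip' matches every protocol
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action == "permit"
    return False


def check_vpn_requirements(rules):
    """Map each required flow label to True (permitted) or False (blocked)."""
    return {label: evaluate(rules, acl, proto, src, dst, port)
            for label, acl, proto, src, dst, port in REQUIRED_FLOWS}


if __name__ == "__main__":
    for label, ok in check_vpn_requirements(parse_acl(SAMPLE_ACL)).items():
        print(f"{label:12s} {'permitted' if ok else 'BLOCKED'}")
```

Running it against the sample lines reports every flow as permitted except `netbios-ns` (UDP 137), which is the line to look for when the tunnel is up and ping works but the domain logon cannot find a server.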
 
I just checked Cisco's site for bugs dealing with the VPN client. There appears to be at least one bug with the "Start before Logon" option where the domain controllers cannot be contacted. The bug id is CSCdu20804.

How are you starting the vpn client?

I haven't actually tried the "Start before logon" option because most of the files I need to reach are in a version control system. When I do need files off the file server, I just hit the file server and it prompts me for a username and password. (NOTE: This is from my home Windows 2000 Professional computer that is not part of the domain.)

Jason
 
I have a Cisco PIX with VPN; where can I download the VPN client?
 
If you have a support contract with Cisco, you can download it from their website.

Bluecrack
 
1. To establish a connection between a Cisco VPN Client (please get version 3.1), you do not need secret keys. You need to set up a VPN group using the (config)#vpngroup MYGROUP command. Go to this url to see examples, which work in real life environments:
Don't mind that it says VPN Client 3000 (they're almost the same thing). Just follow the sample config to the 3.0 code.

The only time you need the secret key is when you're doing PIX-to-PIX, or PIX-to-VPN Concentrator, etc. connections.

David, MCSE, CCNA.
 