
errors when vpn connection starts


edg24

IS-IT--Management
Apr 18, 2002
We use a PIX515 to allow users to connect to our internal network from home using a VPN connection. Each time a user starts a VPN connection, lots of error messages appear on the Syslog. Here are some errors from the syslog. Any idea??

192.168.10.x are the IP addresses dynamically given to the VPN clients through a local DHCP pool (W2K); the other IP addresses are on the web.

Apr 09 13:44:52 10.203.24.3 Apr 09 2002 12:41:48: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:80.200.133.49/1214 dst outside:194.51.118.134/62512

Apr 09 13:44:52 10.203.24.3 Apr 09 2002 12:41:48: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:192.168.10.2/2267 dst outside:216.200.241.66/80

Apr 09 13:44:52 10.203.24.3 Apr 09 2002 12:41:48: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:192.168.10.2/2268 dst outside:216.200.241.66/80

Apr 09 13:45:13 10.203.24.3 Apr 09 2002 12:42:09: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:192.168.10.2/2270 dst outside:216.200.241.66/80

Apr 09 13:48:12 10.203.24.3 Apr 09 2002 12:45:09: %PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.10.2/2271 dst outside:195.238.2.21/53

Apr 09 13:48:14 10.203.24.3 Apr 09 2002 12:45:11: %PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.10.2/2271 dst outside:195.238.2.21/53

Apr 09 13:48:16 10.203.24.3 Apr 09 2002 12:45:13: %PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.10.2/2271 dst outside:195.238.2.21/53

Apr 09 13:48:20 10.203.24.3 Apr 09 2002 12:45:17: %PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.10.2/2271 dst outside:195.238.2.21/53

Apr 09 13:48:24 10.203.24.3 Apr 09 2002 12:45:20: %PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.10.2/2274 dst outside:195.238.2.21/53

Apr 09 13:48:31 10.203.24.3 Apr 09 2002 12:45:28: %PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.10.2/2274 dst outside:195.238.2.21/53

Apr 09 13:48:33 10.203.24.3 Apr 09 2002 12:45:30: %PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.10.2/2274 dst outside:195.238.2.21/53

Apr 09 13:48:34 10.203.24.3 Apr 09 2002 12:45:30: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:192.168.10.2/2273 dst outside:206.184.151.217/80
 
HI.

Seems like the VPN client is trying to get out to the Internet via the VPN tunnel.
This can be solved with proper split-tunnel configuration and latest vpn client software.

What is the pix version?
What is the vpn client software and version?
What is the vpn configuration, mainly are you using IPSEC or PPTP?

Read here about the "vpngroup" command with the "split-tunnel" option:

Take a close look the pix sample VPN configuration samples and guides:

You can also generate a simple sample configuration using pixcript:

Bye

Yizhar Hurwitz
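To check the diagnosis above against a whole syslog file rather than by eye, here is a small parser for %PIX-3-106011 messages (added here; it is not code from the thread or from Cisco). It assumes the pptp-pool range and inside subnet quoted in the thread and tags every deny whose source is a VPN-pool address and whose destination is not on the inside network, which is exactly the "client sending Internet traffic into the tunnel" pattern. The sample lines are constructed from the excerpt in the first post.

```python
import ipaddress
import re

# Constructed sample: three lines modelled on the syslog excerpt in the first post.
SAMPLE_LOG = """\
Apr 09 13:44:52 10.203.24.3 Apr 09 2002 12:41:48: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:192.168.10.2/2267 dst outside:216.200.241.66/80
Apr 09 13:48:12 10.203.24.3 Apr 09 2002 12:45:09: %PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.10.2/2271 dst outside:195.238.2.21/53
Apr 09 13:44:52 10.203.24.3 Apr 09 2002 12:41:48: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:80.200.133.49/1214 dst outside:194.51.118.134/62512
"""

# Assumptions taken from the thread: the PPTP address pool and the inside subnet.
VPN_POOL = ipaddress.ip_network("192.168.10.0/24")
INSIDE_NET = ipaddress.ip_network("10.203.24.0/24")

# Fields of a 106011 message: protocol, src interface:addr/port, dst interface:addr/port.
MSG_RE = re.compile(
    r"%PIX-\d-106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_106011(line):
    """Return a dict of the message fields, or None if the line is not a 106011 deny."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Label a deny: VPN client reaching the Internet through the tunnel, VPN client
    hitting the inside net without a translation, or an unrelated inbound deny."""
    if rec["src"] in VPN_POOL and rec["dst"] not in INSIDE_NET:
        return "vpn-client-internet-via-tunnel"
    if rec["src"] in VPN_POOL:
        return "vpn-client-inside-no-xlate"
    return "other-inbound-deny"


def summarise(text):
    """Count 106011 denies per label over a block of syslog text."""
    counts = {}
    for line in text.splitlines():
        rec = parse_106011(line)
        if rec is not None:
            label = classify(rec)
            counts[label] = counts.get(label, 0) + 1
    return counts
```

A large "vpn-client-internet-via-tunnel" count after each dial-in confirms that split tunnelling is the thing to fix, while "other-inbound-deny" entries (like the 80.200.133.49 line) are ordinary Internet noise unrelated to the VPN.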
 
You're right Yizhar. The VPN client is trying to reach some servers on the Internet.
PIX version is 6.11, VPN client is W2K (PPTP).
Here is the PIX VPN config.
access-list 80 permit ip 10.203.24.0 255.255.255.0 192.168.10.0 255.255.255.0
ip local pool pptp-pool 192.168.10.1-192.168.10.50
nat (inside) 0 access-list 80
sysopt connection permit-pptp
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 10.203.24.6
vpdn group 1 client authentication aaa AUTH
vpdn group 1 pptp echo 60
vpdn enable outside

Any idea??

Thanks

Edgard
 
HI.

I suggest that you switch to the unified IPSEC VPN client.
This requires the software (ask your dealer), reconfiguration at the pix, and client installation.

However, if client machines are behind another NAT, like some ADSL implementations, it could pose problems.

Bye
Yizhar Hurwitz
 
I am trying to set up a PIX520 to accept W2k and XP VPN connections directly through the PIX (no other server involved).
With the following config the tunnel goes up, but the clients have no rights to any servers on the inside:

access-list 106 permit ip 111.11.11.1 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool pptp-pool 192.168.1.1-192.168.1.50
nat (inside) 0 access-list 106
sysopt connection permit-pptp
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username user1 password password1

where 111.11.11.1 is my internal IP range.
The VPN clients have various IP addresses, but as far as I can understand they are translated to the pptp-pool, or?
 
HI.

You are using wrong IP addressing values.
If you need access from VPN to the whole 11.1.1.0 subnet, then:

Change this line:
access-list 106 permit ip 111.11.11.1 255.255.255.0 192.168.1.0 255.255.255.0

To this (note the zero):
access-list 106 permit ip 111.11.11.0 255.255.255.0 192.168.1.0 255.255.255.0


In addition, use syslog messages to troubleshoot:
logging on
logging buffer 4
show log

etc...

Bye
Yizhar Hurwitz
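The mistake corrected above (a host address where a network address belongs, so the access-list never matches what the admin intended) is easy to catch mechanically before the line goes onto the PIX. The following checker is added here and is not code from the thread or from Cisco; it parses the `access-list N permit ip NET MASK NET MASK` form used in this thread (PIX style subnet masks, not IOS wildcards), flags any NET with host bits set or a non-contiguous mask, and rewrites the line with the host bits cleared.

```python
import ipaddress
import re

# The simple "access-list NAME permit|deny ip NET MASK NET MASK" form seen in this thread.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)\s*$"
)


def is_contiguous_netmask(mask):
    """True for a proper subnet mask such as 255.255.255.0 (ones followed by zeros)."""
    inv = ~int(ipaddress.ip_address(mask)) & 0xFFFFFFFF
    return inv & (inv + 1) == 0


def host_bits_set(addr, mask):
    """True when addr has bits set outside the mask, e.g. 111.11.11.1 with 255.255.255.0."""
    a = int(ipaddress.ip_address(addr))
    m = int(ipaddress.ip_address(mask))
    return (a & ~m & 0xFFFFFFFF) != 0


def check_acl_line(line):
    """Return a list of problems found in one access-list line (empty list means clean)."""
    m = ACL_RE.match(line.strip())
    if not m:
        return ["not a recognised 'access-list N permit ip NET MASK NET MASK' line"]
    d = m.groupdict()
    issues = []
    for label, addr, mask in (("source", d["src"], d["smask"]), ("destination", d["dst"], d["dmask"])):
        if not is_contiguous_netmask(mask):
            issues.append(f"{label}: {mask} is not a contiguous subnet mask (PIX expects a netmask, not a wildcard)")
            continue
        if host_bits_set(addr, mask):
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False).network_address
            issues.append(f"{label}: {addr} {mask} has host bits set; did you mean {net} {mask}?")
    return issues


def normalised(line):
    """Rewrite the line with each NET replaced by its network address (host bits cleared)."""
    m = ACL_RE.match(line.strip())
    if not m:
        return line
    d = m.groupdict()
    src = ipaddress.ip_network(f"{d['src']}/{d['smask']}", strict=False).network_address
    dst = ipaddress.ip_network(f"{d['dst']}/{d['dmask']}", strict=False).network_address
    return f"access-list {d['name']} {d['action']} {d['proto']} {src} {d['smask']} {dst} {d['dmask']}"
```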
 