
VPN Client cannot connect Server, strange!!

Status
Not open for further replies.

JackyZhang

Technical User
Aug 1, 2002
113
CA
This PC, which has the VPN Client installed, can establish a connection with the PIX501 and get an IP address from the PIX501, but cannot connect to the server behind the PIX501. It is right now in Ottawa with Sympatico HSE.
But with the same PC, when we put it in Toronto and test VPN connectivity with direction to the PIX501, everything works fine; there is no problem. Even when we test with another PC in Toronto connecting to this PIX501, there is no problem.

Only when we put that PC in Ottawa and use Sympatico HSE can that PC not connect to the server behind the PIX501 with the VPN client.


 
Hi.

How does the PC connect to the Internet at each place - dial up/ADSL/cable ...?
Is it connecting to the ISP directly or using an office Internet connection with a local firewall and/or router?
Is it the same ISP in each location?

Check with the ISP if they are blocking ESP protocol.

Bye
Yizhar Hurwitz
 
That PC connects to the Internet through a DSL/Cable router; it is DSL.
It should be the same company, because all of them belong to Bell.
I called Bell in Ottawa. They asked us if we can access the Internet and if we can retrieve email. We said "yes", then they told us that it has nothing to do with them; they said it is Cisco's problem. But before we called Bell, we had already called Cisco, and they logged in to the PIX firewall for testing and then told us all configuration is OK, no problem.
So I don't know who can help us.....
 
Hi.

Try the SETMTU utility (Start - Program - Cisco VPN ...) at the client, set a value of 1400 or lower.

What IP address is the PC getting from the ISP - an internal or a registered IP address?

Is there a NAT device, a filtering router or firewall on the way?

Can the client and the PIX ping each other?

Bye
Yizhar Hurwitz
 
Right now the environment is as below:
PC--DSLRouter--DSLModem---(internet)--CISCO 827 ADSL router--PIX501(NAT&VPN)--Server

PC connects to the Internet with a dynamic IP
PIX connects to the Internet with a static IP
PC can ping the IP address of the outside NIC of the PIX
PIX can ping the IP address of the outside NIC of the DSL router

With the same devices, I tested them with the following connectivity:
PC--DSLRouter(NAT)--Hub--PIX501(NAT&VPN)--Server
Everything works just fine, no problem.

 
Hi.

Standard IPSec will not work via PAT, because PAT supports TCP and UDP but not other IP protocols like IPSec (unless a special engine is handling this).

I don't know how exactly it worked in your lab, but I still think that this is the issue here.

You have several options, here are some, but you may find other options also:

* Use PPTP - Several PAT/NAT devices currently support PPTP traffic as well, so it may work for you, but you can only know after you try.

* Use another VPN server device, like MS RRAS, Cisco 3xxx VPN products, or many, many other options. Cisco VPN server supports IPSec over TCP or UDP, so this can solve it. MS supports PPTP, which might also bypass the problems.

* Instruct the VPN client user to use a modem dial-up connection whenever the broadband connection does not work with VPN.

* If the remote office in Ottawa belongs to the same company, you might find it reasonable to switch their Internet connection to a connection with static registered IP addresses and a PIX, similar to the configuration at your side.

Bye
Yizhar Hurwitz
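
The symptom in this thread (the tunnel negotiates and the client gets an address, but nothing behind the PIX is reachable) matches a capture in which IKE on UDP 500 crosses the PAT router while ESP (IP protocol 50) gets no replies. The Python sketch below is an added example, not part of the original posts: it classifies raw IPv4 packets captured on the client and reports that pattern. The addresses and packets are constructed, and UDP 4500 is an assumption for the UDP-encapsulation port (standard NAT-T); a given client may use a different port.

```python
import struct
from collections import Counter

ESP, UDP = 50, 17                  # IP protocol numbers
IKE_PORT, NATT_PORT = 500, 4500    # NATT_PORT is an assumption (standard NAT-T)

def ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (checksum 0) for the constructed samples."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, addr(src), addr(dst)) + payload

def udp(sport, dport):
    """Build a bare UDP header with no payload."""
    return struct.pack("!HHHH", sport, dport, 8, 0)

def classify(pkt):
    """Return (src, dst, kind); kind is 'ike', 'esp', 'udp-encap' or 'other'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    if proto == ESP:
        return src, dst, "esp"
    if proto == UDP and len(pkt) >= ihl + 4:
        ports = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if IKE_PORT in ports:
            return src, dst, "ike"
        if NATT_PORT in ports:
            return src, dst, "udp-encap"
    return src, dst, "other"

def diagnose(packets, client):
    """Summarise a capture taken on the client, behind the PAT device."""
    seen = Counter()
    for p in packets:
        src, _, kind = classify(p)
        seen[(kind, "out" if src == client else "in")] += 1
    if seen[("esp", "in")] or seen[("udp-encap", "in")]:
        return "tunnel data is returning"
    if seen[("ike", "in")] and seen[("esp", "out")]:
        return "IKE completes but no ESP replies arrive: ESP is lost on the path"
    return "inconclusive"

# Constructed capture: IKE both ways, ESP leaving the client, nothing coming back.
CLIENT, GATEWAY = "192.168.1.10", "203.0.113.5"
SAMPLE = [ipv4(CLIENT, GATEWAY, UDP, udp(500, 500)),
          ipv4(GATEWAY, CLIENT, UDP, udp(500, 500)),
          ipv4(CLIENT, GATEWAY, ESP, b"\x00" * 8),
          ipv4(CLIENT, GATEWAY, ESP, b"\x00" * 8)]
```

Feeding `diagnose` the IP payloads from a capture on the client gives a quick answer to whether the path passes ESP before anyone changes the PIX or the ISP service.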
 