
VPN tunnel establishes, but no access to LAN


thommynix (IS-IT--Management), DE
May 12, 2003
Hello,

I hope you can help with a problem I have been working on for DAYS. I have to say I have knowledge about Cisco routers, but don't know much about the Cisco PIX firewall or VPN.
Now the description of the problem:
It is possible to connect from a PC outside our company to the PIX using the Cisco VPN client. A VPN tunnel is established. In the log of the VPN client there is a warning message: "received malformed message or negotiation no longer active". I don't know if this leads to the problem?
After the VPN is established, the VPN client icon appears in the task bar.
But it is not possible to make a connection to our terminal server or any PCs inside the LAN or the DMZ. VPN clients get an IP address from the PIX. This works: it is possible to ping the VPN client PC from a PC inside the DMZ.
In the statistics of the VPN client, there are two network entries: the first is 0.0.0.0 with subnet 0.0.0.0, and the second one is our PIX outside interface. The problem seems to be that all packets are sent to the first network (0.0.0.0), and none of them to the PIX outside interface.
In the description of the VPN client, it's the opposite: there all packets are sent to the PIX outside interface. Is this the problem? The VPN client sends the packets, not the PIX; is this the problem? And why does it not?
The VPN connection worked until the administrator made changes to our domain (he is not a company member anymore, so I can't ask him); I don't know whether any changes were made to the PIX configuration.

I hope someone can give me a hint what the problem could be, or maybe the solution? This would be fantastic!

Thanks a lot in advance.

Thomas
 
Hi.

The initial phases of VPN work over UDP port 500 (ISAKMP).
The actual traffic passes via ESP = IP protocol 50, which has problems going over NAT devices, or might be blocked by a remote firewall (client side, either a software firewall or a network device).

So, do some testing like:
Connect a different PC using dial-up to the ISP, and try to connect with a VPN client. What happens now?
Ask the remote user to do the same (use a dial-up connection).
Ask the remote user about his connection to the Internet: any NAT device? Software firewall on the PC? Network firewall at the office?

You should also check the syslog messages at the PIX for troubleshooting. Do you get any relevant messages?

Read on:

> In the statistics of the VPN client, there are two network entries: the first is 0.0.0.0 with subnet 0.0.0.0,
...
This is normal because you don't use "split-tunnel".
If you wish, you can configure "split-tunnel" at the PIX.

Please also provide more info, partial config, version info, etc.

Bye

Yizhar Hurwitz
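For readers following this thread: the fragment below is an added example of the PIX 6.x remote-access VPN configuration Yizhar refers to (split tunnel, NAT exemption, syslog), not configuration from either poster. The inside network 192.168.1.0/24, the client pool 192.168.100.0/24, the syslog host, the group name "remoteusers" and the crypto parameters are all assumed for illustration; the `isakmp nat-traversal` line requires PIX 6.3 or later and a VPN client that supports NAT-T, and is what addresses the ESP-behind-NAT case described in the reply.

```text
! --- Assumed addressing: LAN 192.168.1.0/24, VPN client pool 192.168.100.0/24 ---
ip local pool vpnpool 192.168.100.1-192.168.100.50

! Traffic from the inside LAN to the client pool must bypass NAT, or replies to
! the clients are translated on the way out and never return through the tunnel.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! Split tunnel: only the inside LAN is sent through the tunnel; everything else
! leaves the client directly. Without this the client shows a single 0.0.0.0/0.0.0.0
! secured route, i.e. all traffic is tunneled.
access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

! Let decrypted IPsec traffic bypass the outside interface access-list.
sysopt connection permit-ipsec

! Phase 1 (ISAKMP, UDP/500)
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! NAT-T (PIX 6.3+): ESP is encapsulated in UDP/4500 when a NAT device is detected,
! so protocol 50 does not have to cross the NAT device on its own.
isakmp nat-traversal 20

! Phase 2 (ESP, IP protocol 50) for clients with unknown source addresses
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap interface outside

! VPN group seen by the Cisco VPN client (group name and password are assumed)
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 192.168.1.10
vpngroup remoteusers split-tunnel split_tunnel
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password <group-password>

! Syslog to an inside host (assumed 192.168.1.20) so phase 1/2 failures can be read
logging on
logging timestamp
logging trap debugging
logging host inside 192.168.1.20
```

After applying this, the VPN client statistics should list 192.168.1.0/255.255.255.0 as the secured network instead of 0.0.0.0/0.0.0.0, and the inside host list in `access-list nonat` must match the networks the clients are expected to reach (add the DMZ subnet with a corresponding `nat (dmz) 0 access-list` if clients should reach it). If phase 1 completes but LAN hosts remain unreachable, `show crypto ipsec sa` on the PIX and the syslog host will show whether ESP packets from the client are arriving at all, which separates a blocked protocol 50 from a missing NAT exemption.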