DComTalk.com

I am having problems with my Cisco VPN setup. I can get some users
working fine, and into remote desktop. Others can connect to the
firewall, but cannot connect to Remote Desktop. They cannot ping the
server (192.168.0.2) either. I can ping the server on the machines that
can connect to Remote Desktop.


One problem i am having, is that in one office, one computer can
connect fine. But after a few minutes, that machine can no longer
connect to the server or ping it. The cisco vpn stays connected though.

I have the security level set to 2 (default) on each user.

Any ideas on why this is not working?


Thanks
Jason

In article <dnss5f$jgs$1$8302bc10@news.demon.co.uk>,
Martin Kayes <nospam@nospam.com> wrote:

[NAT-T, PIX]

Try just these two lines:

isakmp nat-traversal 20
access-list 110 permit udp any host <public ip> eq 4500

If the PIX is the VPN termination point, then only the first line,
isakmp nat-traversal 20
is needed.

If you are trying to make a connection through a PIX to a VPN termination
point that is internal, then if that server has a public IP that
is not shared with any other machine:

: the static is needed for each of these cases

static (inside,outside) ServerPublicIP ServerPrivateIP netmask 255.255.255.255

: pptp, if that's what the internal server is handling
access-list 110 permit gre any host ServerPublicIP
access-list 110 permit udp any host ServerPublicIP eq 1723
: l2tp, if that's what the internal server is handling
access-list 110 permit udp any host ServerPublicIP eq 1701

If the internal server is handling IPSec:

: ipsec, AH enabled and ServerPublicIP is the same as ServerPrivateIP
access-list 110 permit udp any host ServerPublicIP eq 500
access-list 110 permit esp any host ServerPublicIP
access-list 110 permit ah any host ServerPublicIP

OR

: ipsec, AH not enabled. ServerPublicIP does not need to be the same
: as ServerPrivateIP
access-list 110 permit udp any host ServerPublicIP eq 500
access-list 110 permit esp any host ServerPublicIP

OR

: ipsec. AH can be enabled or not. ServerPublicIP does not need to be
: the same as ServerPrivateIP
isakmp nat-traversal 20
access-list 110 permit udp any host ServerPublicIP eq 500
access-list 110 permit udp any host ServerPublicIP eq 4500


It does not hurt to combine these IPSec cases, into:

isakmp nat-traversal 20
access-list 110 permit udp any host ServerPublicIP eq 500
access-list 110 permit udp any host ServerPublicIP eq 4500
access-list 110 permit esp any host ServerPublicIP
access-list 110 permit ah any host ServerPublicIP


If you are trying to make a connection through a PIX to a VPN termination
point that is internal, and if that server has a public IP that
is shared with any other machine, such as the outside interface of
the PIX, you set things up differently. The below is written
assuming that you are using the public IP of the PIX itself.

If you are using a different public IP for the server, but still shared with
other machines, then in each 'static' command, for the word
'interface', substitute the public IP, and
in each acl entry, in place of 'interface outside', substitute
'host' followed by the shared public IP:

(Note: PIX 6.x syntax; the port forwarding might be different in 7.0)

: if pptp is what the internal server handles
static (inside, outside) udp interface 1723 ServerPrivateIP 1723 netmask 255.255.255.255
access-list 110 permit udp any interface outside eq 1723 netmask 255.255.255.255

: if l2tp is what the internal server handles
static (inside,outside) udp interface 1701 ServerPrivateIP 1701
access-list 110 permit udp any interface outside eq 1701

: if IPSec is what the internal server handles:

isakmp nat-traversal 20
static (inside,outside) udp interface 500 ServerPrivateIP 500 netmask 255.255.255.255
static (inside,outside) udp interface 4500 ServerPrivateIP 4500 netmask 255.255.255.255
access-list 110 permit udp any interface outside eq 500
access-list 110 permit udp any interface outside eq 4500


An example of not using the PIX outside interface as the public IP
for the server:

: if l2tp is what the internal server handles
static (inside,outside) udp ServerPublicIP 1701 ServerPrivateIP 1701 netmask 255.255.255.255
access-list 110 permit udp any host ServerPublicIP eq 1701

--
Programming is what happens while you're busy making other plans.

By the way, I have a PIX 515E/UR,


thanks
jason

1st I would check to see if the local computer is running windows
firewall. If it is running i would disable it. i would then check to
see if remote desktop is enabled. If it is enabled i would check to see
who has access to run remote desktop. you might want to create a
security group called remote desktop and place only the people you want
to have access. Hope this helps. Also what OS is running on the server
and on the desktops.

Hi Jason,

Am I correct in thinking that the users are grouped together in offices and
therefore using the same public IP address/es?

Regards,

Martin

"jsandlin0803" <jason.sandlin@wymtnews.com> wrote in message
news:1134672102.552760.249180@g47g2000cwa.googlegroups.com...

I am having problems with my Cisco VPN setup. I can get some users
working fine, and into remote desktop. Others can connect to the
firewall, but cannot connect to Remote Desktop. They cannot ping the
server (192.168.0.2) either. I can ping the server on the machines that
can connect to Remote Desktop.


One problem i am having, is that in one office, one computer can
connect fine. But after a few minutes, that machine can no longer
connect to the server or ping it. The cisco vpn stays connected though.

I have the security level set to 2 (default) on each user.

Any ideas on why this is not working?


Thanks
Jason

The server is a Windows 2000 server. The clients all have Windows XP
Pro. I have had all of the clients on the server before we installed
the new PIX Firewall. I am just confused on why some people can get in,
and some cant. It may be something on their router/firewall (likely a
linksys or the like) that is not allowing the connection. I dont know
though, becuase nothing has changed on the client side. I have just set
up the PIX for VPN, and some work, and some dont. All of the users are
part of the same vpn group.

Please let me know if you have any more suggestions.

Thanks
Jason

Also, the clients are being authenticated on the Firewall, not on the
Win2k server.

All of the users are set up the same on the pix, and in the same policy
group.

Yes, that is correct. The users in the same office can connect for a
minute until another user tries to connect....

What is the deal?

The problem could well be that your router at the user site does not know
who the VPN protocols should belong to as it cannot differentiate between
different users. i.e. the IPSec protocols do not use ports and therefore
cannot be mapped to an internal user.

If you have recent PIX or IOS software acting as the VPN endpoint and the
users have one of the latest VPN Client releases then you could have a look
at using Nat Traversal on your concentrator device. This will use UDP
encapsulation for the IPSec traffic and the site router will know who the
packets belong to.

A PIX uses 'isakmp nat-traversal 20' to do this

and an IOS device later than 12.2(13)T will do it automatically, if not try
'crypto ipsec nat-transparency udp-encapsulation' to enable it.

You will need to make sure UDP 4500 is open in both directions too.

Let me know how it works out,

Martin



"jsandlin0803" <jason.sandlin@wymtnews.com> wrote in message
news:1134681155.636733.130990@g43g2000cwa.googlegroups.com...

Yes, that is correct. The users in the same office can connect for a
minute until another user tries to connect....

What is the deal?

OK, if i understand right, i will do the following (it is a new PIX515E
with 7.0 installed)


add these lines

isakmp nat-traversal 20
crypto ipsec nat-transparency udp-encapsulation (if needed)
access-list 110 permit udp any host <public ip> eq 4500
static (inside2,outside) udp <public ip> 4500 <inside2 ip> 4500 netmask
255.255.255.255 0 0


Is this all that i need to add in order for this to start working?

Do i add the access list to the same as the vpn setup?

Thanks
Jason

Hi,

Almost, but the line 'crypto ipsec nat-transparency udp-encapsulation' is
only an option for an IOS router as I didn't know what device you were using
so you don't want it for the PIX.

You shouldn't need this line either as the PIX is the device that needs to
receive the UDP 4500 traffic. :
'static (inside2,outside) udp <public ip> 4500 <inside2 ip> 4500 netmask
255.255.255.255 0 0'

If access-list is the ACL controlling your inbound traffic from the Internet
then your line below should be ok.

Try just these two lines:

isakmp nat-traversal 20
access-list 110 permit udp any host <public ip> eq 4500

Regards,

Martin

"jsandlin0803" <jason.sandlin@wymtnews.com> wrote in message
news:1134684695.532402.248660@f14g2000cwb.googlegroups.com...

OK, if i understand right, i will do the following (it is a new PIX515E
with 7.0 installed)


add these lines

isakmp nat-traversal 20
crypto ipsec nat-transparency udp-encapsulation (if needed)
access-list 110 permit udp any host <public ip> eq 4500
static (inside2,outside) udp <public ip> 4500 <inside2 ip> 4500 netmask
255.255.255.255 0 0


Is this all that i need to add in order for this to start working?

Do i add the access list to the same as the vpn setup?

Thanks
Jason