DComTalk.com

jsandlin0803 · Guest

I am having problems with my Cisco VPN setup. I can get some users
working fine, and into remote desktop. Others can connect to the
firewall, but cannot connect to Remote Desktop. They cannot ping the
server (192.168.0.2) either. I can ping the server on the machines that
can connect to Remote Desktop.

One problem i am having, is that in one office, one computer can
connect fine. But after a few minutes, that machine can no longer
connect to the server or ping it. The cisco vpn stays connected though.

I have the security level set to 2 (default) on each user.

Any ideas on why this is not working?

Thanks
Jason

Walter Roberson · Guest

In article <dnss5f$jgs$1$8302bc10@news.demon.co.uk>,
Martin Kayes <nospam@nospam.com> wrote:

[NAT-T, PIX]

jsandlin0803 · Guest

By the way, I have a PIX 515E/UR,

thanks
jason

Guest · Posted: Fri Dec 16, 2005 2:20 am Post subject: Re: Cisco VPN Clinet Problem...

1st I would check to see if the local computer is running windows
firewall. If it is running i would disable it. i would then check to
see if remote desktop is enabled. If it is enabled i would check to see
who has access to run remote desktop. you might want to create a
security group called remote desktop and place only the people you want
to have access. Hope this helps. Also what OS is running on the server
and on the desktops.

Martin Kayes · Guest

Hi Jason,

Am I correct in thinking that the users are grouped together in offices and
therefore using the same public IP address/es?

Regards,

Martin

"jsandlin0803" <jason.sandlin@wymtnews.com> wrote in message
news:1134672102.552760.249180@g47g2000cwa.googlegroups.com...

jsandlin0803 · Guest

The server is a Windows 2000 server. The clients all have Windows XP
Pro. I have had all of the clients on the server before we installed
the new PIX Firewall. I am just confused on why some people can get in,
and some cant. It may be something on their router/firewall (likely a
linksys or the like) that is not allowing the connection. I dont know
though, becuase nothing has changed on the client side. I have just set
up the PIX for VPN, and some work, and some dont. All of the users are
part of the same vpn group.

Please let me know if you have any more suggestions.

Thanks
Jason

jsandlin0803 · Guest

Also, the clients are being authenticated on the Firewall, not on the
Win2k server.

All of the users are set up the same on the pix, and in the same policy
group.

jsandlin0803 · Guest

Yes, that is correct. The users in the same office can connect for a
minute until another user tries to connect....

What is the deal?

Martin Kayes · Guest

The problem could well be that your router at the user site does not know
who the VPN protocols should belong to as it cannot differentiate between
different users. i.e. the IPSec protocols do not use ports and therefore
cannot be mapped to an internal user.

If you have recent PIX or IOS software acting as the VPN endpoint and the
users have one of the latest VPN Client releases then you could have a look
at using Nat Traversal on your concentrator device. This will use UDP
encapsulation for the IPSec traffic and the site router will know who the
packets belong to.

A PIX uses 'isakmp nat-traversal 20' to do this

and an IOS device later than 12.2(13)T will do it automatically, if not try
'crypto ipsec nat-transparency udp-encapsulation' to enable it.

You will need to make sure UDP 4500 is open in both directions too.

Let me know how it works out,

Martin

"jsandlin0803" <jason.sandlin@wymtnews.com> wrote in message
news:1134681155.636733.130990@g43g2000cwa.googlegroups.com...

jsandlin0803 · Guest

OK, if i understand right, i will do the following (it is a new PIX515E
with 7.0 installed)

add these lines

isakmp nat-traversal 20
crypto ipsec nat-transparency udp-encapsulation (if needed)
access-list 110 permit udp any host <public ip> eq 4500
static (inside2,outside) udp <public ip> 4500 <inside2 ip> 4500 netmask
255.255.255.255 0 0

Is this all that i need to add in order for this to start working?

Do i add the access list to the same as the vpn setup?

Thanks
Jason

Martin Kayes · Guest

Hi,

Almost, but the line 'crypto ipsec nat-transparency udp-encapsulation' is
only an option for an IOS router as I didn't know what device you were using
so you don't want it for the PIX.

You shouldn't need this line either as the PIX is the device that needs to
receive the UDP 4500 traffic. :
'static (inside2,outside) udp <public ip> 4500 <inside2 ip> 4500 netmask
255.255.255.255 0 0'

If access-list is the ACL controlling your inbound traffic from the Internet
then your line below should be ok.

Try just these two lines:

isakmp nat-traversal 20
access-list 110 permit udp any host <public ip> eq 4500

Regards,

Martin

"jsandlin0803" <jason.sandlin@wymtnews.com> wrote in message
news:1134684695.532402.248660@f14g2000cwb.googlegroups.com...

	DComTalk.com Forum Index -> Cisco	All times are GMT
Page 1 of 1