Cisco Client connects to server but cannot ping VPN network.

By darkcape1 ·
A client of mine has set up a VPN connection for me through their Cisco appliance (no idea what it is).

When I connect directly to the internet with my laptop the connection works without any issues at all. I can ping servers, I can Remote Desktop to them, and I am a part of their happy network.

However, when I get behind my 506E PIX the Cisco VPN Client connects, but I am not able to ping their servers or do anything.

Breakdown of what I can figure out:
My local network: 192.168.4.x
Their Cisco DHCP range for clients: 10.0.0.0 255.0.0.0 (I usually get something in the 10.10.10.x range)
Their internal network: 172.16.200.x 255.255.255.0

I want to think that there might be something they need to configure on their side to communicate with a NATed client, but I cannot figure that out.

Or better yet, if anyone knows a fixup I can put on my PIX that I am missing.

Thanks to all that have some help to give.

My current Cisco PIX config is:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXX encrypted
passwd XXXX encrypted
hostname quick-external
domain-name internal.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.4.2 server1
access-list inside_access_in permit ip any any
access-list inside_access_in permit gre any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
access-list outside_access_in permit icmp any any
access-list outside_access_in deny ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside ###.###.###.### 255.255.255.248
ip address inside 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 ###.###.###.### 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 192.168.4.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.4.100-192.168.4.150 inside
dhcpd dns ###.###.###.### ###.###.###.###
dhcpd lease 3600
dhcpd ping_timeout 750
username admin password XXXX encrypted privilege 15
terminal width 80
Cryptochecksum: 23
: end

All Answers

I could be wrong but.....

by robo_dev In reply to Cisco Client connects to ...

You need to enable 'VPN passthru' on a NAT device, or IPsec won't work.

ISAKMP Nat traversal command (OTOH, since you can authenticate, this may not be the issue)

Perhaps you need a static route from your 192. network to their 172. network?

Exactly right answer. "isakmp nat-traversal"

by darkcape1 In reply to I could be wrong but.....

Good call Robo_dev. On the client side they were missing the entry "isakmp nat-traversal 20".

For those troubleshooting in the future, the item that points to this exact failure is:

Turn logging on to level 3 for all items (I'm sure there is a specific one but didn't dig that deep); you will see a line similar to these:

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-t), VID(Frag), Vid(unity)) to (remote cisco)

Then a couple of lines later we get back:

RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, HASH, VID(unity), VID(Xauth), VID(dpd), VID(Frag), VID(?)) from (remote Cisco)

If you do not get a VID(Nat-T) back, then this is more than likely the fix. Thanks again Robo_dev.
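
As an added example (not part of the thread), a small Python checker for the diagnostic darkcape1 describes: parse the VPN client's SENDING/RECEIVING "ISAKMP OAK AG" log lines and flag when the client offered VID(Nat-T) but the gateway's reply did not echo it. The sample log lines and the 203.0.113.10 peer address are constructed for the example.

```python
import re

# Constructed sample lines modelled on the Cisco VPN Client log excerpts quoted
# in this thread (not real captures; 203.0.113.10 is a documentation address).
SAMPLE_LOG = """\
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-t), VID(Frag), Vid(unity)) to 203.0.113.10
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, HASH, VID(unity), VID(Xauth), VID(dpd), VID(Frag), VID(?)) from 203.0.113.10
"""

# Matches the aggressive-mode (OAK AG) SENDING/RECEIVING lines and captures
# the payload list in parentheses plus the peer named after "to"/"from".
OAK_AG_RE = re.compile(
    r"^(SENDING|RECEIVING)\s+[<>]+\s+ISAKMP\s+OAK\s+AG\s*\((.*)\)\s+(?:to|from)\s+(.+)$",
    re.IGNORECASE,
)


def parse_vids(payloads: str) -> set:
    """Return the vendor-ID names (lowercased) from a payload list such as
    'SA, KE, NON, VID(Xauth), Vid(unity)'. The client writes 'VID' and 'Vid'
    inconsistently, so the match is case-insensitive."""
    return {m.group(1).lower() for m in re.finditer(r"vid\(([^)]*)\)", payloads, re.IGNORECASE)}


def check_nat_t(log_text: str) -> dict:
    """Compare the vendor IDs the client offered with those the peer returned."""
    sent, received, peer = set(), set(), None
    for line in log_text.splitlines():
        m = OAK_AG_RE.match(line.strip())
        if not m:
            continue
        direction, payloads, peer = m.groups()
        (sent if direction.upper() == "SENDING" else received).update(parse_vids(payloads))
    offered = "nat-t" in sent
    answered = "nat-t" in received
    return {
        "peer": peer,
        "client_offered_nat_t": offered,
        "peer_answered_nat_t": answered,
        # The thread's diagnosis: client offers NAT-T, gateway never echoes it.
        "nat_t_not_negotiated": offered and not answered,
    }


if __name__ == "__main__":
    print(check_nat_t(SAMPLE_LOG))
```

Point it at a level-3 client log and a true `nat_t_not_negotiated` is the signature the thread describes; the gateway side then needs `isakmp nat-traversal` enabled.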
