Rolando Barberis Guest
Posted: Tue Apr 25, 2006 1:30 am Post subject: Client VPN to PIX 501

I have set up a PIX 501 for client VPN access and have successfully
connected to it and can access the internal LAN. To connect I am using
the Cisco VPN client (IPSec). However I am having issues where I can't
connect to the VPN site from certain internet connections. From these
very sites I am able to connect to other VPN sites but not this one
site in particular. Can anyone offer any suggestions as to why I would
be able to connect to a VPN site and not another from the same internet
connection?
Thanks
Rolando
rave Guest
Posted: Tue Apr 25, 2006 2:22 am Post subject: Re: Client VPN to PIX 501

Can you please give us some more details about the same?
It can be many things, like port blockage, policies not matching, etc.
Walter Roberson Guest
Posted: Tue Apr 25, 2006 3:22 am Post subject: Re: Client VPN to PIX 501

In article <1145914231.332986.39350@j33g2000cwa.googlegroups.com>,
Rolando Barberis <rbarberis@gmail.com> wrote:
Quote:
I have set up a PIX 501 for client VPN access and have successfully
connected to it and can access the internal LAN. To connect I am using
the Cisco VPN client (IPSec). However I am having issues where I can't
connect to the VPN site from certain internet connections. From these
very sites I am able to connect to other VPN sites but not this one
site in particular. Can anyone offer any suggestions as to why I would
be able to connect to a VPN site and not another from the same internet
connection.

If the sites are behind NAT and you have not set up your PIX 501 with
isakmp nat-traversal 20
and if the other sites -have- turned that on [or the equivalent],
then you would be able to connect to those other sites but not to the 501.
Rolando Guest
Posted: Tue Apr 25, 2006 3:50 pm Post subject: Re: Client VPN to PIX 501

To further clarify the config and the behavior......
From Internet Connection A - Client connects and authenticates and can
access resources on Site 1 and Site 2.
VPN Site 1 (501) network 10.1.1.x
VPN Site 2 (501) network 172.1.1.x
From Internet Connection B - Client connects and authenticates to
Site 2 and can access resources, however it can connect and
authenticate to Site 1 however we can't ping or access any of the
resources on the 10.1.1.x network.
Any suggestions appreciated.
Walter Roberson Guest
Posted: Tue Apr 25, 2006 4:50 pm Post subject: Re: Client VPN to PIX 501

In article <1145980104.074875.104220@t31g2000cwb.googlegroups.com>,
Rolando <rbarberis@gmail.com> wrote:
Quote:
To further clarify the config and the behavior......
VPN Site 1 (501) network 10.1.1.x
From Internet Connection B - Client connects and authenticates to
Site 2 and can access resources, however it can connect and
authenticate to Site 1 however we can't ping or access any of the
resources on the 10.1.1.x network.

Is nat traversal turned on?
Is split tunneling turned on?
Does the internal IP address range at Connection B happen to be in
the 10/8 network? If so, are you using the 'mask' parameter on
the ip pool definition on the PIX?
Rolando Guest
Posted: Wed Apr 26, 2006 1:50 pm Post subject: Re: Client VPN to PIX 501

Do you know how to set the mask on the IP pool? It does not show mask
as a parameter on the address pool statement. When the client connects
it is being handed a 255.0.0.0 mask. I believe this is the issue since
I can connect from a 192 network but not a 10 network. Does anyone know
how to set the mask that is handed to the client on the PIX?
Thanks
Walter Roberson Guest
Posted: Wed Apr 26, 2006 4:50 pm Post subject: Re: Client VPN to PIX 501

In article <1146056967.449532.108950@i40g2000cwc.googlegroups.com>,
Rolando <rbarberis@gmail.com> wrote:
Quote:
Do you know how to set the mask on the IP pool, it does not show mask
as a parameter on the address pool statement.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027172
If you are running PIX 6.2 then you would need to upgrade in order
to get this feature.
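
The address overlap behind the questions about the 10/8 network and the pool mask, worked through as an added example that is not code from any poster in the thread. The pool address 10.1.1.200 and the two client LAN ranges are assumed sample values; only the 255.0.0.0 mask and the "192 network" / "10 network" distinction come from the thread.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
ASSIGNED_IP = "10.1.1.200"  # assumed address handed to the client from the pool
CLIENT_LANS = {
    "Connection A (192 network)": "192.168.1.0/24",  # assumed
    "Connection B (10 network)": "10.20.30.0/24",    # assumed
}


def connected_network(assigned_ip, mask):
    """Network the VPN adapter treats as on-link for this address and mask."""
    return ipaddress.ip_interface(f"{assigned_ip}/{mask}").network


def lan_conflict(client_lan, assigned_ip, mask):
    """Return the range claimed by both the physical LAN and the VPN adapter,
    or None when the two networks do not overlap."""
    lan = ipaddress.ip_network(client_lan)
    vpn = connected_network(assigned_ip, mask)
    if not lan.overlaps(vpn):
        return None
    # Overlapping IP networks always nest, so the shared range is the smaller one.
    return lan if lan.prefixlen >= vpn.prefixlen else vpn


def report(masks=("255.0.0.0", "255.255.255.0")):
    """Check every sample client LAN against each candidate pool mask."""
    rows = []
    for mask in masks:
        for name, lan in CLIENT_LANS.items():
            shared = lan_conflict(lan, ASSIGNED_IP, mask)
            rows.append((mask, name, str(shared) if shared else None))
    return rows


if __name__ == "__main__":
    for mask, name, shared in report():
        status = f"overlaps on {shared}" if shared else "no overlap"
        print(f"pool mask {mask:15} {name:28} {status}")
```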