topic Re: Vpn client can'e encrypt packet,VPN up, but no access to ins in Network Security

Vpn client can'e encrypt packet,VPN up, but no access to inside resources

daniele.bertolotti — Mon, 11 Mar 2019 09:07:51 GMT

at the beginning, i'm sorry for my long message.

i've read here more post about my trouble...but still not foun any solution.

My problem is about a VPN IPSEC TUNNEL on cisco pix 515e

device.

The pix OS version is 7.0.6.

my win xp client have sp2 installed, and try to make vpn tunnel with IPSEC via cisco client 4.6.00.0049

The strange behavior is:

XP client with Cisco VPN client authenticate itself but can't ping any host of the remote lan.

Pix is configured with:

PAT on outside interface

and PAT on DMZ interface.

no nat acl for exclude packet sourced from inside network and destinated to vpn pool address.

(this acl haven't any matched when tunnel is up and running)

split tunnel acl for inside lan.

when i make IPSEC vpn up, and check it via sh crypto ipsec sa i found tunnel active.

when i make sh access-list to check if acl are matched, i found only crypto_dyn20_ acl matched.

nonat acl and splittunnel acl are zero matched.

if i try to ping from client some host on inside network,

nothing appears on stats page on the vpn client.

if i ping from pix to vpn client i see decrypted packet on stats page on client.

no encryption appears to be done on client.

if i try to traceroute from xp client any inside network host, stars appears from first hop..

on my pix i've enabled ipsec-over tcp and

nat-t

where is my mistake?

please help me!

i'm going crazy!!

i attach my pix config.

thanks a lot .

Daniele

Re: Vpn client can'e encrypt packet,VPN up, but no access to ins

zulqurnain — Tue, 12 Dec 2006 16:12:55 GMT

do you think it's possible to post the debug output from following

debug crypto ipsec

debug crypto isakmp

Re: Vpn client can'e encrypt packet,VPN up, but no access to ins

daniele.bertolotti — Tue, 12 Dec 2006 17:58:10 GMT

sorry, but when i start vpn client, I can't see any output on debug!

i make:

term mon

debug crypto ipsec 255

debug crypto isakmp 255

and after:

try to connect, establishing connection, and pinging..

but on pix no output!

BUT after

sh crypto ipsec sa

on pix i have this output:

-----

see attachment!

-----

thanks a lot

Daniele

Re: Vpn client can'e encrypt packet,VPN up, but no access to ins

daniele.bertolotti — Wed, 13 Dec 2006 15:25:59 GMT

i haven't found solutions..

someone can help me?

thanks a lot to evrybody

daniele

Re: Vpn client can'e encrypt packet,VPN up, but no access to ins

daniele.bertolotti — Wed, 13 Dec 2006 16:04:01 GMT

maybe solved!

client versioning problem.

with last version of cisco vpn client (4.8) evrything working well...

thanks a lot

Re: Vpn client can'e encrypt packet,VPN up, but no access to ins

daniele.bertolotti — Thu, 14 Dec 2006 01:07:48 GMT

false!

isn't a client problem, but ip addressing problem.

if xp client is behind nat, nothing work.

if xp client has a public ip, no nat, evry thing workin' correcty..also linux via vpnc .. 🙂

obvioulsy pix has:

nat-t enabled via isakmp nat-traversal 20

command in global configuration, and also

ipsec-over-tcp 10000...

any ideas?

big trouble..

cheers

daniele