10-10-2007 02:33 PM - edited 02-21-2020 01:43 AM
I am pretty desperate for ideas at this point; I've spent almost a week on this and the VPN is still down.
The story unfolds: we just moved all network equipment from a shelving unit to a rack. Some cables may not have been plugged back into their original ports, but I'm about 99% certain all are plugged into the same devices.
There was an operational PPTP VPN setup, which does not work since the "move". The use was: a Windows VPN client connecting to the Cisco 506e, which used RADIUS to authenticate them and then allowed them access to all resources on the LAN. The configuration (a backup from when it was working) is attached.
So, it stops working after the move; users can still connect, however they can't see any network resources. Is this a NAT issue?
I've tried to create a new VPN using the Cisco client and the Cisco PIX wizard, but have a similar problem after connecting: no access to system resources. Any suggestions as to what could have happened?
10-10-2007 03:00 PM
Hardware-wise, I'll lay out the network.
wall --> Modem (DSL) --> in Cisco (Eth 0) | out Cisco (Eth 1) --> D-Link Gigabit switch (switch connected to two other switches, all LAN devices connected to these, or smaller switches connected to these switches)
10-11-2007 05:37 AM
What did your config look like when you tried setting up an IPsec VPN with the Cisco client? Make sure you had "isakmp nat-traversal". One other thing I noticed is that the VPN pool should not be in the same subnet as any other inside subnet. You should make the pool outside the range of 192.168.2.0, 192.168.1.0, 192.168.3.0 etc. This doesn't necessarily explain why your PPTP VPN stopped working but it will give you something to go on.
10-11-2007 09:26 AM
Thanks for the response acomiskey,
Ok, changing the VPN pool range seems to make sense. I moved it to a 'block' of assigned IPs and figured that would be enough. Will moving it off the 192.168.1.0-2.0-3.0 require any other commands to allow it access to the LAN objects, server, desktops, etc?
I'll also check for the isakmp nat-traversal once I go through the Cisco wizard (for Cisco clients).
Thanks again for the feedback,
~Noah
10-11-2007 09:51 AM
Let's say your new pool is 192.168.5.0/24. You will need to update the following line to reflect the change.
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
Also, if you want access to 192.168.1.0 or 192.168.3.0 you would also add...
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
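The two checks discussed in this thread (the VPN pool must not sit inside an inside subnet, and every inside subnet needs a `nat 0` exemption toward the pool) can be run against a saved config. This is an added example, not part of the original posts or the poster's attached backup; the sample config, the pool name `vpnpool` and the `audit` function are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, not the poster's config. The pool name is hypothetical.
SAMPLE = """\
ip local pool vpnpool 192.168.5.1-192.168.5.50
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
"""

def audit(config, inside_subnets):
    """Return findings about the VPN pool and the NAT-exemption ACL."""
    inside = [ipaddress.ip_network(s) for s in inside_subnets]
    pool = re.search(r"^ip local pool \S+ ([\d.]+)-([\d.]+)", config, re.M)
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if not pool or not nat0:
        return ["config lacks an 'ip local pool' or 'nat (inside) 0 access-list' line"]
    # Express the pool's start-end range as CIDR blocks so it can be compared.
    pool_nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(pool.group(1)), ipaddress.ip_address(pool.group(2))))
    # Collect (source, destination) pairs from the ACL that nat 0 references.
    acl_re = re.compile(
        r"^access-list %s permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)"
        % re.escape(nat0.group(1)), re.M)
    exempt = [(ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
              for s, sm, d, dm in acl_re.findall(config)]
    findings = []
    for net in inside:
        # Pool addresses inside a LAN subnet make replies stay on the LAN.
        if any(p.overlaps(net) for p in pool_nets):
            findings.append(f"pool overlaps inside subnet {net}")
        # Without an exemption, replies to VPN clients get translated.
        if not any(net.subnet_of(src) and all(p.subnet_of(dst) for p in pool_nets)
                   for src, dst in exempt):
            findings.append(f"no NAT exemption from {net} to the pool")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE, ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]):
        print(line)
```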
10-11-2007 09:52 AM
I figured it would require something along those lines. Thanks again for the help, and the quick response!
~noah
10-15-2007 09:43 AM
Thank you very much Acomiskey, solved the problems I was having. I hope you have a great week. Thanks again.