VPN Client 3.51 to PIX 515 6.1.2

asafayan · ‎03-13-2002

I have configured this remote VPN solution per CCO article: http://www.cisco.com/warp/customer/110/pix3000.html

The client connects and establishs the secure channel and gets assigned the first address in my pool configured on the PIX. But I cannot ping any resources on the internal network.

I am familiar with VPN Client to VPN Concentrator configuration. On the VPN concentrator you configure authentication via local database OR NT Domain OR RADIUS server. My question is...where does the PIX tell the client how to authenticate?

When the VPN client connects to the PIX, I am not prompted to authenticate. Yet my debug crypto isakmp sa and debug crypto ipsec sa shows correct tunnel establishment and the client is assigned a pool address. I will add that the network on the LAN or INSIDE interface of the PIX is running in WORKGROUP mode, not a DOMAIN and there is not WINS server configured in the WORKGROUP. But regardless of whether I am properly resolving NetBIOS names, I can't even establish PING reachability from the VPN client to LAN or INSIDE resources.

r-remien · ‎03-13-2002

2 things to check.

1. Make sure your IP local pool statement does not contain ip addresses in the same subnet as your inside LAN. The PIX will interpret this as spoofing.

2. You need to allow icmp out of your inside LAN.

Example:

Inside subnet = 10.1.1.0

VPN client subnet = 192.168.1.0

inside interface access-list name = outbound

Add to Pix

access-list outbound permit icmp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

You can use local authentication on the PIX or radius authentication (via IAS on Win2k) on your inside LAN. Add aaa and aaa-server to the PIX config.

HTH

RJ

smartnet_cisco · ‎04-23-2002

You must configure a vpngroup.

Example:

vpngroup john password john

Then make the changes in the Client Authentication Tab!

Greetings Maik