05-22-2003 10:51 AM - edited 02-21-2020 12:33 PM
I'm trying to get a VPN working, am able to connect to it using XP/W2k (w/o Cisco VPN client -- just Windows VPN). I can access resources from some interfaces but not others. The following is an example of the log message when I try to access a "blocked" resource:
2003-05-22 10:40:46 Local0.Error <pix IP> May 22 2003 10:23:28: %PIX-3-106010: Deny inbound tcp src outside:<VPN client addr>/1106 dst RemoteConnections:<dest addr>/23
I'm used to troubleshooting the error messages when they have an ACL, but this doesn't list one -- it doesn't list what's denying it. I looked the error code up on Cisco's website and it just said that it was denied due to the security policy in place. I added
permit ip any <VPN client IP net> <VPN client IP mask>
and
permit ip <VPN client IP net> <VPN client IP mask> any
to all of the interfaces on the Pix but it just didn't make a difference!
It seems that some interfaces I can access with the client just fine, but others are completely blocked (like the one denied log msg above). I can't access the internet or any resources on the Outside interface either (like pinging 4.2.2.2 or even my gateway router). When I do try, I get the following:
2003-05-22 10:38:18 Local0.Info <Pix IP> May 22 2003 10:20:59: %PIX-6-110001: No route to 4.2.2.2 from <VPN Client IP>
Accessing resources off of the Inside interface is just fine. There are two (Outside and another interface) that I can't access resources through.
Any help you could offer would be more than appreciated!
Thank you in advance,
Tim Clegg
06-05-2003 06:55 AM
Have you checked the bug toolkit for any known issues between VPN client software and W2k/XP?
06-05-2003 07:13 AM
I gave up and opened a TAC case for this issue after not getting any reply. My syslog server was showing that packets from the VPN client were being denied by the Pix, but without any access list specified. It turns out that I'd omitted a couple of static entries for the VPN client IP address subnet. After adding in the needed static entries to all of the interfaces/subnets the clients would need to access, it worked!
The other issue I was experiencing is not being able to access the Internet through the VPN (without using split-tunneling). To have Internet access, I would need to set up a different interface that would be handling the VPN connections (currently the same interface serves Internet access and VPN connections).
Thank you for your response!
Have a good day,
Tim Clegg
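The thread's diagnosis rested on noticing that the denies were %PIX-3-106010 messages (no ACL named) clustered on particular destination interfaces, plus %PIX-6-110001 "No route" messages for Internet destinations. The following script is an added example, not code from the thread or from Cisco, that parses syslog lines in the format shown above and summarises, per destination interface, what the VPN client pool is being denied; the PIX address 192.0.2.1, the pool 10.10.10.0/24 and the sample lines are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Patterns for the two PIX message IDs seen in the thread. 106010 names no ACL:
# the deny comes from interface/translation policy, not from an access-list line.
DENY_RE = re.compile(
    r"%PIX-\d-106010: Deny inbound (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
NOROUTE_RE = re.compile(
    r"%PIX-\d-110001: No route to (?P<dst>[\d.]+) from (?P<src>[\d.]+)"
)

def triage(lines, client_pool):
    """Summarise 106010/110001 events whose source is inside the VPN client pool.

    Returns (denied, noroute):
      denied  -> {dst_interface: sorted list of "proto dst/port"}
      noroute -> sorted list of destinations the PIX reported no route to
    Lines whose source address is outside client_pool are ignored.
    """
    pool = ipaddress.ip_network(client_pool)
    denied = defaultdict(set)
    noroute = set()
    for line in lines:
        m = DENY_RE.search(line)
        if m and ipaddress.ip_address(m["src"]) in pool:
            denied[m["dst_if"]].add(f'{m["proto"]} {m["dst"]}/{m["dport"]}')
            continue
        m = NOROUTE_RE.search(line)
        if m and ipaddress.ip_address(m["src"]) in pool:
            noroute.add(m["dst"])
    return {k: sorted(v) for k, v in denied.items()}, sorted(noroute)

# Constructed sample lines laid out like the thread's syslog output (placeholder addresses).
SAMPLE = [
    "2003-05-22 10:40:46 Local0.Error 192.0.2.1 May 22 2003 10:23:28: %PIX-3-106010: "
    "Deny inbound tcp src outside:10.10.10.5/1106 dst RemoteConnections:10.20.0.7/23",
    "2003-05-22 10:40:49 Local0.Error 192.0.2.1 May 22 2003 10:23:31: %PIX-3-106010: "
    "Deny inbound tcp src outside:10.10.10.5/1107 dst RemoteConnections:10.20.0.8/22",
    "2003-05-22 10:38:18 Local0.Info 192.0.2.1 May 22 2003 10:20:59: %PIX-6-110001: "
    "No route to 4.2.2.2 from 10.10.10.5",
    # Source is not in the VPN pool, so it must not appear in the summary.
    "2003-05-22 10:41:00 Local0.Error 192.0.2.1 May 22 2003 10:23:40: %PIX-3-106010: "
    "Deny inbound tcp src outside:198.51.100.9/4000 dst inside:10.30.0.2/80",
]

if __name__ == "__main__":
    denied, noroute = triage(SAMPLE, "10.10.10.0/24")
    for iface, targets in denied.items():
        print(f"VPN clients denied toward interface {iface}: {', '.join(targets)}")
    print("No route from PIX for:", ", ".join(noroute))
```

Interfaces that appear in the denied summary but not in the no-route list are the ones to check for a missing static/translation entry for the client pool, which is what resolved the original poster's case.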