Can't get vpn client to work with vpn router - Please help...

f.yeoh
Level 1

Hello Everybody...

This is the first time I'm using this. Appreciate if anyone can help. Thanks..

Objective: Log on to the Intranet to access LAN servers from home. This is a temporary solution until my 3015 concentrator arrives.

I set up my Cisco VPN client (ver 4.6) to connect to a VPN router (2621). I followed the setup instructions on the web site but can't ping my servers no matter how I try.

I'm able to log on to the VPN router and get authenticated with the configured RADIUS server. I'm able to obtain the IP address, DNS, and WINS IP issued by the VPN router. I'm also able to ping the VPN router gateway (inside interface) and the LAN router interface IP (same subnet). But somehow I just can't ping any of the LAN servers (also on the same subnet).

I've also added a static route on the LAN router to point to the VPN router (although it is not necessary as there is already a default route) for traffic to the VPN client, but this also doesn't help.

I would really appreciate it if someone here can enlighten me.

Thank You in advance...

12 Replies

sachinraja
Level 9

hi yeoh,

As I understand it, you have 2 routers, one for terminating the VPN clients and the other having the internal LAN... am I right? If you are able to connect to the VPN, but not able to ping the inside servers, there must be some problem in routing. Check the following:

1) make sure there are routes for the IP pool on the server to reach the vpn connected IP.

2) make sure there is a route on the LAN router to reach the IP pool.

3) Are there any internal firewalls on the servers which block the ICMP access?

please let us know..

Raj

Hi Raj

Thanks for your quick response...

Yes, you're right. The client connects to the VPN router from the Internet. There is a LAN router connected on the same subnet as the VPN router.

Answers to your questions.

1) The server's default gateway is the LAN router, and the LAN router has a default route to the VPN router where the VPN client is connected.

2) As above, the default route will take care of the route to reach the IP pool. I did also add a static route to "ensure", but it still doesn't work...

3) No, there isn't... It's a basic single LAN segment. I can ping the server from the VPN router console.

Hope the above can be of some help...

ehirsel
Level 6

Aside from ICMP, is your VPN client able to properly query DNS and/or WINS servers? What about using telnet or other services (web, FTP)? Are you able to successfully try access methods that do not rely on ICMP?

The reason I ask is that the VPN client may be configured to not reply to or forward ICMP requests. There are one or two parameters in the vpnclient.ini relating to ICMP and I do not know whether ICMP is blocked by default or not (though I believe that it is with the newer VPN clients - 4.x and 4.6.x).

So if you haven't already done so, try methods other than ICMP to see if you can reach your servers.

Let me know what you find.

Hi ehirsel

Thanks for your quick response...

To answer your questions.

1) The VPN client was able to obtain the IP address, DNS and WINS server IP address. However, the client cannot reach these servers at all, be it ping or DNS query.

2) Besides ping and DNS, I also tried to telnet but without success. A very strange thing is I can't even telnet to the VPN gateway (inside interface) and the LAN router gateway (same subnet as the VPN gateway) although I can ping both of them.

3) I'm using the same VPN client to log on to one of my Cisco 3015s, and it works perfectly fine... I can explore the entire LAN (another network from a different site).

I am totally LOST...

Good Day to All...

Please post the router config here. It will be of use for me to help you fix your issue.

Please run this test on a VPN client:

1. Run ipconfig /all and post the results here (including the DNS connection suffix info).

2. Run nslookup in a command window. Try an unqualified name (server-x) and try a qualified name (server-x.org) and post those results here too.

Hi ehirsel

Here come the files... (confidential please)

Need to go home for my dinner. It's past midnight now...

Hope you can help me... Thanks...

Have a nice day

I believe that your issue lies with NAT. Specifically, you do not bypass NAT for VPN users, so what's happening is that the server address is xlated as it crosses your NAT inside to your NAT outside interface.

You need to adjust ip access-list extended CNT-NAT-List to bypass NAT for VPN clients, which can be identified from pool rspool - 10.135.207.200 10.135.207.220. To make the ACL easier, redefine your pool to something like 10.135.207.193 to 10.35.207.222 so that it can be referred to as 10.135.207.192/255.255.255.224.

So the first line in your cnt-nat-list can read as follows:

deny ip any 10.135.207.192 255.255.255.224

Let me know how this works.

Hi ehirsel

Yes, it WORKS... after I added

deny ip any 10.135.207.192 0.0.0.31

You're Wonderful.... Thank You so much...

However, another related problem still bugging me is the VPN client. I can't figure out why I can only use "IPSEC over UDP" to log on to my VPN router. When I tried to use "IPSEC over TCP", it always gives me an error (error screen attached).

I've added

permit ip any any

permit gre ...

permit tcp ...

permit esp ...

... on the outside interface of my VPN router but it still doesn't work. I even removed the whole "access-group" without any luck...

Have I missed out anything?

Hi yeoh,

IOS does not support IPsec over TCP yet.

You cannot run VPN over port 443 (SSL VPN) with a router either.

You should go for a 3k series concentrator or wait for a newer version of IOS or PIX code.

Hope this helps... rate replies if found useful...

Raj

Hi Raj

Thanks again for your reply...

In that case, is it possible to predefine one UDP port number, or a range, for the VPN client to use to log on...? To reduce security exposure...

My 3K is going to take around 6 weeks to reach me (SGP).

Have a nice day

The IETF NAT-T standard is to use port 4500. That is, when using NAT-T with IOS, the gateway will listen for connections only on one port: udp/4500. The client source port may be 4500 or it may be any port higher than 1023. UDP port 500 is still used for the initial IKE exchange before traffic traverses port 4500. I do not believe that using NAT-T with UDP introduces any more security risk than using native IKE or having NAT-T use TCP.

Older versions of the Cisco client used to specify a range of ports to be used for NAT-T over UDP and TCP as well, but I believe that the newer clients can only use one port setting - again, this applies only to the destination port.

On the VPN 3000 series, you can use the IETF port or a configurable port for both UDP and TCP, but you are better off just setting it to use only one port.

Let me know if this helps.
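Added example, not from any poster in this thread: a small first-match evaluator for IOS-style extended ACL entries, used to check two points raised above. First, ehirsel's NAT fix: with a NAT ACL that simply permits the LAN, replies from a server to a VPN client in the pool match the permit and get translated; putting a deny for the pool ahead of the permit exempts them, while Internet-bound traffic is still translated. IOS ACLs take wildcard masks (the `0.0.0.31` form yeoh reported working), and the evaluator implements those semantics, so it also shows what happens if a subnet mask is typed where a wildcard belongs. Second, the NAT-T port discussion: an outside-interface ACL that admits only udp/500, udp/4500 and ESP to the gateway address is enough for a NAT-T client whose source port is 4500 or any high port, and anything else falls to the implicit deny. The LAN /24, the server address, the client public address and the gateway's outside address are constructed placeholders; the pool addresses are the ones in the thread. The pre-fix NAT ACL is an assumption, since the actual CNT-NAT-List was never posted.

```python
"""First-match evaluator for IOS-style extended ACL entries (illustrative, not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a set bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass(frozen=True)
class Flow:
    proto: str                     # "udp", "tcp", "esp", "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any protocol
    src: str                       # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W"
    dst: str
    dport: Optional[int] = None    # None = any destination port

    def _addr_ok(self, spec: str, ip: str) -> bool:
        if spec == "any":
            return True
        if spec.startswith("host "):
            return ip == spec.split()[1]
        base, wildcard = spec.split()
        return wildcard_match(ip, base, wildcard)

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if self.dport is not None and f.dport != self.dport:
            return False
        return self._addr_ok(self.src, f.src) and self._addr_ok(self.dst, f.dst)


def evaluate(acl: List[Ace], f: Flow) -> str:
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(f):
            return ace.action
    return "deny"


# --- Point 1: NAT bypass for the VPN pool -----------------------------------
# Pool 10.135.207.192/27 written as IOS base + wildcard (covers .192-.223, so .200-.220 fit).
POOL = "10.135.207.192 0.0.0.31"
# Assumed pre-fix NAT list: translate everything sourced from the LAN /24 (constructed).
NAT_BEFORE = [Ace("permit", "ip", "10.135.207.0 0.0.0.255", "any")]
# After the fix: the deny for the pool must come before the permit.
NAT_AFTER = [Ace("deny", "ip", "any", POOL)] + NAT_BEFORE


def nat_translates(acl: List[Ace], src: str, dst: str) -> bool:
    """True if a server->destination packet would be picked up by 'ip nat inside source list'."""
    return evaluate(acl, Flow("tcp", src, dst)) == "permit"


# --- Point 2: what the outside interface needs to admit for NAT-T clients -----
GW_OUTSIDE = "198.51.100.1"        # placeholder for the 2621's public address
OUTSIDE_ACL = [
    Ace("permit", "udp", "any", f"host {GW_OUTSIDE}", dport=500),    # initial IKE exchange
    Ace("permit", "udp", "any", f"host {GW_OUTSIDE}", dport=4500),   # NAT-T (IETF port)
    Ace("permit", "esp", "any", f"host {GW_OUTSIDE}"),               # native IPsec without NAT
]


def outside_verdict(f: Flow) -> str:
    return evaluate(OUTSIDE_ACL, f)


if __name__ == "__main__":
    server, client = "10.135.207.10", "10.135.207.201"   # constructed server, client in the pool
    print("before fix, server->client translated:", nat_translates(NAT_BEFORE, server, client))
    print("after fix, server->client translated: ", nat_translates(NAT_AFTER, server, client))
    print("after fix, server->Internet translated:", nat_translates(NAT_AFTER, server, "203.0.113.5"))
    print("client high port -> udp/4500:", outside_verdict(Flow("udp", "203.0.113.5", GW_OUTSIDE, 51234, 4500)))
    print("client -> tcp/443:", outside_verdict(Flow("tcp", "203.0.113.5", GW_OUTSIDE, 51234, 443)))
```

The wildcard gotcha is worth a look: `wildcard_match("10.135.207.201", "10.135.207.192", "255.255.255.224")` is False, because as a wildcard that value says the first 27 bits are don't-care and only the last five must equal zero, which is the opposite of the intended /27. The `0.0.0.31` form is the one that matches the pool.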

Hi Raj

I'm trying to rate the messages, and I did it a few times, but it is not reflected on the main Conversation page.

Please advise..