Cisco VPN client & ISDN

r-lemaster
Level 1

Hi there,

My friend has a 1604 router and is trying to access his corp VPN using the Cisco 3000 VPN client v 3.6.3.

He was previously using an ISDN card on a gateway PC (instead of the 1604) and the VPN client worked fine. He has not made any changes to the VPN client settings, and no changes have been made on the upstream VPN concentrator.

The 1604 is now working great for ISDN, but he can't connect to the corp VPN using the VPN client. Regular non-VPN traffic has no problems.

When he tries to connect to the corp VPN, his VPN client says:

"initializing connection
initializing tcp to ..IP/Port ..
initializing tcp to ..IP/Port (backup)
failed to establish tcp connection."

I disabled the IOS firewall (CBAC) and that didn't work. I'm thinking that maybe one of the ACLs on the Dialer map-class is interfering with the VPN setup. Here are the ACLs:

map-class dialer DialClass
access-list 18 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit udp any any eq bootps
access-list 101 deny ip any any
access-list 121 permit icmp any any administratively-prohibited
access-list 121 permit icmp any any echo
access-list 121 permit icmp any any echo-reply
access-list 121 permit icmp any any packet-too-big
access-list 121 permit icmp any any time-exceeded
access-list 121 permit icmp any any traceroute
access-list 121 permit icmp any any unreachable
access-list 121 deny ip any any
dialer-list 1 protocol ip permit

Anyone got any ideas why his VPN client can't connect?

Thanks for your time.

Full config attached.


7 Replies

dbellaze
Level 4

One of the possible issues here could be NAT/PAT. Are the VPN Client and the upstream VPN Concentrator configured for NAT-T? If not, this could be your problem. You will either have to enable NAT-T or do some static NAT translations for the IPSec ports on the router for the workstation with the VPN Client.

There should be a log window you can enable on the VPN Client that could provide some info, and there should be a log on the VPN Concentrator.

Here is a link on configuring NAT-T on the client.

http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/3_6/admin_gd/vcach1.htm#wp1172854

Here is a link for NAT-T on the Cisco 3000 Series Concentrator.

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_0/config/tunnel.htm#1029463

Daniel

Thanks Daniel, but he was using NAT before with the VPN client behind a gateway PC with an ISDN modem, so I don't think that's it.

I appreciate your time though.

Shouldn't your dialer-list 1 protocol ip permit (last line) read dialer-list 1 protocol ip list [relevant access-list number] instead? Otherwise it is not associated with any access list - i.e. the three different access lists (18, 101 and 121) do not apply, which means your connectivity problem will not be an ACL issue...

Try re-installing the client, or better still, upgrading the client, I think we are up to version 4.6.x now. Just remember to copy the .pcf file that has the settings before doing anything and place it back in the "profiles" folder when you are done.

Good luck,

Josef.
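Josef's point is that the posted lists were never applied, so they could not be the cause. The Python below is an added illustration, not code from this thread or from Cisco: it evaluates ACL 121 exactly as posted, the way IOS would if it were applied inbound on the dialer interface, and shows that it would pass ICMP (which is why ordinary traffic and pings look fine) but drop every IPsec flow (ISAKMP UDP/500, NAT-T UDP/4500 and ESP) until matching permits are added. The concentrator address 203.0.113.10, the client address 192.168.1.5 and the three added permit lines are assumptions; the parser covers only the ACL syntax that appears on this page.

```python
import ipaddress

# Constructed for this thread: ACL 121 as posted, and the same list with the permits an
# IPsec client behind the router needs. 203.0.113.10 is a made-up concentrator address.
ACL_121_POSTED = """
access-list 121 permit icmp any any administratively-prohibited
access-list 121 permit icmp any any echo
access-list 121 permit icmp any any echo-reply
access-list 121 permit icmp any any packet-too-big
access-list 121 permit icmp any any time-exceeded
access-list 121 permit icmp any any traceroute
access-list 121 permit icmp any any unreachable
access-list 121 deny ip any any
"""
ACL_121_FIXED = """
access-list 121 permit udp host 203.0.113.10 any eq 500
access-list 121 permit udp host 203.0.113.10 any eq 4500
access-list 121 permit esp host 203.0.113.10 any
""" + ACL_121_POSTED.lstrip()

def _addr(tok):
    t = tok.pop(0)                      # 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'
    if t == "any":
        return None
    net = tok.pop(0) if t == "host" else f"{t}/{tok.pop(0)}"   # IOS wildcard == hostmask
    return ipaddress.ip_network(net, strict=False)

def parse_acl(text):
    entries = []                        # (action, proto, src, dst, dest port or ICMP type)
    for line in text.strip().splitlines():
        tok = line.split()[2:]          # drop 'access-list <number>'
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _addr(tok), _addr(tok)
        qual = int(tok[1]) if tok[:1] == ["eq"] else (tok[0] if tok else None)
        entries.append((action, proto, src, dst, qual))
    return entries

def lookup(acl, proto, src, dst, qual=None):
    # First matching entry wins; no match means the implicit deny at the end of every ACL.
    for action, eproto, esrc, edst, equal in parse_acl(acl):
        if (eproto in ("ip", proto) and (equal is None or equal == qual)
                and (esrc is None or ipaddress.ip_address(src) in esrc)
                and (edst is None or ipaddress.ip_address(dst) in edst)):
            return action
    return "deny"

def check(acl):
    # Return traffic from the concentrator to the client PC (192.168.1.5, constructed).
    flows = {"isakmp": ("udp", "203.0.113.10", "192.168.1.5", 500),
             "nat-t": ("udp", "203.0.113.10", "192.168.1.5", 4500),
             "esp": ("esp", "203.0.113.10", "192.168.1.5", None)}
    return {name: lookup(acl, *flow) for name, flow in flows.items()}
```

`check(ACL_121_POSTED)` returns deny for all three flows while `check(ACL_121_FIXED)` returns permit; ICMP echo-reply is permitted by both, matching the symptom of a VPN that fails while everything else works.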

Thanks Josef, we'll give it a shot and report back.

Thanks for pointing out that the ACLs weren't applied.

I disabled CBAC and reloaded and now his VPN client works. I didn't think you had to reload for changes to take place, but live and learn.

I'm still fussing with it a bit, but I think it was CBAC. Now, I've got to find which CBAC rules denied IPSec traffic through to his VPN client.

Thanks for your help!

Could you direct me to a resource or link that will help me configure CBAC to allow a VPN client behind it to connect? I can't find this on CCO.

Could you direct me to a resource or link that will help me configure CBAC to allow a VPN soft client behind it to connect? I can't find this on CCO.