PIX 501 and VPN

tpo
Level 1

I know about Microsoft VPN, but I am new to Cisco PIX firewalls and need help.

The scenario looks like this:

VPN-Client

|

|

Internet

|

|

Cisco 827 Router, IP outside: public IP

|

PIX 501 firewall, IP inside: 192.168.1.1

|

Windows 2000 IAS-Server (RADIUS), 192.168.1.2

The ISP has configured the 827 router and PIX 501 firewall.

I have configured the RADIUS server.

The VPN-client is authenticated by the IAS-Server, but is not able to connect to any network resources on network 192.168.1.0

On the VPN-client I see that the client IP is 172.16.1.1 and the Server IP is the Cisco 827 router's outside public IP.

I suppose the error is that the client and server IPs are not part of the internal network.

10 Replies

kdurrett
Level 3

Here's a link for what you are trying to do: http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html

"I suppose that the error is the client and server IP that is not part of the internal network." Actually this is the way it should be, as the PIX will not proxy ARP for assigned client IP addresses when they are on the same subnet. So you need to have them on different ranges. If you are getting an IP address, I guess you are connected. If not, we can take a different approach. But assuming that you are, you need to test your connectivity, for instance by pinging. So ping the IAS server or something else, and take a look at your encrypts on your client to see if you are getting any. If you are, take a look at the PIX to see if you are getting decrypts/encrypts with the command "show crypto ipsec sa". You might have to weed through the info to find your connection. If you get encrypts on the client and decrypts on the PIX but no encrypts, then you have a NAT issue or a routing issue (like a wrong default gateway). Usually NAT is the issue. Feel free to post your "show crypto ipsec sa" from the PIX if you need help reading it.

Kurtis Durrett

Hi Kurtis Durrett

Thanks for your response.

I get connected, encryption 3DES

I can't ping anything, neither the IAS-Server nor the Cisco 827 Router, while connected. I can ping the Cisco 827 Router while not connected.

I am at home at the moment, local time: 20:26, so I am not able to post any "show crypto ipsec sa" before tomorrow.

Regards

Thomas Olsen

Warm and fuzzies. So are you getting encrypts at least on your client side? Double click with your mouse on the connection icon it creates when you connect to bring up the stats for your session. Do you see packets being encrypted at least on your client when you ping?

I can't make any client connections from my current location. I will return tomorrow.

Regards

Thomas Olsen

Hi, here is some "print out" from the VPN Client.

VPN Client version 3.5.3 (Rel)

Initializing the connection...

Contacting the gateway at 62.79.x.x...

Authenticating user...

Negotiating security policies...

Securing communication channel...

Your link is now secure...

Logging onto the network....

No domain server available to validate your password.

You may not be able to gain access to some network resources.

C:\>ping 62.79.x.x /t

Pinger 62.79.xx med 32 byte data:

Svar fra 62.79.x.x: byte=32 tid=34ms TTL=255

Svar fra 62.79.x.x: byte=32 tid=41ms TTL=255

Svar fra 62.79.x.x: byte=32 tid=34ms TTL=255

VPN Client Statistics:

Bytes in: 720

Bytes out: 11882

Packets decrypted: 12

Packets encrypted: 84

Packets bypassed: 29

Packets discarded: 27

Secured routes:

Network Subnet Mask Bytes

0.0.0.0 0.0.0.0 6840

62.79.x.x 255.255.255.255 1608

Local LAN routes:

Grayed out.

Regards

Thomas Olsen

So it looks like you are connecting, but you will need to test by pinging your internal network of 192.168.1.0/24 and not the outside address.

Svar fra 62.79.x.x: byte=32 tid=34ms TTL=255

Svar fra 62.79.x.x: byte=32 tid=41ms TTL=255

Svar fra 62.79.x.x: byte=32 tid=34ms TTL=255

Try pinging your PDC. You are getting packets encrypted and decrypted:

Packets decrypted: 12

Packets encrypted: 84

which means your client is sending and receiving traffic from your destination network. Once we settle whether you can or cannot ping the internal network, we can work on your real problem, which is:

No domain server available to validate your password.

You may not be able to gain access to some network resources.

Which means you didn't log on to the domain and you will not be able to access your domain resources, which is what your original problem was. Which was "not able to connect to any network resources on network". If you settle that you can ping your PDC, then move on to logging onto the domain. If you are on XP, NT4 or WIN2k you will need to use start before logon. So before you log on to your PC, you will need to bring up your VPN connection. Once that's established, you can then log on to your PC. This is the fix, you need to get logged on. There are several reasons why you can't, but one step at a time, or you can call TAC and get someone to walk you through it over the phone.

Kurtis Durrett

Hi Kurtis Durrett

I can't ping anything on network 192.168.1.0; that's the main problem.

Regards

Thomas Olsen

What we need to determine is which side the problem is on. When you ping 192.168.1.2, not the PIX inside IP, do your encrypted packets on the client go up? Do you get decrypted packets on the PIX? Issue a "show crypto ipsec sa" on the PIX. If you are getting decrypted packets on the PIX and the counter is going up as you ping (not in real time; reissue the command), then you have a NAT or routing issue and we can focus on the PIX side. If you aren't getting decrypted packets on the PIX we can focus on the client side, going from the PC to the ISP to the PIX, and track the issue down. Some ISPs out there actually block the ESP protocol, which is what IPsec uses to communicate, considering it a business service and an additional charge. Geez. Like I said though, if you are getting decrypts on the PIX we can eliminate all that and go straight to the PIX side.

Kurtis
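The isolation procedure Kurtis describes (compare the client's encrypted/decrypted counters with the PIX's encaps/decaps counters, sampled before and after a burst of pings) can be written down as a small script. This is an added example, not code from the thread or from Cisco; the `show crypto ipsec sa` text below is constructed and modelled on the PIX 6.x counter lines, the counter values are invented, and the outside address is a documentation placeholder.

```python
"""Apply the thread's tunnel-isolation logic to counter snapshots (added example)."""
import re

# One block per SA in 'show crypto ipsec sa'; only the encaps/decaps packet counters matter here.
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

# Constructed snapshots, modelled on PIX 6.x output (not the counters Thomas actually saw).
PIX_BEFORE = """\
interface: outside
    Crypto map tag: tiscali, local addr. 203.0.113.2

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify 12
"""
PIX_AFTER = PIX_BEFORE.replace("decaps: 12, #pkts decrypt: 12, #pkts verify 12",
                               "decaps: 40, #pkts decrypt: 40, #pkts verify 40")

# Constructed values read off the client's statistics window before and after the pings.
CLIENT_BEFORE = {"encrypted": 84, "decrypted": 12}
CLIENT_AFTER = {"encrypted": 112, "decrypted": 12}

EXPLANATION = {
    "client": "client never encrypted the pings: check the client's secured routes / client side",
    "path-to-pix": "client encrypts but the PIX decrypts nothing: ESP is lost between client, ISP and PIX",
    "pix-inside": "PIX decrypts but never encrypts a reply: NAT exemption or inside routing (default gateway)",
    "path-to-client": "PIX encrypts replies the client never decrypts: return path problem",
    "tunnel-ok": "traffic flows both ways; the problem is above the tunnel (e.g. domain logon)",
}


def sa_counters(show_output):
    """Sum encaps/decaps over every SA block in a 'show crypto ipsec sa' snapshot."""
    totals = {"encaps": 0, "decaps": 0}
    for name, value in COUNTER_RE.findall(show_output):
        totals[name] += int(value)
    return totals


def diagnose(client_before, client_after, pix_before, pix_after):
    """Classify where the tunnel breaks using only the deltas between the two snapshots,
    so that counters left over from earlier sessions do not mislead the verdict."""
    c_enc = client_after["encrypted"] - client_before["encrypted"]
    c_dec = client_after["decrypted"] - client_before["decrypted"]
    p_dec = pix_after["decaps"] - pix_before["decaps"]
    p_enc = pix_after["encaps"] - pix_before["encaps"]
    if c_enc == 0:
        return "client"
    if p_dec == 0:
        return "path-to-pix"
    if p_enc == 0:
        return "pix-inside"
    if c_dec == 0:
        return "path-to-client"
    return "tunnel-ok"


if __name__ == "__main__":
    verdict = diagnose(CLIENT_BEFORE, CLIENT_AFTER, sa_counters(PIX_BEFORE), sa_counters(PIX_AFTER))
    print(verdict, "-", EXPLANATION[verdict])
```

With the constructed numbers the client's encrypt counter and the PIX's decaps counter both rise by 28 while the PIX's encaps counter stays at 0, which is the "decrypts but no encrypts" case Kurtis maps to a NAT or routing problem on the inside.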

Hi Kurtis

I can't ping the internal network (192.168.1.0).

Take a look at this:

Scenario:

Cisco VPN Client 3.5

|

|

|

Internet

|

|

|

Cisco 827 router. IP Inside: 62.79.93.x

|

|

Cisco PIX 501. IP Inside: 192.168.1.1 /24. IP Outside: 62.79.93.y

|

|

------- 192.168.1.0 -------- (I want VPN access to this network)

|

Windows 2000 Server, IAS (RADIUS), DC, WINS, DNS. IP: 192.168.1.2 /24

PIX configuration: (write terminal)

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx encrypted

passwd xxx encrypted

hostname xxx

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list acl_out permit icmp any any

access-list 101 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside 62.79.93.y 255.255.255.252

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool 172.16.1.1-172.16.1.5

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group acl_out in interface outside

route outside 0.0.0.0 0.0.0.0 62.79.93.x 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server radius protocol radius

aaa-server sbs.sbs.local protocol radius

aaa-server sbs.sbs.local (inside) host 192.168.1.2 xxx timeout 5

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set super esp-3des esp-m

crypto dynamic-map dynmap 10 set transform-set

crypto map tiscali 10 ipsec-isakmp dynamic dynm

crypto map tiscali client configuration address

crypto map tiscali client authentication sbs.sb

crypto map tiscali interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup vpn3000 address-pool ippool

vpngroup vpn3000 dns-server 212.54.64.170

vpngroup vpn3000 idle-time 1800

vpngroup vpn3000 password ********

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:xxx

Can you see anything wrong?

Regards

Thomas Olsen
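The points raised so far in the thread (client pool on a different subnet from the inside network, a `nat (inside) 0` exemption whose ACL covers inside-to-pool traffic, `sysopt connection permit-ipsec`, a crypto map bound to the outside interface, and references that survived the paste intact) can be checked mechanically against a PIX 6.x configuration. The script below is an added example, not code from the thread or from Cisco. Its sample config is a constructed excerpt modelled on the one Thomas posted, with the two lines that look chopped reproduced as posted and the outside address left out; the check names and messages are my own.

```python
"""Sanity-check the remote-access VPN plumbing of a PIX 6.x config (added example)."""
import ipaddress

# Constructed excerpt modelled on the posted config; the 'set transform-set' and
# 'dynamic dynm' lines are reproduced exactly as they appeared in the paste.
SAMPLE_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
ip local pool ippool 172.16.1.1-172.16.1.5
access-list acl_out permit icmp any any
access-list 101 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set super esp-3des esp-m
crypto dynamic-map dynmap 10 set transform-set
crypto map tiscali 10 ipsec-isakmp dynamic dynm
crypto map tiscali interface outside
vpngroup vpn3000 address-pool ippool
"""


def parse_config(text):
    """Pull out only the statements the checks below need."""
    cfg = {"inside": None, "pools": {}, "acls": {}, "nat0_acl": None, "permit_ipsec": False,
           "transform_sets": set(), "dynamic_maps": {}, "crypto_maps": {},
           "map_on_outside": None, "truncated": []}
    for raw in text.splitlines():
        line = raw.strip()
        t = line.split()
        if line.startswith("ip address inside "):
            cfg["inside"] = ipaddress.ip_interface(f"{t[3]}/{t[4]}").network
        elif line.startswith("ip local pool "):
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif line.startswith("access-list ") and len(t) >= 8 and t[2:4] == ["permit", "ip"]:
            cfg["acls"].setdefault(t[1], []).append(
                (ipaddress.ip_network(f"{t[4]}/{t[5]}"), ipaddress.ip_network(f"{t[6]}/{t[7]}")))
        elif line.startswith("nat (inside) 0 access-list "):
            cfg["nat0_acl"] = t[4]
        elif line == "sysopt connection permit-ipsec":
            cfg["permit_ipsec"] = True
        elif line.startswith("crypto ipsec transform-set "):
            cfg["transform_sets"].add(t[3])
        elif line.startswith("crypto dynamic-map ") and "transform-set" in t:
            names = t[t.index("transform-set") + 1:]   # empty if the line was cut off
            if not names:
                cfg["truncated"].append(line)
            cfg["dynamic_maps"][t[2]] = names
        elif line.startswith("crypto map ") and "ipsec-isakmp" in t and "dynamic" in t:
            i = t.index("dynamic")
            cfg["crypto_maps"][t[2]] = t[i + 1] if len(t) > i + 1 else None
        elif line.startswith("crypto map ") and len(t) > 4 and t[3] == "interface":
            cfg["map_on_outside"] = t[2] if t[4] == "outside" else cfg["map_on_outside"]
    return cfg


def check_remote_access_vpn(text):
    """Return a list of findings; an empty list means the basic plumbing looks right."""
    cfg = parse_config(text)
    findings = []
    inside = cfg["inside"]
    if inside is None:
        findings.append("no 'ip address inside' statement found")
    # Clients must not be handed addresses from the inside subnet (PIX will not proxy-ARP for them).
    for name, (lo, hi) in cfg["pools"].items():
        if inside and (lo in inside or hi in inside):
            findings.append(f"pool {name} overlaps inside subnet {inside}")
    # Inside-to-client traffic must be exempted from NAT, or replies are translated and lost.
    if cfg["nat0_acl"] is None:
        findings.append("no 'nat (inside) 0 access-list' statement (NAT exemption) for VPN clients")
    else:
        rules = cfg["acls"].get(cfg["nat0_acl"], [])
        for name, (lo, hi) in cfg["pools"].items():
            if inside and not any(inside.subnet_of(src) and lo in dst and hi in dst for src, dst in rules):
                findings.append(f"NAT exemption ACL {cfg['nat0_acl']} does not cover inside -> pool {name}")
    if not cfg["permit_ipsec"]:
        findings.append("missing 'sysopt connection permit-ipsec'")
    if cfg["map_on_outside"] is None:
        findings.append("no crypto map bound to the outside interface")
    for line in cfg["truncated"]:
        findings.append(f"incomplete statement (chopped in the paste?): '{line}'")
    for cmap, dyn in cfg["crypto_maps"].items():
        if dyn not in cfg["dynamic_maps"]:
            findings.append(f"crypto map {cmap} references unknown dynamic-map '{dyn}'")
    for dyn, sets in cfg["dynamic_maps"].items():
        for ts in sets:
            if ts not in cfg["transform_sets"]:
                findings.append(f"dynamic-map {dyn} references unknown transform-set '{ts}'")
    return findings


if __name__ == "__main__":
    for finding in check_remote_access_vpn(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

On the sample the pool, NAT exemption, `sysopt` and crypto-map binding all pass; the only two findings are the dynamic-map line with no transform-set name and the crypto map pointing at `dynm` rather than `dynmap`, which is consistent with those lines having been chopped in the paste rather than with a real configuration fault.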

Thomas,

The configuration looks fine, other than some part of the config got chopped a little, but that's probably just from the cut and paste.

Do a clear xlate, write mem, and reload on the PIX, and reboot your Microsoft server. Connect to the PIX. Ping from the client to 192.168.1.2. Do a "show crypto ipsec sa" on the PIX and post that information.

Kurtis Durrett