cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
278
Views
0
Helpful
3
Replies

problem with new vpn clients on pix 515

yeo
Level 1
Level 1

I have several users on an old vpn client. 3.5.1. I know this is old but I have been unable to get the newer versions to connect to my PIX515. I am trying to use 3.5.4 and I am able to get the clients to connect but they can not talk to any thing on our network. For example:

I have 2 machines outside the network on the internet. Neither machine can ping any machine on the inside of our network. If I start up the 3.5.1 client I can ping and use outlook to get to our exchange server. If I start up the 3.5.4 client I can ping machines on the inside but can not use any applicaitons. ???

My configuation looks like this:

access-list 110 permit ip 65.167.124.128 255.255.255.128 192.168.110.0 255.255.255.0

access-list 100 permit ip 65.167.124.128 255.255.255.128 192.168.110.0 255.255.255.0

nat (inside) 0 access-list 100

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup vpn3000 address-pool vpnpool

vpngroup vpn3000 dns-server adc002

vpngroup vpn3000 split-tunnel 110

vpngroup vpn3000 idle-time 1800

vpngroup vpn3000 password ********

Any idea why this setup will work for older clients but not the newer ones.

Thanks,

Kevin

3 Replies 3

murabi
Level 4
Level 4

If you have double checked the configs on the vpn clients and they are the same, I would suggest capturing a sniffer trace on the line to see what is happening to the packets. You may want to contact the TAC if you need help reading the sniffer file.

scanady
Level 1
Level 1

I don't see a WINS or default domain entry here - is this something that you specifically wished to exclude? Could be a basic lookup issue.

vpngroup vpn3000 wins-server xx.xx.xx.xx

vpngroup vpn3000 default-domain ****.com

-src

This looks to be the culprit. I don't understand exactly how this would work for the older clients but not the new ones. As soon as I added the commadn it worked like a charm. Thanks

Kevin