
Remote Cisco VPN clients doing VPN

vincent-n
Level 3

Hi all

I've set up Cisco remote VPN clients to be able to connect to the corporate network and I think that this is working fine. I however found that I was not able to connect to the remote clients from the corporate internal network. I suspected that this is because of the personal firewall that came with the Cisco VPN client software. I'm currently using version 4.6.01 of the Cisco VPN client. Things that I would like to do to VPN clients include remote desktop, network drive mappings, etc. Thanks in advance for your comments.

11 Replies

sachinraja
Level 9

Hey Vincent,

Are there any firewalls between your PCs and your external VPN server? If so, you need to open some ports on the firewall: UDP 4500, IP 50&51, UDP 500. Try opening these and let us know.

Raj

There are no firewalls between my VPN client and my firewall. My VPN clients connect directly to my fw. I'm familiar with TCP 50&51, UDP 500 but have no idea what uses UDP 4500. Is it ipsec-nat-traversal?

Did you solve this problem? I would like to know your solution if you did, since I want to do the exact same thing (Remote Desktop or VNC to clients, map drives back to them. Mostly for support).

thanks

5220
Level 4

I am not sure what VPN device you are using.

If it is a PIX, then you need to add a NAT 0 access-list to allow non-translated access between the corporate network and the remote access subnet.

access-list nat_0 permit ip

nat (inside) 0 access-list nat_0

If it is a 3000 series, disable the Client Firewall settings for the group and make sure you have no firewall on the Group's "General" tab, that will prevent the traffic.

If this helps, please rate.

Daniel

Thanks for the information.

It is a PIX 515 Firewall, and I do have the nat(inside 0) statement in place, with access lists that allow all IP traffic between the two networks.

Any other ideas?

Can you make sure "Stateful Firewall" is not turned off on the VPN client's side?

Also, if they have Windows Firewall, please turn that off as well.

Let me know.

Gilbert

Thanks for your help. After a bit of port scanning, I found that an appropriate port had not been opened on the inside interface, so the traffic couldn't come through.

Thanks for everyone's help.

Wow, brought this post back from the dead.

Really too many variables here, probably better off posting sanitized config.

Wow, it is; this post was brought back from the dead. Since then, I have come across so many issues with the Cisco VPN client. One of the hardest I find has to do with the MTU size set on the client's PC and the ISP, and it has nothing to do with the firewall.

I came across clients that connected to the VPN with no problem at all, but from the client you cannot ping or run any application that requires corporate resources (e.g. Outlook, network drives). To fix the problem, this is what I do:

A. Play around with the MTU size inside "Set MTU" -> Cisco VPN Client -> Set MTU. In some cases, things work with 1300, and at some other premises things only work if the MTU is set to default.

B. If A does not work, log on to the home's router and set the MTU there. Make sure that it matches up with the MTU set on the client's PC.

Thanks everyone again for the replies to my post. I'm sorry that I cannot remember what I did to fix the problem, but I'm pretty certain that I fixed it by going through steps A & B.

What are MTUs? I'm a newbie to the Cisco PIX and I'm having the same problem. My setup is as follows:

vpn client>pix>isa server>exchange server, WS

Any help would be great.

Maximum Transmission Unit.

The size of the IP Packet.

http://en.wikipedia.org/wiki/Maximum_transmission_unit
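
The MTU symptom described in this thread (the tunnel comes up, but full-size application traffic fails) follows from the bytes IPsec adds to every packet. The Python below is an added example, not part of the thread: it computes ESP tunnel-mode overhead, assuming NAT traversal on UDP 4500 and the two cipher profiles shown, since the thread does not say which transforms were in use.

```python
# Added illustration: ESP tunnel-mode overhead arithmetic (RFC 4303 layout).
# Cipher profiles and link MTUs are assumptions, not values from the thread.
from dataclasses import dataclass

OUTER_IP = 20      # outer IPv4 header, no options
NATT_UDP = 8       # UDP header added by NAT traversal (UDP 4500)
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspProfile:
    name: str
    block: int     # cipher block size; also the IV length in CBC mode
    icv: int       # truncated integrity check value length


AES_SHA1 = EspProfile("AES-CBC + HMAC-SHA1-96", block=16, icv=12)
TDES_MD5 = EspProfile("3DES-CBC + HMAC-MD5-96", block=8, icv=12)


def _fixed(profile, nat_t):
    """Bytes added to every packet regardless of payload length."""
    return (OUTER_IP + (NATT_UDP if nat_t else 0) + ESP_HEADER
            + profile.block + profile.icv)


def outer_size(inner, profile, nat_t=True):
    """Size on the wire of one inner IP packet after ESP encapsulation."""
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    padded = -(-(inner + ESP_TRAILER) // profile.block) * profile.block
    return _fixed(profile, nat_t) + padded


def max_inner(link_mtu, profile, nat_t=True):
    """Largest inner packet that still fits in link_mtu without fragmenting."""
    room = link_mtu - _fixed(profile, nat_t)
    return (room // profile.block) * profile.block - ESP_TRAILER


if __name__ == "__main__":
    for mtu in (1500, 1492):          # Ethernet and PPPoE (constructed cases)
        for p in (AES_SHA1, TDES_MD5):
            print(f"link {mtu}, {p.name}: max inner {max_inner(mtu, p)}")
    for inner in (1300, 1500):
        print(f"inner {inner} -> outer {outer_size(inner, AES_SHA1)} bytes")
```

Under these assumptions a 1300-byte inner packet becomes 1376 bytes on the wire and fits both link sizes, while a 1500-byte inner packet becomes 1568 bytes and has to be fragmented or dropped.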
