12-14-2001 05:03 PM - edited 02-21-2020 11:32 AM
What do I need to do to get the Cisco VPN Client 3.x to show computers in the remote network neighborhood?
I'm testing it on a Win 98 PC, but need it to work on Win 95, NT, 2000, and XP.
12-15-2001 09:15 AM
For starters make sure "File and Print Sharing" and "Client for MS Networks" are turned on. Hmmmm......seems like that's my answer for everything...go figure
12-18-2001 10:46 AM
File and Printer Sharing is turned on. Client for MS Networks is installed as well, but I still cannot browse the Network Neighborhood. On the PIX, I have:
access-list 101 permit ip 199.0.0.0 255.255.0.0 10.0.252.0 255.255.255.0
Do I also need to permit some UDP ports?
12-18-2001 11:08 AM
On the Windows98 PC are you logging onto the Domain?
12-19-2001 08:31 AM
I was, but now I'm getting "no domain controller was available".
Below is my PIX config:
nj-pix1a(config)# wr t
Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 private security10
enable password 8TtHic.igNQfxtlP encrypted
passwd 8A8GWRAN7wD/EokS encrypted
hostname nj-pix1a
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 20-21
no names
access-list 101 permit ip 199.0.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 199.0.0.0 255.255.0.0 192.100.101.0 255.255.255.0
access-list 101 permit ip 199.0.0.0 255.255.0.0 10.0.254.0 255.255.255.0
access-list 101 permit ip 199.0.0.0 255.255.0.0 10.0.253.0 255.255.255.0
access-list 201 permit ip 199.0.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list 301 permit ip 199.0.0.0 255.255.0.0 192.100.101.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered emergencies
logging trap emergencies
logging history emergencies
logging host inside 199.0.8.6
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 10baset
interface ethernet3 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu private 1500
ip address outside 63.174.66.3 255.255.255.0
ip address inside 199.0.0.30 255.255.255.0
ip address dmz 199.0.1.1 255.255.255.0
ip address private 199.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptppool 10.0.253.1-10.0.253.254
ip local pool ipsecpool 10.0.254.1-10.0.254.254
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 63.174.66.4
failover ip address inside 199.0.0.31
failover ip address dmz 199.0.1.2
failover ip address private 199.1.1.2
failover link private
pdm history enable
arp timeout 14400
global (outside) 1 63.174.66.5 netmask 255.255.255.0
global (dmz) 1 199.0.1.5 netmask 255.255.255.255
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 199.0.1.0 255.255.255.0 0 0
static (dmz,outside) 63.174.66.10 199.0.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 63.174.66.20 199.0.0.197 netmask 255.255.255.255 0 0
static (inside,outside) 63.174.66.123 199.0.0.123 netmask 255.255.255.255 0 0
static (inside,outside) 63.174.66.16 199.0.0.16 netmask 255.255.255.255 0 0
static (inside,outside) 63.174.66.228 199.0.8.228 netmask 255.255.255.255 0 0
static (inside,outside) 63.174.66.252 199.0.8.252 netmask 255.255.255.255 0 0
static (inside,dmz) 199.0.0.0 199.0.0.0 netmask 255.255.255.0 0 0
static (inside,outside) 63.174.66.127 199.0.0.127 netmask 255.255.255.255 0 0
static (inside,outside) 63.174.66.113 199.0.0.113 netmask 255.255.255.255 0 0
static (inside,outside) 63.174.66.231 199.0.0.231 netmask 255.255.255.255 0 0
static (inside,outside) 63.174.66.66 199.0.0.66 netmask 255.255.255.255 0 0
static (inside,outside) 63.174.66.142 199.0.0.142 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 63.174.66.10 eq www any
conduit permit tcp host 63.174.66.20 eq smtp any
conduit permit tcp host 63.174.66.20 eq 135 any
conduit permit tcp host 63.174.66.20 eq 1225 any
conduit permit tcp host 63.174.66.20 eq 1226 any
conduit permit tcp host 63.174.66.20 eq www any
conduit permit udp host 63.174.66.5 eq isakmp any eq isakmp
conduit permit tcp host 63.174.66.5 eq 256 any eq 500
conduit permit esp host 63.174.66.16 any
conduit permit ah host 63.174.66.16 any
conduit permit udp host 63.174.66.16 any
conduit permit tcp host 63.174.66.228 eq 3398 any
conduit permit tcp host 63.174.66.228 range ftp-data ftp any
conduit permit ip host 63.174.66.254 any
conduit permit ip host 63.174.66.252 any
conduit permit tcp host 63.174.66.123 eq 256 any
conduit permit udp host 63.174.66.123 eq isakmp any
conduit permit esp host 63.174.66.123 any
conduit permit ah host 63.174.66.123 any
conduit permit tcp host 199.0.0.197 eq smtp any
conduit permit tcp host 63.174.66.127 eq 1723 any
conduit permit tcp host 63.174.66.113 eq 1723 any
conduit permit gre host 63.174.66.113 any
conduit permit tcp host 63.174.66.231 eq 1723 any
conduit permit gre host 63.174.66.231 any
conduit permit tcp host 63.174.66.66 eq 1723 any
conduit permit gre host 63.174.66.66 any
conduit permit tcp host 63.174.66.142 eq 1723 any
conduit permit gre host 63.174.66.142 any
conduit permit tcp host 63.174.66.123 eq 1723 any
conduit permit gre host 63.174.66.123 any
route outside 0.0.0.0 0.0.0.0 63.174.66.128 1
route outside 192.168.2.0 255.255.255.0 65.101.39.169 1
route inside 199.0.0.0 255.255.0.0 199.0.0.40 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
snmp-server host inside 199.0.8.6
snmp-server location DUR-NJ-US
snmp-server contact Mario Benitez
snmp-server community TUMI-US
snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 10 ipsec-isakmp
crypto map dyn-map 10 match address 201
crypto map dyn-map 10 set peer 65.101.39.169
crypto map dyn-map 10 set transform-set myset
crypto map dyn-map 11 ipsec-isakmp
crypto map dyn-map 11 match address 301
crypto map dyn-map 11 set peer 139.4.21.81
crypto map dyn-map 11 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map client configuration address initiate
crypto map dyn-map client configuration address respond
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 65.101.39.169 netmask 255.255.255.255
isakmp key ******** address 139.4.21.81 netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local ipsecpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup test address-pool ipsecpool
vpngroup test dns-server 199.0.0.127
vpngroup test wins-server 199.0.0.127
vpngroup test default-domain tumi.com
vpngroup test idle-time 1800
vpngroup test password ********
telnet 199.0.0.127 255.255.255.255 inside
telnet 199.0.8.6 255.255.255.255 inside
telnet 199.0.8.41 255.255.255.255 inside
telnet 199.0.0.40 255.255.255.255 inside
telnet 199.0.0.127 255.255.255.255 dmz
telnet 199.0.8.6 255.255.255.255 dmz
telnet 199.0.8.41 255.255.255.255 dmz
telnet 199.0.0.40 255.255.255.255 dmz
telnet 199.0.0.40 255.255.255.255 private
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptppool
vpdn group 1 client configuration wins 199.0.8.3 199.0.0.127
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username MARK password MARK
vpdn username TUMI\PPTPTest password PPTP
vpdn username TUMI_GERMANY\PPTPTest password PPTP
vpdn username GCS-NASHUA password condor
vpdn username TUMI\MARK password MARK
vpdn username SLW\SLW-VPN-PPTP password SLW-VPN-PPTP
vpdn username TUMI-VPN password charliec
vpdn username TUMI\TUMI-VPN password charliec
vpdn enable outside
terminal width 150
Cryptochecksum:50b02a3186e73bb06a100c2f8ce46122
: end
[OK]
Note: I am also trying to support Cisco Secure VPN client 1.1 until we get the new VPN client working.
12-20-2001 08:31 AM
I have the VPN client working (at least on Win98) and browsing the Network Neighborhood. I think the key to browsing the Network Neighborhood is to release the IP address bound to network adapters in the remote PC. In Win 98, there is a registry hack that does this; not sure on Win95, Win2k, or XP. Since I'm not exactly sure what statements are needed in the PIX config, I'm not posting it now. As soon as I figure out which ones are not needed, I'll post a copy of my config.
01-03-2002 12:27 AM
Hi,
Are you able to ping your WINS server through the VPN connection?
Regards,
Ron
04-08-2002 01:16 PM
Your PIX is configured for PPTP. You have listed your outside and inside IPs. Your network topology would not be hard to figure out. You have also listed your PPTP usernames and passwords.
When posting to the Internet, always mask your real IPs and all passwords.
I would consider these passwords compromised, and change them immediately.
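As an added illustration (not part of the thread), a small Python sanitizer for a PIX-style config dump before it is posted: it masks the secret-bearing commands that appear in the config above (enable password, passwd, vpdn username ... password, vpngroup ... password, isakmp key, snmp-server community) and replaces non-private IPv4 addresses with x.x.x.x. The sample config is constructed, with fake values.

```python
import ipaddress
import re

# Constructed sample in the style of the PIX 6.1 dump posted above (fake values).
SAMPLE_CONFIG = """\
enable password 8TtHic.igNQfxtlP encrypted
ip address outside 63.174.66.3 255.255.255.0
ip address inside 10.0.0.30 255.255.255.0
snmp-server community TUMI-US
isakmp key secret123 address 65.101.39.169 netmask 255.255.255.255
vpngroup test password letmein
vpdn username MARK password MARK
static (inside,outside) 63.174.66.20 10.0.0.197 netmask 255.255.255.255 0 0
"""

# Each pattern captures the command prefix (group 1) and the secret (group 2).
SECRET_PATTERNS = [
    re.compile(r"^(enable password|passwd) (\S+)"),
    re.compile(r"^(vpdn username \S+ password) (\S+)"),
    re.compile(r"^(vpngroup \S+ password) (\S+)"),
    re.compile(r"^(isakmp key) (\S+)"),
    re.compile(r"^(snmp-server community) (\S+)"),
]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_routable(addr):
    """True for addresses that are neither RFC 1918 nor reserved/mask-like."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_reserved or ip.is_loopback
                or ip.is_link_local or ip.is_multicast or ip.is_unspecified)


def sanitize_line(line):
    # Mask the secret, keep any trailing keywords such as "encrypted" or "address ...".
    for pat in SECRET_PATTERNS:
        m = pat.match(line)
        if m:
            line = f"{m.group(1)} ********" + line[m.end():]
            break
    # Netmasks (255.x, 0.0.0.0) are reserved/unspecified and therefore left alone.
    return IPV4.sub(lambda m: "x.x.x.x" if is_routable(m.group(1)) else m.group(1), line)


def sanitize_config(text):
    return "\n".join(sanitize_line(l) for l in text.splitlines())
```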
04-11-2002 04:41 AM
Thank you for telling me.
12-28-2001 05:35 AM
hmm... if I recall correctly, I had to allow UDP ports 137, 138 and 139 on my PIX some time ago...to make this work...
Not too sure now, since it's been some time since I've worked on this part.
01-03-2002 05:36 AM
Since Network Neighbourhood uses NetBIOS broadcasts for name resolution and for locating the computers within its reach, you may need to allow this protocol. Remember the master browser stuff and all that.
Try allowing netbios protocols by allowing protocols 137, 138 and 139 as the last post said.
0.02 Cent
Oletu
01-03-2002 10:23 AM
Also make sure you have "Client for MS Networks" and "File and Print Sharing" on
01-04-2002 12:01 PM
I have succeeded in getting the VPN client to work on Win95, Win98, and XP; haven't tried on Win2k yet, don't expect any problems.
To browse the network, the VPN client must be able to route to the PDC (domain master browser); I had a routing issue preventing that at first; once I fixed that, browsing was not a problem.
I did not set up any new conduits for UDP ports (see my previously posted config) so I don't think they are necessary. Perhaps this is because I have a WINS server on the segment that the VPN client connects to. My PDC is also a WINS server.
There are a few kinks to getting the VPN client to work that Cisco doesn't mention in their documentation. I already mentioned the Win 95/98 registry hack to release DHCP leases at shutdown. On XP, you must set the DUN entry for use by anyone or you can't select it in the VPN client. To browse the network, you must manually enable Client for MS Networks. You also have to go into the Internet Protocol (TCP/IP) advanced properties and enable NetBios over TCP. The default settings on these two are off. It would be nice if Cisco would include this info in their documentation (hint, hint).
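As an added check (not from the thread), a Python script that parses the address pools and the NAT-exemption ACL out of a PIX config: the VPN client's pool must appear as a destination in the ACL referenced by `nat (inside) 0 access-list`, otherwise return traffic from the inside segment (PDC, WINS) is translated by the `nat (inside) 1` rule instead of going back through the tunnel, which looks exactly like the routing problem described above. The excerpt is constructed in the style of the posted config; `testpool` is a made-up pool deliberately left out of the ACL.

```python
import ipaddress
import re

# Constructed excerpt modelled on the PIX 6.1 config posted in this thread
# (RFC 1918 stand-in for the inside network; testpool is intentionally unexempted).
SAMPLE = """\
access-list 101 permit ip 10.10.0.0 255.255.0.0 10.0.254.0 255.255.255.0
access-list 101 permit ip 10.10.0.0 255.255.0.0 10.0.253.0 255.255.255.0
ip local pool pptppool 10.0.253.1-10.0.253.254
ip local pool ipsecpool 10.0.254.1-10.0.254.254
ip local pool testpool 10.0.252.1-10.0.252.254
nat (inside) 0 access-list 101
"""

POOL = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
NAT0 = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
ACE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")


def parse(text):
    """Collect pools, permit-ip ACEs per ACL, and which ACL each interface uses for nat 0."""
    pools, acls, nat0 = {}, {}, {}
    for line in text.splitlines():
        if m := POOL.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
        elif m := ACE.match(line):
            # PIX ACLs use dotted netmasks; ipaddress accepts "net/mask" form.
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            acls.setdefault(m.group(1), []).append((src, dst))
        elif m := NAT0.match(line):
            nat0[m.group(1)] = m.group(2)
    return pools, acls, nat0


def unexempted_pools(text, iface="inside"):
    """Names of pools whose whole range is not a destination in the interface's NAT-0 ACL."""
    pools, acls, nat0 = parse(text)
    aces = acls.get(nat0.get(iface, ""), [])
    bad = []
    for name, (lo, hi) in pools.items():
        if not any(lo in dst and hi in dst for _, dst in aces):
            bad.append(name)
    return sorted(bad)
```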
04-08-2002 11:33 AM
Hi,
Quick question. By enabling these ports, would that make you more susceptible to DoS attacks?
Gene
01-16-2002 10:39 PM
We run a pure TCP/IP network, do not have any MS BIOS protocol running, and do not have any of the ports open that have been posted in this mail list (I would not open them for security reasons).
We use a CISCO VPN 3005 w/triple-des. If you contact me directly I would be more than happy to share some of our setup.