1560 Views, 0 Helpful, 14 Replies

VPN access with VPN client problem. Please help

touvue
Level 1

I have a PIX 520 as the device terminating VPN tunnels. I am able to establish an IPsec connection. I verified that I was given an address from the IP pool that I configured, but I cannot get to any resource on the internal network. I could only ping myself. When I run "ipconfig /all" I see my address on the VPN interface with the correct DNS, but my gateway is set to my own address. I think that is the problem. Please help me fix this issue. Let me know if you need more info.


14 Replies 14

Patrick Iseli
Level 7

It is normal that you see your own address as the gateway.

I think you have a Transparent NAT issue. Try adding this command on the PIX and then try again to connect with your VPN client.

isakmp nat-traversal 20

After that, reset the IKE and IPsec SAs, but take care: this will reset all IPsec communication. If you have tunnels open, they will lose their connections.

Do this in non-business hours!

conf t
clear ipsec sa
clear isakmp sa

Details for NAT-T:

isakmp nat-traversal

Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.

The firewall supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps. NAT traversal is disabled by default on the firewall.

To enable NAT traversal, check that ISAKMP is enabled (you can enable it with the isakmp enable if_name command) and then use the isakmp nat-traversal [natkeepalive] command. (This command appears in the configuration if both ISAKMP is enabled and NAT traversal is enabled.) If you have enabled NAT traversal, you can disable it with the no isakmp nat-traversal command. Valid values for natkeepalive are from 10 to 3600 seconds. The default is 20 seconds.

If needed, the show isakmp sa detail command assists in debugging NAT traversal.

isakmp peer fqdn no-xauth | no-config-mode

The isakmp peer fqdn fqdn no-xauth | no-config-mode command is to be used only if the following criteria are met:

•You are using the RSA signatures authentication method within your IKE policy.

•The security gateway and VPN client peers terminate on the same interface.

•The Xauth or IKE Mode Configuration feature is enabled for VPN client peers.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1027312

sincerely

Patrick

Patrick,

Thanks for the tip. The "isakmp nat-traversal 20" command does not exist on the PIX. I did run the two clear commands: ipsec sa and isakmp sa. Can I please send you my config for some assistance and pointers?

Thanks,

Tou

What version of PIX OS are you using ?

Example config:

access-list NONAT permit ip Internalnet ISubnet VPN-Pool 255.255.255.0
access-list DYN-VPN-ACL permit ip Internalnet ISubnet VPN-Pool 255.255.255.0
aaa-server LOCAL protocol local
aaa authentication secure-http-client
sysopt connection permit-ipsec
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address DYN-VPN-ACL
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS
crypto map REMOTE 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map REMOTE client authentication LOCAL
crypto map REMOTE interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ip local pool VPNPool x.y.z.1-x.y.z.254
vpngroup VPNGroup address-pool VPNPool
vpngroup VPNGroup dns-server dns2 dns1
vpngroup VPNGroup default-domain localdomain
vpngroup VPNGroup idle-time 1800
vpngroup VPNGroup password grouppassword
username vpnclient password vpnclient-password

Yes, you can send me your config if you want, to:

mailto:piseli@victrix.ca

sincerely

Patrick

Hello,

If your tunnel is up but you are unable to access resources even by IP address, then most likely you are missing the following command:

sysopt connection permit-ipsec

Please add this, and it should take care of your problem. If NAT-T were needed, your tunnel wouldn't even come up.

Thanks,

Mynul

I do have that command in the config but it is still not working. Is it okay if I send my current config? My email is tvue@lsd.k12.mi.us if I can send it to you so that I can reply back with the config.

Tou

We are running ver. 6.2(2).

I got your mail! But I was too busy today to check your config in detail. At first view everything looks OK.

Could you please test your VPN Client with a dialup connection? Why? If everything works fine with a static public IP from the Internet, then you have troubles with Transparent NAT.

I promise that I will check the config tomorrow.

sincerely

Patrick

Have you checked if the VPN Client is working with a fixed public IP?

Your email server refuses to accept my emails; my message came back. So please provide your feedback in this forum.

sincerely

Patrick

For my testing, I am connecting from a public address. I have attached two files with my debug output from isakmp sa and ipsec sa. Please check them out to see if there is anything that is stopping my VPN connection from working.

Here are some suggestions what you could try to get that working:

1.) Change your "conduits" to access-lists. Conduits are no longer supported by Cisco even if they still work. This will help you to debug your access-lists, as there will be hit counts.

There is a Cisco tool to convert conduits to access-lists:

http://www.cisco.com/cgi-bin/tablebuild.pl/pix?sort=release

Download the: occ-121.zip

PIX Firewall Outbound Conduit Converter Binary version 1.2.1, for Windows

2.) Change your VPN Pool.

ip local pool techvpn 10.x.x.100-10.x.x.120

The problem with that is that you already have a 10.x.x.x subnet in your internal network. The IP pool automatically assigns a 255.0.0.0 subnet mask to the VPN clients. This can cause routing problems. You could use a 172.16.100.x subnet that is not used anywhere.

example:

no vpngroup lsdvpn address-pool techvpn
no ip local pool techvpn
ip local pool techvpn 172.16.100.1-172.16.100.254
vpngroup lsdvpn address-pool techvpn
no access-list inside_outbound_nat0_acl
no access-list outside_cryptomap_dyn_20
access-list inside_outbound_nat0_acl permit ip any 172.16.100.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 172.16.100.0 255.255.255.0
clear ipsec sa
clear isakmp sa

sincerely

Patrick
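The two things Patrick's answer checks by hand (the pool's classful client mask colliding with an existing 10.x subnet, and the nat 0 and crypto ACLs covering the new pool) plus Mynul's `sysopt connection permit-ipsec` point can be turned into a small config linter. The script below is an added example, not from the thread or from Cisco; the two config excerpts are constructed to mirror the "before" and "after" states described above (names and the 10.189.250.96/27 DMZ come from the thread, the other addresses are made up), and the classful-mask rule is the behaviour Patrick describes for PIX 6.x.

```python
"""Lint a PIX 6.x remote-access VPN pool against the rest of the config.

Added example modelled on the thread: the pool must not collide with an
interface subnet once the client applies its classful mask, the nat 0 and
crypto dynamic-map ACLs must cover the whole pool, and
'sysopt connection permit-ipsec' must be present.
"""
import ipaddress

# Constructed "before" config: a 10.x pool inside a 10.x internal network.
BEFORE = """\
ip address inside 10.189.1.1 255.255.0.0
ip address dmz 10.189.250.97 255.255.255.224
ip local pool techvpn 10.189.5.100-10.189.5.120
access-list inside_outbound_nat0_acl permit ip any 10.189.5.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.189.5.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
sysopt connection permit-ipsec
vpngroup lsdvpn address-pool techvpn
"""

# Constructed "after" config applying the accepted answer (unused 172.16.100.x pool).
AFTER = BEFORE.replace("10.189.5.100-10.189.5.120", "172.16.100.1-172.16.100.254") \
              .replace("10.189.5.0 255.255.255.0", "172.16.100.0 255.255.255.0")


def classful_network(addr: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """Network the client ends up in when the PIX hands out a classful mask."""
    first_octet = int(addr) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _take_target(tokens, i):
    """Parse one ACL endpoint (any | host A | net mask) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text: str) -> dict:
    """Pull out only the statements the VPN pool checks need."""
    cfg = {"ifaces": {}, "pools": {}, "acls": {}, "nat0_acl": None,
           "crypto_acls": set(), "sysopt_permit_ipsec": False, "groups": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"] and len(t) >= 5:
            cfg["ifaces"][t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"] and len(t) >= 5:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            _src, i = _take_target(t, 4)
            dst, _ = _take_target(t, i)
            cfg["acls"].setdefault(t[1], []).append(dst)
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0_acl"] = t[4]
        elif t[:2] == ["crypto", "dynamic-map"] and "address" in t:
            cfg["crypto_acls"].add(t[t.index("address") + 1])
        elif t[:3] == ["sysopt", "connection", "permit-ipsec"]:
            cfg["sysopt_permit_ipsec"] = True
        elif t[0] == "vpngroup" and t[2:3] == ["address-pool"]:
            cfg["groups"][t[1]] = t[3]
    return cfg


def check_vpn_config(text: str, group: str = "lsdvpn") -> list:
    """Return a list of findings; an empty list means the pool looks sane."""
    cfg = parse_config(text)
    findings = []
    pool_name = cfg["groups"].get(group)
    if pool_name not in cfg["pools"]:
        return [f"vpngroup {group} has no usable address-pool"]
    lo, hi = cfg["pools"][pool_name]
    client_net = classful_network(lo)
    # 1. Classful client mask must not swallow an interface subnet (routing breaks).
    for name, net in cfg["ifaces"].items():
        if client_net.overlaps(net):
            findings.append(f"pool {pool_name} with client mask {client_net.netmask} "
                            f"overlaps {name} ({net})")
    # 2. nat 0 ACL and every crypto dynamic-map ACL must cover the whole pool.
    for role, acl in [("nat 0", cfg["nat0_acl"])] + \
                     [("crypto", a) for a in sorted(cfg["crypto_acls"])]:
        if not any(lo in e and hi in e for e in cfg["acls"].get(acl, [])):
            findings.append(f"{role} access-list {acl} does not cover pool {lo}-{hi}")
    # 3. Without sysopt, VPN traffic still hits the interface ACLs/conduits.
    if not cfg["sysopt_permit_ipsec"]:
        findings.append("sysopt connection permit-ipsec is missing")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_vpn_config(text) or ["OK"])
```

Running it reports two overlap findings for the "before" config (the 10.0.0.0/8 client mask covers both the inside and the DMZ subnets) and nothing for the "after" config; dropping the sysopt line from either config produces the third finding.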

See this post for another explanation about the subnet masks and gateways given to the VPN client.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd6841a

Have you tried to do a traceroute (tracert) when the VPN client is connected?

sincerely

Patrick

Hey Patrick.

I tried your new configuration with the different VPN pool addresses and it works great. I am able to connect to the PIX and establish an IPsec VPN tunnel. From there I can ping any device on our network. I can connect to our servers via Remote Desktop. However, I am unable to get to shared drives on my Win 2k servers. Does that mean I have to log off and then log back on to the domain to get to the resources? If I log off, would I lose my VPN session?

You have been soooo helpful. I think I am almost there just a little more tweaking. Just want to "Thank You" for all your help so far.

I am glad that this worked.

;-)

Windows net shares are a little bit tricky. Don't forget that browsing will not work at all, and without DNS for Active Directory or WINS for Windows 2000 domains, name resolution will not work.

A net use command with the right syntax should work!

example:

net use s: \\server2k\share /user:domainname\username
net use s: \\IP-Address\share /user:domainname\username

syntax:

NET USE
[devicename | *] [\\computername\sharename[\volume] [password | *]]
[/USER:[domainname\]username]
[/USER:[dotted domain name\]username]
[/USER:[username@dotted domain name]
[/SMARTCARD]
[/SAVECRED]
[[/DELETE] | [/PERSISTENT:{YES | NO}]]

NET USE {devicename | *} [password | *] /HOME

NET USE [/PERSISTENT:{YES | NO}]

See also:

Configuring PIX to Allow Remote Access to Shared Folders on an NT Domain

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00801ab781.shtml

Please mark this issue as solved so others will more easily find a solution to a similar problem.

sincerely

Patrick

Access to the DMZ for the VPN client!

access-list inside_outbound_nat0_acl permit ip any 10.189.250.96 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 10.189.250.96 255.255.255.224

This is wide open; the only place this could be blocked is somewhere in your CONDUITS. Check that you permit access to 10.189.250.96 255.255.255.224.

sincerely

Patrick