12-18-2005 05:39 AM - edited 02-21-2020 02:09 PM
Hello experts,
My notebook with the VPN-Client connects successfully to the Easy VPN Server, a PIX Firewall 501.
But that is all. I cannot connect to any host behind the firewall. I have to start a Terminal services client and logon to the local Domain behind the firewall.
I carefully examined the example in Chapter 8 of the PIX manual "Managing VPN Remote Access".
And those are the differences:
1. In the manual there is an Access-List defined
access-list in_out_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
(192.168.2.0 255.255.255.0 is the network address of the inside interface and 192.168.20.x is the address range the VPN client gets).
I do not have such an access-list definition, but a very similar one:
access-list outside_cryptomap_dyn_20 permit ip any 192.168.20.0 255.255.255.0
And this access-list is attached to a dynamic crypto-map via ...
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
... and the dynamic map is attached to a static map via ...
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
I think that the effect of the access-list definition is the same as that of the manual's example?
2. I only have ONE nat statement:
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
But in the manual there is another statement:
nat (inside) 0 access-list in_out_nat0_acl
Is this statement the lacking one?
3. I do not have a ...
isakmp key <VPN-Client-Password>
... but I have the following statement:
vpngroup VPN_Group_Name password <VPN-Client-Password>
... and I think this is the same, isn't it?
4. I do not have the following three statements:
vpngroup VPN_Group_Name dns-server
vpngroup VPN_Group_Name wins-server
vpngroup VPN_Group_Name default domain
... because I want the VPN client to connect to the Internet in parallel to the VPN connection to the remote site.
Therefore I defined an
access-list splitTunnelACL permit ip 192.168.2.0 255.255.255.0 any
and attached it via ...
vpngroup VPN_Group_Name split-tunnel splitTunnelACL
----------
Now when I open the statistics screen after being connected via VPN Client and after calling the MS Terminal Services Client and trying to connect to 192.168.2.5, I see
Received Bytes: 0
Sent Bytes: 1406
Local LAN: Disabled ????
And the "Route Details" page shows NO Local LAN Routes, but the one Secured route 192.168.2.0 255.255.255.0
And the VPN adapter has no default gateway, but the local LAN of the notebook still has the local default gateway (192.168.80.1 at the moment)
Can anyone out there tell me, what is wrong here?
TIA,
Richard
12-20-2005 01:32 PM
Hi Richard,
Looking at your posting I see one problem, the lack of a NAT 0 statement.
This entry is used to exclude the packets from your internal network back to the client from the NAT process. In your case these packets are being NATted and passed out to the Internet, not back down the tunnel. This is why the client stats show 0 received bytes.
So, what is the address pool range you have defined?
It's this range that needs to go in the NAT 0 ACL.
access-list NAT0-ACL permit ip any
nat (inside) 0 access-list NAT0-ACL
Hope this helps,
Andy
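As an added illustration of the point Andy makes (not code from either poster), the following checker parses PIX 6.x-style access-list and nat lines and reports whether inside-to-pool traffic is exempted from NAT by a "nat (inside) 0 access-list" entry. The config excerpts are constructed; the inside network 192.168.2.0/24 and the client pool 192.168.20.0/24 are assumed from the thread.

```python
import ipaddress

# Constructed excerpt mirroring the original posting: only a "nat (inside) 1"
# overload rule, so replies to 192.168.20.x are translated and sent to the Internet.
BROKEN_CFG = """
access-list outside_cryptomap_dyn_20 permit ip any 192.168.20.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
vpngroup VPN_Group_Name split-tunnel splitTunnelACL
"""

# Same excerpt plus the NAT exemption Andy describes (ACL name is an assumption).
FIXED_CFG = BROKEN_CFG + """
access-list NAT0-ACL permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NAT0-ACL
"""


def _parse_addr(tokens, i):
    """Consume one PIX address spec (any | host A | net mask); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_nat0_exemptions(cfg):
    """Return the (src, dst) network pairs bound to 'nat (inside) 0 access-list <name>'."""
    acls = {}          # ACL name -> list of (src, dst) networks
    nat0_acl = None    # name referenced by the nat 0 statement, if any
    for line in cfg.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _parse_addr(t, 4)
            dst, _ = _parse_addr(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"] and len(t) >= 5:
            nat0_acl = t[4]
    return acls.get(nat0_acl, [])


def vpn_pool_is_exempt(cfg, inside_net, pool_net):
    """True if some nat 0 entry covers inside -> pool, so return traffic stays in the tunnel."""
    inside = ipaddress.ip_network(inside_net)
    pool = ipaddress.ip_network(pool_net)
    return any(inside.subnet_of(src) and pool.subnet_of(dst)
               for src, dst in parse_nat0_exemptions(cfg))


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        print(name, "exempt:", vpn_pool_is_exempt(cfg, "192.168.2.0/24", "192.168.20.0/24"))
```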
12-21-2005 03:09 AM
YES IT HELPED !!!!!!!!!!!!!!
I thank you so much for your help.
The problem is solved!!!!
Thank you again!!!!!
Yours truly,
Richard