
VPN session won't get past authentication? - help pls.

gmaccisco1
Level 1

Hi,

We have a contractor who is trying to get to his workplace using VPN from inside our network and having our private IP address assigned to him by our DHCP server.

He tries the connection but he doesn't get past the authentication, i.e. the "Verifying username/password" phase.

He is able to connect to his workplace from any other place, but not from inside our network. He mentioned something about a problem with Cisco PIX and Protocol 53 or MS VPN but wasn't able to tell me all about it. I have not heard about this myself.

His workplace VPN IP address has been added to our main PIX outside interface, and an ACL to allow any IP from inside to that outside IP address has also been created.

Can someone please shed some light on this issue, which is unknown to me?

Thx,

Masood

4 Replies

mpalardy
Level 3

Hi Masood,

Pls check for the following:

- Syslog reporting denied access for ports udp/500, udp/4500 or tcp/10000 on the PIX (or other ports used by the VPN client).

- Output from the PC using the DOS CLI commands "ipconfig /all" and "route print".

- Any conflicting IP range with the remote network.

- Does the remote peer support NAT-T?

Mike

grant.maynard
Level 4

I'm not sure but I think you're talking about Microsoft VPN client (PPTP). That uses TCP port 1723 and protocol number 47 (GRE).

For older PIX OS I think you may need to create a static NAT for him (to map his IP to a public IP) and ACLs to allow MS VPN in and out of your network.

From 6.3.3 there is "fixup proto pptp" to make it work with PAT, so you don't need the static NAT.

I was having the same problem and I tried the fixup protocol pptp 1723 command and MS VPN works like a charm, thanks

Running PIX ver 6.3.5

Armando

This is the problem: I did the fixup after I upgraded to 6.3(5), but I was still having the problem and still have it.

Thx,

Masood
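
The syslog check suggested in the replies above can be scripted. This is an added example, not part of any post in the thread: it filters PIX ACL-deny messages for the ports and protocol the replies name (udp/500, udp/4500, tcp/10000, tcp/1723, GRE). The 106023 message layout, the function name `vpn_denies` and every address in the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Ports named in the replies above; GRE is IP protocol 47.
VPN_PORTS = {("udp", 500), ("udp", 4500), ("tcp", 10000), ("tcp", 1723)}
GRE = 47

# Assumed layout of a PIX 106023 (denied by access-group) message.
DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (?:protocol (?P<num>\d+)|(?P<proto>tcp|udp)) "
    r"src (?P<sif>\S+?):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dif>\S+?):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)

def vpn_denies(lines, peer_ip):
    """Count denied VPN-related flows toward peer_ip, keyed by 'proto/port'."""
    hits = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if not m or m.group("dst") != peer_ip:
            continue  # not an ACL deny, or not aimed at the VPN peer
        if m.group("num"):
            # Portless IP protocol: only GRE matters for PPTP.
            if int(m.group("num")) == GRE:
                hits["gre"] += 1
        else:
            key = (m.group("proto"), int(m.group("dport") or 0))
            if key in VPN_PORTS:
                hits["%s/%d" % key] += 1
    return hits

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '%PIX-4-106023: Deny udp src inside:10.1.1.50/1037 '
    'dst outside:198.51.100.20/500 by access-group "inside_out"',
    '%PIX-4-106023: Deny protocol 47 src inside:10.1.1.50 '
    'dst outside:198.51.100.20 by access-group "inside_out"',
    '%PIX-4-106023: Deny tcp src inside:10.1.1.50/1040 '
    'dst outside:198.51.100.20/80 by access-group "inside_out"',
    '%PIX-4-106023: Deny tcp src inside:10.1.1.50/1041 '
    'dst outside:203.0.113.9/1723 by access-group "inside_out"',
]

if __name__ == "__main__":
    for flow, count in sorted(vpn_denies(SAMPLE, "198.51.100.20").items()):
        print(flow, count)
```

An empty result only rules out the ACL: a PPTP session can still fail behind PAT without any deny being logged, which is the case the fixup command in the replies addresses.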