VPN Users cannot connect using application using port 3404

mdumont71469
Level 1

VPN users are connecting using a VPN tunnel terminating at a PIX 515E; however, they are unable to use the application connecting over port 3404. It used to work, or so I was told, but it doesn't work anymore. What am I doing wrong??? Please advise. Here is the config:

ip local pool dealer 192.168.0.3-192.168.0.5
ip local pool DYNAusers 192.168.1.2-192.168.1.20
ip local pool DYNAusers2 192.168.1.21-192.168.1.254
vpngroup PCPVPN01 address-pool DYNAusers
vpngroup PCPVPN01 wins-server 192.168.x.x
vpngroup PCPVPN01 split-tunnel DYNAsplit
vpngroup PCPVPN01 idle-time 1800
vpngroup PCPVPN01 password
vpngroup WELLVPN01 address-pool DYNAusers
vpngroup WELLVPN01 wins-server 192.168.x.x
vpngroup WELLVPN01 split-tunnel DYNAsplit
vpngroup WELLVPN01 idle-time 1800
vpngroup WELLVPN01 password
vpngroup SRVCVPN01 address-pool DYNAusers2
vpngroup SRVCVPN01 wins-server 192.168.x.x
vpngroup SRVCVPN01 split-tunnel DYNAsplit
vpngroup SRVCVPN01 idle-time 1800
vpngroup SRVCVPN01 password
access-list DYNAsplit permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list DYNAsplit permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DYNAsplit permit ip host 209.42.50.82 192.168.1.0 255.255.255.0
access-list DYNAsplit permit ip any 192.168.0.0 255.255.255.0
access-list DYNAacl 60 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set DYNAset esp-3des esp-md5-hmac
crypto ipsec transform-set To_NHP esp-3des esp-sha-hmac
crypto dynamic-map DYNAmap 30 set transform-set DYNAset
crypto map VPNtunnels 30 ipsec-isakmp dynamic DYNAmap
crypto map VPNtunnels 40 ipsec-isakmp
crypto map VPNtunnels 40 match address 150
crypto map VPNtunnels 40 set peer 70.151.5.114
crypto map VPNtunnels 40 set transform-set To_NHP
crypto map VPNtunnels 40 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map VPNtunnels interface outside
crypto map partner-map 30 ipsec-isakmp
! Incomplete
isakmp enable outside
isakmp key address
netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400


The inability to pass data is the result of a configuration with the same access control list (ACL) for both the nat 0 and the static crypto map for the LAN-to-LAN IPSec peer.

According to Cisco my configs are okay. While connected to the tunnel we can ping hosts on network 192.168.0.0; however, we cannot ping the server that the application resides on. Or rather, from the firewall we can see that the server replies back, but I am not getting the echo reply back on the VPN client (my laptop). This is really strange. HELP!!!!

I can't see the no-nat bit; would you please upload the entire config?

You also mentioned that the server replies back. Have you tried to connect from a different PC? Is the PC running any software firewall?

Your suggestion was definitely on the right path. My access-list 10, which permits the 10.0.0.0 network to the 192.168.0.0 network, had a line that permitted 192.168.0.0 to any any; access-list 10 was applied to the LAN-to-LAN config, so it was directing traffic to the LAN-to-LAN site. As soon as I took out that statement (access-list 10 permit 192.168.0.0 any any) the problem was resolved.

THANK YOU!!!!!!
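The failure mode in this thread (a LAN-to-LAN crypto ACL with an over-broad "any" destination capturing return traffic meant for remote-access clients) can be checked mechanically. The Python below is an added illustration, not from the thread or from Cisco; it models PIX first-match crypto-ACL selection and flags LAN-to-LAN entries that overlap the remote-access pool. The ACL lines, the 10.0.0.0/8 remote network and the server address 192.168.0.10 are constructed to mirror the fix described above.

```python
import ipaddress

def _parse_addr(tokens):
    """Consume one PIX address spec (any | host A.B.C.D | A.B.C.D MASK)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(lines):
    """Parse 'access-list NAME permit ip SRC DST' lines into (name, src, dst, text)."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] != "permit" or t[3] != "ip":
            continue  # only the ip-permit form used by crypto-map match address
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        entries.append((t[1], src, dst, line))
    return entries

def first_match(entries, src_ip, dst_ip):
    """Crypto-map semantics: the first permit covering the flow claims it for that SA."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for _, src, dst, text in entries:
        if s in src and d in dst:
            return text
    return None  # no static L2L match; the dynamic map (remote-access SA) can handle it

def l2l_entries_covering_pool(entries, pool_nets):
    """L2L crypto-ACL lines whose destination overlaps the remote-access address pool."""
    return [text for _, _, dst, text in entries
            if any(dst.overlaps(n) for n in pool_nets)]

# Constructed: the DYNAusers pool from the post, expressed as networks.
POOL = list(ipaddress.summarize_address_range(
    ipaddress.IPv4Address("192.168.1.2"), ipaddress.IPv4Address("192.168.1.20")))

# Constructed L2L crypto ACL before the fix: the second line is the over-broad one.
L2L_BEFORE = [
    "access-list 10 permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0",
    "access-list 10 permit ip 192.168.0.0 255.255.255.0 any",
]
L2L_AFTER = L2L_BEFORE[:1]  # after removing the 'any' line

if __name__ == "__main__":
    # Return traffic from the application server to a VPN client in the pool.
    print(first_match(parse_acl(L2L_BEFORE), "192.168.0.10", "192.168.1.5"))
    print(first_match(parse_acl(L2L_AFTER), "192.168.0.10", "192.168.1.5"))
    print(l2l_entries_covering_pool(parse_acl(L2L_BEFORE), POOL))
```

Before the fix the server's reply to 192.168.1.5 matches the "any" line and is steered into the LAN-to-LAN SA, which is why the firewall sees the reply but the client never does; after the fix nothing in the static map claims it.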

Hi,

It is good to learn that the issue has been resolved. Would you please rate the post?