I am having problems with my Cisco VPN setup. I can get some users working fine, and into remote desktop. Others can connect to the firewall, but cannot connect to Remote Desktop. They cannot ping the server (192.168.0.2) either. I can ping the server on the machines that can connect to Remote Desktop.
One problem i am having, is that in one office, one computer can connect fine. But after a few minutes, that machine can no longer connect to the server or ping it. The cisco vpn stays connected though.
I have the security level set to 2 (default) on each user.
1st I would check to see if the local computer is running windows firewall. If it is running i would disable it. i would then check to see if remote desktop is enabled. If it is enabled i would check to see who has access to run remote desktop. you might want to create a security group called remote desktop and place only the people you want to have access. Hope this helps. Also what OS is running on the server and on the desktops.
The server is a Windows 2000 server. The clients all have Windows XP Pro. I have had all of the clients on the server before we installed the new PIX Firewall. I am just confused on why some people can get in, and some cant. It may be something on their router/firewall (likely a linksys or the like) that is not allowing the connection. I dont know though, becuase nothing has changed on the client side. I have just set up the PIX for VPN, and some work, and some dont. All of the users are part of the same vpn group.
Please let me know if you have any more suggestions.
The problem could well be that your router at the user site does not know who the VPN protocols should belong to as it cannot differentiate between different users. i.e. the IPSec protocols do not use ports and therefore cannot be mapped to an internal user.
If you have recent PIX or IOS software acting as the VPN endpoint and the users have one of the latest VPN Client releases then you could have a look at using Nat Traversal on your concentrator device. This will use UDP encapsulation for the IPSec traffic and the site router will know who the packets belong to.
A PIX uses 'isakmp nat-traversal 20' to do this
and an IOS device later than 12.2(13)T will do it automatically, if not try 'crypto ipsec nat-transparency udp-encapsulation' to enable it.
You will need to make sure UDP 4500 is open in both directions too.
Almost, but the line 'crypto ipsec nat-transparency udp-encapsulation' is only an option for an IOS router as I didn't know what device you were using so you don't want it for the PIX.
You shouldn't need this line either as the PIX is the device that needs to receive the UDP 4500 traffic. : 'static (inside2,outside) udp 4500 4500 netmask
255.255.255.255 0 0'
If access-list is the ACL controlling your inbound traffic from the Internet then your line below should be ok.
If the PIX is the VPN termination point, then only the first line, isakmp nat-traversal 20 is needed.
If you are trying to make a connection through a PIX to a VPN termination point that is internal, then if that server has a public IP that is not shared with any other machine:
: pptp, if that's what the internal server is handling access-list 110 permit gre any host ServerPublicIP access-list 110 permit udp any host ServerPublicIP eq 1723 : l2tp, if that's what the internal server is handling access-list 110 permit udp any host ServerPublicIP eq 1701
If the internal server is handling IPSec:
: ipsec, AH enabled and ServerPublicIP is the same as ServerPrivateIP access-list 110 permit udp any host ServerPublicIP eq 500 access-list 110 permit esp any host ServerPublicIP access-list 110 permit ah any host ServerPublicIP
OR
: ipsec, AH not enabled. ServerPublicIP does not need to be the same : as ServerPrivateIP access-list 110 permit udp any host ServerPublicIP eq 500 access-list 110 permit esp any host ServerPublicIP
OR
: ipsec. AH can be enabled or not. ServerPublicIP does not need to be : the same as ServerPrivateIP isakmp nat-traversal 20 access-list 110 permit udp any host ServerPublicIP eq 500 access-list 110 permit udp any host ServerPublicIP eq 4500
It does not hurt to combine these IPSec cases, into:
isakmp nat-traversal 20 access-list 110 permit udp any host ServerPublicIP eq 500 access-list 110 permit udp any host ServerPublicIP eq 4500 access-list 110 permit esp any host ServerPublicIP access-list 110 permit ah any host ServerPublicIP
If you are trying to make a connection through a PIX to a VPN termination point that is internal, and if that server has a public IP that is shared with any other machine, such as the outside interface of the PIX, you set things up differently. The below is written assuming that you are using the public IP of the PIX itself.
If you are using a different public IP for the server, but still shared with other machines, then in each 'static' command, for the word 'interface', substitute the public IP, and in each acl entry, in place of 'interface outside', substitute 'host' followed by the shared public IP:
(Note: PIX 6.x syntax; the port forwarding might be different in 7.0)
: if pptp is what the internal server handles static (inside, outside) udp interface 1723 ServerPrivateIP 1723 netmask
: if l2tp is what the internal server handles static (inside,outside) udp interface 1701 ServerPrivateIP 1701 access-list 110 permit udp any interface outside eq 1701
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.