err... VPN 4.6 Client From remote network to Pix 515

I am not able to figure out why any of my remote users are not able to connect through the VPN client 4.6 when they are on other networks. If they are on the internet (AOL, MSN, etc...) there is no problem.

Any help?? I am a noob so speak slowly because I have to use the interface manager.

~noob~

Reply to
Noob

Well some config files, logfiles, error files from both firewall and client and firewall software revision would help.

But if I understand you right, when your clients go to another network they cannot access the VPN, but when they are on the internet they can?

The internet is another network so what is the difference between the sites they can connect from and the sites they can not connect from? Are these client sites? If so they may deny IPSEC out of their network for security purposes.

Reply to
Chad Mahoney

Well here is what I have for my configs and some more answers. I did change the IPs around because I am paranoid. Thanks for the help btw

Yes, only when they do not have to go through someone's network. I am not sure why they are able to connect without any problems when they are going through Earthlink, AOL or any of those.

Yes

I am not sure but all of them?

Result of firewall command: "show run"

: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password /wCQ1ZtRjblYJ/E9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname phillips
domain-name phillipsmfg.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 deny 25 192.168.1.0 255.255.255.0 any
access-list 101 permit 25 host 192.168.1.19 any
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit 25 host 192.168.1.24 any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 64.199.228.130 255.255.255.248
ip address inside 192.168.1.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool PIXPOOL 192.168.1.211-192.168.1.230
pdm location 192.168.1.11 255.255.255.255 outside
pdm location 192.168.1.5 255.255.255.255 inside
pdm location 63.160.66.0 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 10.1.1.0 255.255.255.0 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.1.19 255.255.255.255 inside
pdm location 192.168.1.24 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 64.199.228.129 1
route inside 10.1.1.0 255.255.255.0 192.168.1.50 1
route inside 192.168.2.0 255.255.255.0 192.168.1.50 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup PhillipsVPN address-pool PIXPOOL
vpngroup PhillipsVPN default-domain PHILLIPSMFG.COM
vpngroup PhillipsVPN split-tunnel 101
vpngroup PhillipsVPN idle-time 1800
vpngroup PhillipsVPN password ********
vpngroup Sales idle-time 1800
vpngroup Taftsystems address-pool PIXPOOL
vpngroup Taftsystems default-domain PHILLIPSMFG.COM
vpngroup Taftsystems split-tunnel 101
vpngroup Taftsystems idle-time 1800
vpngroup Taftsystems password ********
vpngroup batta address-pool PIXPOOL
vpngroup batta default-domain PHILLIPSMFG.COM
vpngroup batta idle-time 1800
vpngroup batta password ********
vpngroup Talley address-pool PIXPOOL
vpngroup Talley default-domain PHILLIPSMFG.COM
vpngroup Talley idle-time 1800
vpngroup Talley password ********
vpngroup Heneghan address-pool PIXPOOL
vpngroup Heneghan default-domain PHILLIPSMFG.COM
vpngroup Heneghan idle-time 1800
vpngroup Heneghan password ********
vpngroup lemerson address-pool PIXPOOL
vpngroup lemerson default-domain phillipsmfg.com
vpngroup lemerson idle-time 1800
vpngroup lemerson password ********
telnet timeout 5
ssh 63.160.66.0 255.255.255.0 outside
ssh timeout 5
dhcpd address 192.168.1.211-192.168.1.230 inside
dhcpd dns 192.168.1.19
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain Phillipsmfg.com
dhcpd auto_config outside
terminal width 80
Cryptochecksum:4c5f2a708ab99a840922ad3c0df978c7
: end
Reply to
Noob

You come to any network I control and you will be lucky to even get an IP address. Let me ask you,

How about when I come to your network and create a VPN tunnel? Then my network is exposed to yours and vice-versa.

Reply to
Chad Mahoney

Not sure, have you contacted them?

Their network, their rules...

Reply to
Chad Mahoney

I called and talked to them; they said that IPSEC was allowed but will check to make sure that their "Internet Connection Sharing" was set correctly. I am thinking that this might be the problem.

I have also talked to a few more outside sales people. Seems that only some are having this problem at a few clients' locations. I like how a few turns into everyone.

Reply to
Noob

I was a noob once upon a time too.

formatting link
ICS and the Cisco VPN client will not work. Google has been my friend for many configuration questions.

formatting link
is your best friend. Some of the topics require a login. If you are a noob then the best suggestion I can make to you is to buy a support contract from Cisco until you are comfortable. Their support is great and when you are in a pinch you can call and get the answers you need.

One piece of advice I can give you is never give out your real addresses to any forum over the net. It provokes young kids in Denmark to want to hack or throw a DoS attack at you.

Steve

Reply to
Newbie72

A general rule of thumb is that if you enable any kind of admin access on an external interface you could be asking for trouble, so heavily guard and monitor it. Especially now that everyone on the internet has the IP address they need to spoof to get access:

ssh 63.160.66.0 255.255.255.0 outside

Reply to
Newbie72
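As an added illustration of the point above (not code from the original thread or from Cisco), the following script scans a PIX 6.x "show run" for ssh/telnet/http access lines bound to the outside interface, reports how wide each one is, and prints the matching "no ..." form that removes it. The sample config is constructed for the example: it reuses the ssh and http lines from the posted config and adds a hypothetical wide-open telnet line to show the worst case.

```python
import ipaddress
import re

# PIX 6.x management-access lines have the form "<ssh|telnet|http> <ip> <mask> <ifname>".
# Lines such as "ssh timeout 5" or "http server enable" do not match and are ignored.
MGMT_RE = re.compile(
    r"^(ssh|telnet|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)


def find_exposed_mgmt(config_text, untrusted_ifaces=("outside",)):
    """Return one dict per management-access line bound to an untrusted interface."""
    findings = []
    for raw in config_text.splitlines():
        m = MGMT_RE.match(raw.strip())
        if not m:
            continue
        cmd, ip, mask, iface = m.groups()
        if iface not in untrusted_ifaces:
            continue
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if net.prefixlen == 0:
            reason = "open to every source address"
        elif net.prefixlen < 32:
            reason = f"open to a /{net.prefixlen} range; any host in it reaches the login prompt"
        else:
            reason = "single host, but still a login prompt on an untrusted interface"
        findings.append({
            "command": cmd,
            "network": str(net),
            "interface": iface,
            "reason": reason,
            # PIX removes an access line by prefixing the same line with "no".
            "undo": f"no {cmd} {ip} {mask} {iface}",
        })
    return findings


# Constructed sample: two lines from the posted config plus a hypothetical telnet line.
SAMPLE_CONFIG = """\
http server enable
http 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
ssh 63.160.66.0 255.255.255.0 outside
ssh timeout 5
"""

if __name__ == "__main__":
    for f in find_exposed_mgmt(SAMPLE_CONFIG):
        print(f"{f['command']:6} {f['network']:18} on {f['interface']}: {f['reason']}")
        print(f"    remove with: {f['undo']}")
```

Run it against a saved copy of "show run"; anything it prints is a login prompt reachable from the internet and should be removed or restricted to a single trusted host.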

OK, now I feel like a twit. I am not sure why anyone needs admin access from the external interface. How do I change it?

Reply to
Noob

formatting link

I thought I changed all of them. I REALLY am a noob. Any help on this?

Reply to
Noob

I hope I removed it but I think it might be a little too late..

How do I remove admin access from the outside interface?

Reply to
Noob

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.