Problem with VPN Client

Firewalls, PIX, ASA, VPN, Access Control List, User Authentication, Data Encryption and Best Practices.
Guest

Problem with VPN Client

Post by Guest » Sat May 09, 2009 10:16 am


Hello everyone,

Please give me some help with the following. I'm trying to connect with a VPN Client, which is behind a Checkpoint F/W, to a Cisco PIX 515. Although the connection is established, I cannot access the internal network behind the PIX. I configured NAT-T in the PIX 515 and opened the appropriate TCP/UDP ports (500, 4500, 10000) in Checkpoint, but I get the following error in the log file of the VPN Client:

Cisco Systems VPN Client Version 5.0.00.0340
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

45     16:15:56.593  11/27/07  Sev=Warning/2      CVPND/0xA3400011
Error -14 sending packet. Dst Addr: 0xFFFFFFFF, Src Addr: 0xC0A8003B (DRVIFACE:1201).

46     16:15:59.312  11/27/07  Sev=Warning/2      CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

47     16:15:59.312  11/27/07  Sev=Warning/2      CM/0xA3100025
Unable to delete route. Network: c0a800ff, Netmask: ffffffff, Interface: a000096, Gateway: c0a8003b.

48     16:15:59.312  11/27/07  Sev=Warning/2      CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

49     16:15:59.312  11/27/07  Sev=Warning/2      CM/0xA3100025
Unable to delete route. Network: c0a80000, Netmask: ffffff00, Interface: a000096, Gateway: c0a8003b.
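The client log above writes addresses, masks and gateways as raw hex, which hides which networks the failed route deletions refer to. The following decoder is an added example, not part of the original post; it assumes the eight hex digits are a 32-bit IPv4 value in network byte order, and the function names are hypothetical.

```python
import ipaddress
import re

# Message lines copied from the log in the post (record headers omitted).
SAMPLE_LOG = """\
Error -14 sending packet. Dst Addr: 0xFFFFFFFF, Src Addr: 0xC0A8003B (DRVIFACE:1201).
Unable to delete route. Network: c0a800ff, Netmask: ffffffff, Interface: a000096, Gateway: c0a8003b.
Unable to delete route. Network: c0a80000, Netmask: ffffff00, Interface: a000096, Gateway: c0a8003b.
"""

# Fields whose value is an IPv4 address or mask written as 8 hex digits.
# "Interface" is an adapter index, not an address, so it is left alone.
ADDR_FIELD = re.compile(
    r"\b(Dst Addr|Src Addr|Network|Netmask|Gateway): (?:0x)?([0-9A-Fa-f]{8})\b"
)


def hex_to_ipv4(value):
    """Convert 8 hex digits (assumed network byte order) to dotted quad."""
    return str(ipaddress.IPv4Address(int(value, 16)))


def decode_line(line):
    """Return the line with every hex address field rewritten as dotted quad."""
    return ADDR_FIELD.sub(
        lambda m: f"{m.group(1)}: {hex_to_ipv4(m.group(2))}", line
    )


def failed_routes(log_text):
    """Return (network/prefix, gateway) for each 'Unable to delete route' line."""
    routes = []
    for line in log_text.splitlines():
        if "Unable to delete route" not in line:
            continue
        fields = {name: hex_to_ipv4(raw) for name, raw in ADDR_FIELD.findall(line)}
        net = ipaddress.IPv4Network(f"{fields['Network']}/{fields['Netmask']}")
        routes.append((str(net), fields["Gateway"]))
    return routes


if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        print(decode_line(entry))
    print(failed_routes(SAMPLE_LOG))
```

Decoded this way, the two routes the client could not delete are the local LAN and its broadcast address, both via the client's own address as gateway.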

Guest

Re:Problem with VPN Client

Post by Guest » Sat May 09, 2009 11:05 am


Please post your PIX config; most probably it is a tunneling issue.

Guest

Re:Problem with VPN Client

Post by Guest » Sat May 09, 2009 11:13 am


Thank you for the reply. Please find attached the PIX config file.  

Guest

Re:Problem with VPN Client

Post by Guest » Sat May 09, 2009 12:05 pm


Add the following in respective order:

global (outside) 1 interface
object-group network Clients
network-object 172.16.2.1 255.255.255.255
network-object 172.16.2.2 255.255.255.255
network-object 172.16.2.3 255.255.255.255
network-object 172.16.2.4 255.255.255.255
network-object 172.16.2.5 255.255.255.255
network-object 172.16.2.6 255.255.255.255
network-object 172.16.2.7 255.255.255.255
network-object 172.16.2.8 255.255.255.255
network-object 172.16.2.9 255.255.255.255
network-object 172.16.2.10 255.255.255.255
network-object 172.16.2.11 255.255.255.255
network-object 172.16.2.12 255.255.255.255
network-object 172.16.2.13 255.255.255.255
network-object 172.16.2.14 255.255.255.255
network-object 172.16.2.15 255.255.255.255
network-object 172.16.2.16 255.255.255.255
network-object 172.16.2.17 255.255.255.255
network-object 172.16.2.18 255.255.255.255
network-object 172.16.2.19 255.255.255.255
network-object 172.16.2.20 255.255.255.255
network-object 172.16.2.21 255.255.255.255
q
access-list no_nat permit ip 10.0.0.0 255.255.255.0 object-group Clients

After that, clients will be able to reach the inside network, but they will lose their local connectivity. To avoid this, add the following:

access-list split_T permit ip 10.0.0.0 255.255.255.0 object-group Clients
vpngroup nikas split-tunnel split_T
vpngroup nikas1 split-tunnel split_T
vpngroup nikas2 split-tunnel split_T
vpngroup nikas3 split-tunnel split_T
vpngroup nikas4 split-tunnel split_T
vpngroup nikas5 split-tunnel split_T
vpngroup nikas6 split-tunnel split_T
vpngroup nikas7 split-tunnel split_T
vpngroup nikas8 split-tunnel split_T
vpngroup nikas9 split-tunnel split_T
vpngroup nikas10 split-tunnel split_T
vpngroup nikas11 split-tunnel split_T
vpngroup nikas12 split-tunnel split_T
vpngroup nikas13 split-tunnel split_T
vpngroup nikas14 split-tunnel split_T
vpngroup nikas15 split-tunnel split_T
vpngroup nikas16 split-tunnel split_T
vpngroup nikas17 split-tunnel split_T
vpngroup nikas18 split-tunnel split_T
vpngroup nikas19 split-tunnel split_T
