Problem with VPN Client

Firewalls, PIX, ASA, VPN, Access Control List, User Authentication, Data Encryption and Best Practices.

Problem with VPN Client

Postby Guest » Sat May 09, 2009 10:16 am


Hello everyone

Please give me some help with the following.

I'm trying to connect with a VPN Client which is behind a Checkpoint F/W to a Cisco PIX 515. Although the connection is established, I cannot access the internal network behind the PIX. I configured NAT-T on the PIX 515 and opened the appropriate TCP/UDP ports (500, 4500, 10000) on the Checkpoint, but I get the following error in the log file of the VPN Client:

Cisco Systems VPN Client Version 5.0.00.0340
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

45     16:15:56.593  11/27/07  Sev=Warning/2      CVPND/0xA3400011
Error -14 sending packet. Dst Addr: 0xFFFFFFFF, Src Addr: 0xC0A8003B (DRVIFACE:1201).

46     16:15:59.312  11/27/07  Sev=Warning/2      CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

47     16:15:59.312  11/27/07  Sev=Warning/2      CM/0xA3100025
Unable to delete route. Network: c0a800ff, Netmask: ffffffff, Interface: a000096, Gateway: c0a8003b.

48     16:15:59.312  11/27/07  Sev=Warning/2      CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

49     16:15:59.312  11/27/07  Sev=Warning/2      CM/0xA3100025
Unable to delete route. Network: c0a80000, Netmask: ffffff00, Interface: a000096, Gateway: c0a8003b.

Guest
Re:Problem with VPN Client

Postby Guest » Sat May 09, 2009 11:05 am


Please post your PIX config; most probably it is a tunnelling issue.

Guest
 

Re:Problem with VPN Client

Postby Guest » Sat May 09, 2009 11:13 am


Thank you for the reply. Please find attached the PIX config file.

 

Guest
 

Re:Problem with VPN Client

Postby Guest » Sat May 09, 2009 12:05 pm


Add the following, in this order:

global (outside) 1 interface
object-group network Clients
network-object 172.16.2.1 255.255.255.255
network-object 172.16.2.2 255.255.255.255
network-object 172.16.2.3 255.255.255.255
network-object 172.16.2.4 255.255.255.255
network-object 172.16.2.5 255.255.255.255
network-object 172.16.2.6 255.255.255.255
network-object 172.16.2.7 255.255.255.255
network-object 172.16.2.8 255.255.255.255
network-object 172.16.2.9 255.255.255.255
network-object 172.16.2.10 255.255.255.255
network-object 172.16.2.11 255.255.255.255
network-object 172.16.2.12 255.255.255.255
network-object 172.16.2.13 255.255.255.255
network-object 172.16.2.14 255.255.255.255
network-object 172.16.2.15 255.255.255.255
network-object 172.16.2.16 255.255.255.255
network-object 172.16.2.17 255.255.255.255
network-object 172.16.2.18 255.255.255.255
network-object 172.16.2.19 255.255.255.255
network-object 172.16.2.20 255.255.255.255
network-object 172.16.2.21 255.255.255.255
q
access-list no_nat permit ip 10.0.0.0 255.255.255.0 object-group Clients

After that, the clients will be able to reach the inside network, but they will lose their local connectivity. To avoid this, add the following:

access-list split_T permit ip 10.0.0.0 255.255.255.0 object-group Clients
vpngroup nikas split-tunnel split_T
vpngroup nikas1 split-tunnel split_T
vpngroup nikas2 split-tunnel split_T
vpngroup nikas3 split-tunnel split_T
vpngroup nikas4 split-tunnel split_T
vpngroup nikas5 split-tunnel split_T
vpngroup nikas6 split-tunnel split_T
vpngroup nikas7 split-tunnel split_T
vpngroup nikas8 split-tunnel split_T
vpngroup nikas9 split-tunnel split_T
vpngroup nikas10 split-tunnel split_T
vpngroup nikas11 split-tunnel split_T
vpngroup nikas12 split-tunnel split_T
vpngroup nikas13 split-tunnel split_T
vpngroup nikas14 split-tunnel split_T
vpngroup nikas15 split-tunnel split_T
vpngroup nikas16 split-tunnel split_T
vpngroup nikas17 split-tunnel split_T
vpngroup nikas18 split-tunnel split_T
vpngroup nikas19 split-tunnel split_T

Guest
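As an added example, not code from the thread or from Cisco: a small Python audit of a PIX 6.x config fragment in the shape of the reply's suggestion. It checks that every host in the Clients object-group is NAT-exempt through the ACL bound with nat (inside) 0, and that every vpngroup carries a split-tunnel ACL (the case the reply warns loses local LAN connectivity). The sample config is constructed; the nat 0 binding, the two-host pool and the inside host 10.0.0.1 are assumptions.

```python
import ipaddress, re

# Constructed sample in the shape of the reply's PIX 6.x commands: names are the
# thread's, the client pool is shortened, the "nat (inside) 0" binding is assumed.
SAMPLE_CONFIG = """
global (outside) 1 interface
object-group network Clients
  network-object 172.16.2.1 255.255.255.255
  network-object 172.16.2.2 255.255.255.255
access-list no_nat permit ip 10.0.0.0 255.255.255.0 object-group Clients
nat (inside) 0 access-list no_nat
access-list split_T permit ip 10.0.0.0 255.255.255.0 object-group Clients
vpngroup nikas split-tunnel split_T
vpngroup nikas1 address-pool pool1
"""

def net(addr, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect network object-groups, permit-ip ACL entries and vpngroup attributes."""
    groups, acls, vpngroups, current = {}, {}, {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"object-group network (\S+)$", line):
            current = groups.setdefault(m[1], [])
        elif (m := re.match(r"network-object (\S+) (\S+)$", line)) and current is not None:
            current.append(net(m[1], m[2]))
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (.+)$", line):
            dst = m[4].split()  # destination is "object-group NAME" or "IP MASK"
            dsts = groups.get(dst[1], []) if dst[0] == "object-group" else [net(*dst)]
            acls.setdefault(m[1], []).append((net(m[2], m[3]), dsts))
        elif m := re.match(r"vpngroup (\S+) (\S+)(?: (\S+))?", line):
            vpngroups.setdefault(m[1], {})[m[2]] = m[3]
    return groups, acls, vpngroups

def acl_permits(acls, name, src_ip, dst_ip):
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and any(d in n for n in dsts) for src, dsts in acls.get(name, []))

def audit(config, inside_host="10.0.0.1"):  # assumed host on the reply's 10.0.0.0/24
    groups, acls, vpngroups = parse(config)
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    findings = [] if nat0 else ["no 'nat (inside) 0 access-list' binding: NAT exemption not applied"]
    for host in groups.get("Clients", []):
        if nat0 and not acl_permits(acls, nat0[1], inside_host, str(host.network_address)):
            findings.append(f"client {host.network_address} is not NAT-exempt in {nat0[1]}")
    for name, attrs in vpngroups.items():
        if "split-tunnel" not in attrs:
            findings.append(f"vpngroup {name}: no split-tunnel, clients lose local LAN access")
    return findings
```

Running audit(SAMPLE_CONFIG) flags only nikas1, the group defined without a split-tunnel line.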