  • Cisco VPN Client - Need Your Help!

    We have machines with the following configuration:

    Machine (A) Notebooks:
    Windows XP Professional SP2
    Java Client 6 update 4
    Java SE Development Kit 6 Update 4
    Jboss Server
    SQL 2005 Server Developer Edition PS2
    Eclipse
    Microsoft Office 2003 Professional SP3
    Symantec Antivirus Corp v10.1
    Google Talk
    DJ Java Decompiler

    Cisco VPN Client v5.0.02.0090
    Connect to a domain controller

    (I will add more as I find out)

    Machine (B) Desktops:
    Windows XP Professional SP2
    Java Client
    Microsoft Office 2003 Professional
    Symantec Antivirus Corp v10.1
    Cisco VPN Client v5.0.02.0090
    Connect to a domain controller

    Cisco PIX Security Appliance Software Version 8.0(3)
    Device Manager Version 6.0(3)

    We have a FO/UR...

    Both the desktops and notebooks have not been locked down in any way.

    The problem:

    When people from the Machine (A) group connect to the PIX, either at the office or from their homes, 70% of the time once they are connected they can't get past the PIX and onto the LAN; they use Microsoft's RDC and are unable to resolve the server names, nor are they able to access the machines via their IP addresses. If they disconnect from the PIX and reconnect, eventually they are able to access the LAN.

    When people from the Machine (B) group connect to the PIX at the office they can get access to the LAN using Microsoft RDC and the server name and IP addresses 98% of the time; when it does fail and they disconnect and reconnect, they are able to get access to the LAN without any problems.

    At home I have a machine running Windows XP SP2 that I use for support; it's connected directly to a Linksys cable/DSL router, has the same Cisco client and no antivirus, and it's also able to connect 98% of the time without any problems. The same thing happens when I am not able to get past the PIX and onto the LAN: after I reconnect it works fine.

    So I am wondering if this is typical of Cisco's products and if we should be looking for a more solid VPN solution from another company?

    I had our Cisco guy, who teaches Cisco courses at one of the local colleges, look at the configuration again and he can't find anything wrong with it, nor does he see any errors when I (or anyone else, for that matter) am connected but not able to access the LAN, from the PIX side. He blames it on the machines. I believe him to some degree, as the Machine (A) group has a lot of applications on it that could very well conflict with the VPN client, but I am not sure how or why; and then again, it doesn't explain why a machine with a lot fewer applications installed on it exhibits the same behaviour from time to time.

    Any thoughts?

    Thanks
    Andrew

  • #2
    Re: Cisco VPN Client - Need Your Help!

    Could you post the config? Change the public IP and password details though.

    I would initially look for a line
    isakmp nat-traversal 20
    or similar.
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?

    • #3
      Re: Cisco VPN Client - Need Your Help!

      Originally posted by AndyJG247:
      Could you post the config? Change the public IP and password details though.

      I would initially look for a line
      isakmp nat-traversal 20
      or similar.
      You want the 'show run', correct?

      Andrew

      • #4
        Re: Cisco VPN Client - Need Your Help!

        Yep please.
        Make sure you remove the password lines and change your public IP though.
        cheers
        Andy

        • #5
          Re: Cisco VPN Client - Need Your Help!

          Originally posted by AndyJG247:
          yep please.
          Make sure you remove the password lines and change your public IP though
          I am pretty sure I got everything....


          PIX-CO1# show run
          : Saved
          :
          PIX Version 8.0(3)
          !
          hostname PIX-CO1
          enable password encrypted
          names
          !
          interface Ethernet0
          nameif outside
          security-level 0
          ip address xxx.xxx.xxx.146 255.255.255.240 standby xxx.xxx.xxx.147
          !
          interface Ethernet1
          nameif inside
          security-level 100
          ip address 192.168.xxx.50 255.255.255.0 standby 192.168.xxx.51
          !
          interface Ethernet2
          description LAN/STATE Failover Interface
          !
          interface Ethernet3
          shutdown
          no nameif
          no security-level
          no ip address
          !
          passwd encrypted
          ftp mode passive
          object-group network APP_SRVRS
          network-object host 192.168.xxx.10
          network-object host 192.168.xxx.11
          network-object host 192.168.xxx.12
          network-object host 192.168.xxx.13
          access-list NONAT extended permit ip 192.168.xxx.0 255.255.255.0 192.168.xxx.0 255.255.255.0
          access-list NONAT extended permit ip 192.168.xxx.0 255.255.255.0 192.168.xxx.0 255.255.255.224
          access-list S2SVPN extended permit ip 192.168.xxx.0 255.255.255.0 192.168.xxx.0 255.255.255.0
          access-list ClientVPN extended permit ip 192.168.xxx.0 255.255.255.0 192.168.xxx.0 255.255.255.224
          access-list acl_in extended permit tcp any any eq ftp
          access-list acl_in extended permit tcp any any eq www
          access-list acl_in extended permit tcp any any eq https
          access-list acl_in extended permit tcp any any eq smtp
          access-list acl_in extended permit icmp host 192.168.xxx.10 any
          access-list acl_in extended permit icmp host 192.168.xxx.235 any
          access-list acl_in extended permit udp host 192.168.xxx.2 any eq domain
          access-list acl_in extended permit udp host 192.168.xxx.3 any eq domain
          access-list acl_in extended permit ip 192.168.xxx.0 255.255.255.0 192.168.xxx.0 255.255.255.0
          access-list acl_in extended permit udp host 192.168.xxx.15 any eq domain
          access-list acl_in extended permit tcp any any eq pop3
          access-list acl_in extended permit udp host 192.168.xxx.3 any eq ntp
          access-list acl_in extended permit udp host 192.168.xxx.2 any eq ntp
          access-list acl_in extended permit udp host 192.168.xxx.15 any eq ntp
          access-list acl_in extended permit tcp object-group APP_SRVRS any eq 3535
          access-list acl_in extended permit tcp object-group APP_SRVRS any eq 9832
          access-list acl_in extended permit tcp object-group APP_SRVRS any eq 9932
          access-list acl_in extended permit tcp object-group APP_SRVRS any eq 4800
          access-list acl_out extended permit tcp any host xxx.xxx.xxx.148 eq www
          access-list acl_out extended permit tcp any host xxx.xxx.xxx.148 eq https
          access-list acl_out extended permit icmp any host xxx.xxx.xxx.148
          access-list acl_out extended permit tcp any host xxx.xxx.xxx.146 eq ftp
          access-list acl_out extended permit tcp any host xxx.xxx.xxx.149 eq ftp
          pager lines 24
          logging enable
          logging trap debugging
          logging host inside 192.168.xxx.2
          mtu outside 1500
          mtu inside 1500
          ip local pool ippool1 192.168.xxx.1-192.168.xxx.30
          failover
          failover lan unit primary
          failover lan interface failover Ethernet2
          failover lan enable
          failover link failover Ethernet2
          failover interface ip failover 172.xxx.xxx.1 255.255.255.0 standby 172.xxx.xxx.2
          icmp unreachable rate-limit 1 burst-size 1
          asdm image flash:/asdm
          no asdm history enable
          arp timeout 14400
          global (outside) 1 interface
          nat (inside) 0 access-list NONAT
          nat (inside) 1 192.168.xxx.0 255.255.255.0
          static (inside,outside) tcp xxx.xxx.xxx.149 ftp 192.168.xxx.10 ftp netmask 255.255.255.255
          static (inside,outside) xxx.xxx.xxx.148 192.168.xxx.235 netmask 255.255.255.255
          access-group acl_out in interface outside
          access-group acl_in in interface inside
          route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.145 1
          timeout xlate 3:00:00
          timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
          timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
          timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
          timeout uauth 0:05:00 absolute
          dynamic-access-policy-record DfltAccessPolicy
          no snmp-server location
          no snmp-server contact
          snmp-server enable traps snmp authentication linkup linkdown coldstart
          crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
          crypto dynamic-map OUTSIDE_DYN_MAP 20 set transform-set ESP-3DES-MD5
          crypto map OUTSIDE_MAP 30 match address S2SVPN
          crypto map OUTSIDE_MAP 30 set peer xxx.xxx.xxx.xxx
          crypto map OUTSIDE_MAP 30 set transform-set ESP-3DES-MD5
          crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
          crypto map OUTSIDE_MAP interface outside
          crypto isakmp identity address
          crypto isakmp enable outside
          crypto isakmp policy 10
          authentication pre-share
          encryption 3des
          hash md5
          group 2
          lifetime 86400
          crypto isakmp policy 20
          authentication pre-share
          encryption des
          hash md5
          group 1
          lifetime 86400
          crypto isakmp policy 65535
          authentication pre-share
          encryption 3des
          hash sha
          group 2
          lifetime 86400
          no crypto isakmp nat-traversal
          telnet xxx.xxx.xxx.0 255.255.255.0 inside
          telnet timeout 5
          ssh xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx outside
          ssh 192.168.xxx.0 255.255.255.0 inside
          ssh timeout 30
          ssh version 1
          console timeout 0
          threat-detection basic-threat
          threat-detection statistics access-list
          group-policy clientgroup internal
          group-policy clientgroup attributes
          dns-server value 192.168.xxx.2 192.168.xxx.15
          vpn-idle-timeout 20
          password-storage enable
          default-domain value servername.local
          username password encrypted
          username password encrypted
          username password encrypted
          username password encrypted
          username password encrypted
          username password encrypted
          username password encrypted
          username password encrypted
          username password encrypted
          username password encrypted
          username password encrypted privilege 15
          username password encrypted
          tunnel-group Users2VPN type remote-access
          tunnel-group Users2VPN general-attributes
          address-pool ippool1
          default-group-policy clientgroup
          tunnel-group Users2VPN ipsec-attributes
          pre-shared-key *
          tunnel-group xxx.xxx.xxx.155 type ipsec-l2l
          tunnel-group xxx.xxx.xxx.155 ipsec-attributes
          pre-shared-key *
          !
          class-map class_ftp
          match port tcp eq ftp-data
          class-map inspection_default
          match default-inspection-traffic
          !
          !
          policy-map type inspect dns preset_dns_map
          parameters
          message-length maximum 512
          policy-map global_policy
          class inspection_default
          inspect dns preset_dns_map
          inspect h323 h225
          inspect h323 ras
          inspect netbios
          inspect rsh
          inspect rtsp
          inspect skinny
          inspect sqlnet
          inspect sunrpc
          inspect tftp
          inspect sip
          inspect xdmcp
          inspect ftp
          inspect esmtp
          !
          service-policy global_policy global
          prompt hostname context
          Cryptochecksum:
          : end
          Last edited by SmoothRunnings; 7th April 2008, 19:14.

          • #6
            Re: Cisco VPN Client - Need Your Help!

            Yep looks good, thanks.
            Bearing in mind that once a config is static, unreliability is usually down to connection problems rather than config, but I would guess the following...

            I can't see if your interfaces are on auto or set. I would always recommend setting them to something like 100full. You may be able to see this if you do a show interface for the outside and inside. If there is a mismatch you will see errors on the int, and it does give random problems with connections.

            Also, I notice

            "no crypto isakmp nat-traversal"

            which means you will possibly have issues. Is it possible to test with this set to

            crypto isakmp nat-traversal

            You'll probably have to put a "20" on the end too, but let me know the output if it doesn't like this.
            cheers
            Andy

            • #7
              Re: Cisco VPN Client - Need Your Help!

              Originally posted by AndyJG247:
              Yep looks good, thanks.
              Bearing in mind that once a config is static, unreliability is usually down to connection problems rather than config, but I would guess the following...

              I can't see if your interfaces are on auto or set. I would always recommend setting them to something like 100full. You may be able to see this if you do a show interface for the outside and inside. If there is a mismatch you will see errors on the int, and it does give random problems with connections.

              Also, I notice

              "no crypto isakmp nat-traversal"

              which means you will possibly have issues. Is it possible to test with this set to

              crypto isakmp nat-traversal

              You'll probably have to put a "20" on the end too, but let me know the output if it doesn't like this.
              Both interfaces are currently set to Auto and are syncing at 100Mbit/Full; how do I set the interface to 100full?

              And does changing the "no crypto" to "crypto" affect anything on the PIX, such as users not being able to log in?

              a.
              Last edited by SmoothRunnings; 7th April 2008, 19:22.

              • #8
                Re: Cisco VPN Client - Need Your Help!

                It depends on your connection, but basically NAT generally breaks VPNs. This is a workaround for that.

                If you do a show interface, do you see any errors? It is possible there won't be any, but if there are then you will want to fix that as well.

                http://www.cisco.com/en/US/docs/secu...html#wp1804703
                should give the commands, but you can always just type interface and see what it brings up. Have a look for errors first though, as it may not be necessary if all is ok.
                cheers
                Andy

                • #9
                  Re: Cisco VPN Client - Need Your Help!

                  Originally posted by AndyJG247:
                  It depends on your connection, but basically NAT generally breaks VPNs. This is a workaround for that.

                  If you do a show interface, do you see any errors? It is possible there won't be any, but if there are then you will want to fix that as well.

                  http://www.cisco.com/en/US/docs/secu...html#wp1804703
                  should give the commands, but you can always just type interface and see what it brings up. Have a look for errors first though, as it may not be necessary if all is ok.
                  interface outside:

                  456339889 packets input, 242183700926 bytes, 0 no buffer
                  Received 115136 broadcasts, 0 runts, 0 giants
                  4 input errors, 0 CRC, 0 frame, 4 overrun, 0 ignored, 0 abort
                  0 L2 decode drops
                  527982603 packets output, 289771898794 bytes, 0 underruns
                  0 output errors, 0 collisions, 0 interface resets
                  0 babbles, 0 late collisions, 0 deferred
                  0 lost carrier, 0 no carrier
                  input queue (curr/max packets): hardware (0/1) software (0/204)
                  output queue (curr/max packets): hardware (0/103) software (0/4)
                  Traffic Statistics for "outside":
                  457336487 packets input, 234803909889 bytes
                  527982616 packets output, 280815989190 bytes
                  1948296 packets dropped


                  Interface inside:

                  540056844 packets input, 290443260914 bytes, 0 no buffer
                  Received 12263746 broadcasts, 0 runts, 0 giants
                  942 input errors, 0 CRC, 0 frame, 942 overrun, 0 ignored, 0 abort
                  0 L2 decode drops
                  521192839 packets output, 252737092148 bytes, 0 underruns
                  0 output errors, 49984 collisions, 0 interface resets
                  0 babbles, 47865 late collisions, 3097 deferred
                  3 lost carrier, 0 no carrier
                  input queue (curr/max packets): hardware (0/1) software (0/397)
                  output queue (curr/max packets): hardware (0/12 software (0/12)
                  Traffic Statistics for "inside":
                  541302046 packets input, 281944381080 bytes
                  521284352 packets output, 243704581300 bytes
                  13519303 packets dropped

                  I am not sure if the collisions are the kinds of errors you are referring to?

                  Andrew

                  • #10
                    Re: Cisco VPN Client - Need Your Help!

                    Originally posted by SmoothRunnings:

                    Interface inside:

                    540056844 packets input, 290443260914 bytes, 0 no buffer
                    Received 12263746 broadcasts, 0 runts, 0 giants
                    942 input errors, 0 CRC, 0 frame, 942 overrun, 0 ignored, 0 abort
                    0 L2 decode drops
                    521192839 packets output, 252737092148 bytes, 0 underruns
                    0 output errors, 49984 collisions, 0 interface resets
                    0 babbles, 47865 late collisions, 3097 deferred
                    3 lost carrier, 0 no carrier
                    input queue (curr/max packets): hardware (0/1) software (0/397)
                    output queue (curr/max packets): hardware (0/12 software (0/12)
                    Traffic Statistics for "inside":
                    541302046 packets input, 281944381080 bytes
                    521284352 packets output, 243704581300 bytes
                    13519303 packets dropped

                    I am not sure if the collisions are the kinds of errors you are referring to?

                    Andrew
                    By looking at your inside interface, I think you have a duplex mismatch.
                    CCNA, Network+

                    • #11
                      Re: Cisco VPN Client - Need Your Help!

                      Yep, collisions aren't good, but to be fair there aren't that many compared to the amount that have gone through. Will you have a chance to try the nat-traversal?
                      cheers
                      Andy

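As an added triage example (not code from the thread, from Cisco, or from any of the posters), the Python below checks the two leads raised in posts #6 to #11: it parses the 'show interface' counters Andrew posted for late collisions, which cannot occur on a genuinely full-duplex link and so point at a duplex mismatch with the peer port, and it looks through a 'show run' excerpt for the 'no crypto isakmp nat-traversal' line Andy flagged. The function names and the short config excerpt are assumptions; the inside-interface counter values are the ones from post #9.

```python
import re

# Hypothetical triage helpers (not a Cisco tool) for the two leads in this thread:
# late collisions in 'show interface' (duplex mismatch) and 'no crypto isakmp
# nat-traversal' in 'show run'. Counter values below are the ones posted above.

FIELD_RE = re.compile(r"^(?:Received\s+)?(\d+)\s+(.+?)\s*$")

def parse_counters(show_interface_text):
    """Map 'show interface' counter names to ints, e.g. {'late collisions': 47865}.
    Comma-separated fields that do not start with a number (queue stats) are skipped."""
    counters = {}
    for line in show_interface_text.splitlines():
        for field in line.split(","):
            m = FIELD_RE.match(field.strip())
            if m:
                counters[m.group(2)] = int(m.group(1))
    return counters

def duplex_mismatch_indicators(counters):
    """Late collisions cannot occur on a true full-duplex link, so any non-zero
    count on a port that reports 100/Full points at the peer running half duplex."""
    late = counters.get("late collisions", 0)
    out_pkts = counters.get("packets output", 0) or 1
    return {
        "late_collisions": late,
        "deferred": counters.get("deferred", 0),
        "overrun": counters.get("overrun", 0),
        "late_collisions_per_million_out": round(late * 1_000_000 / out_pkts, 1),
        "suspect": late > 0,
    }

NATT_RE = re.compile(r"^(no\s+)?crypto\s+isakmp\s+nat-traversal(\s+\d+)?$")

def natt_status(running_config):
    """Return 'disabled', 'enabled' or 'absent' for ISAKMP NAT traversal in a 'show run'."""
    for line in running_config.splitlines():
        m = NATT_RE.match(line.strip())
        if m:
            return "disabled" if m.group(1) else "enabled"
    return "absent"

# Counters posted for the PIX "inside" interface in this thread (abridged).
INSIDE_SHOW_INT = """\
540056844 packets input, 290443260914 bytes, 0 no buffer
Received 12263746 broadcasts, 0 runts, 0 giants
942 input errors, 0 CRC, 0 frame, 942 overrun, 0 ignored, 0 abort
521192839 packets output, 252737092148 bytes, 0 underruns
0 output errors, 49984 collisions, 0 interface resets
0 babbles, 47865 late collisions, 3097 deferred
"""

# Constructed excerpt of a 'show run' containing the line Andy flagged.
SAMPLE_CONFIG = "crypto isakmp enable outside\nno crypto isakmp nat-traversal\ntelnet timeout 5\n"

if __name__ == "__main__":
    print("inside:", duplex_mismatch_indicators(parse_counters(INSIDE_SHOW_INT)))
    print("nat-traversal:", natt_status(SAMPLE_CONFIG))
```

The inside interface comes out as suspect (about 92 late collisions per million packets sent), while an interface whose 'late collisions' counter reads 0 does not, which matches the split between the two interfaces posted above.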