Question about cisco VPN access

nice343 Member Posts: 391
I set up a VPN on our company router, and from outside on the internet the only computer that can be accessed through the VPN is the DNS/Active Directory server. After a user authenticates, they can ping hosts in the company but cannot access any host except the server. Does anyone know what might be the problem?


I know it is not a Cisco problem because when I connect to the VPN server I can ping anything on the network, but when it comes to network access only the server can be accessed. The hosts can be pinged but they cannot be accessed. I am going nuts right now.
My daily blog about IT and tech stuff
http://techintuition.com/

Comments

  • leefdaddy Member Posts: 405
    How are you trying to access them??

    Is Remote Desktop enabled on the clients?
    Dustin Leefers
  • nice343 Member Posts: 391
    leefdaddy wrote:
    How are you trying to access them??

    Is Remote Desktop enabled on the clients?

    Remote Desktop works fine.

    But when I do \\192.168.15.1 the host cannot be accessed; I get an error. When I ping 192.168.15.1 it works fine.

    Remote Desktop works, but that is not what I am experimenting with.

    The addresses are public, not private. I don't want to type the public ones, but I hope you get the idea.
    My daily blog about IT and tech stuff
    http://techintuition.com/
  • paintb4707 Member Posts: 420
    nice343 wrote:
    leefdaddy wrote:
    How are you trying to access them??

    Is Remote Desktop enabled on the clients?

    Remote Desktop works fine.

    But when I do \\192.168.15.1 the host cannot be accessed; I get an error. When I ping 192.168.15.1 it works fine.

    Remote Desktop works, but that is not what I am experimenting with.

    The addresses are public, not private. I don't want to type the public ones, but I hope you get the idea.

    Correct me if I'm wrong, but doesn't the RPC command have to be used with a private address?
  • nice343 Member Posts: 391
    paintb4707 wrote:
    nice343 wrote:
    leefdaddy wrote:
    How are you trying to access them??

    Is Remote Desktop enabled on the clients?

    Remote Desktop works fine.

    But when I do \\192.168.15.1 the host cannot be accessed; I get an error. When I ping 192.168.15.1 it works fine.

    Remote Desktop works, but that is not what I am experimenting with.

    The addresses are public, not private. I don't want to type the public ones, but I hope you get the idea.

    Correct me if I'm wrong, but doesn't the RPC command have to be used with a private address?

    The internal addresses are public, not private. When I connect to the server I can ping everything on the network but can only access the DNS server.
    My daily blog about IT and tech stuff
    http://techintuition.com/
  • APA Member Posts: 959
    Do you have ACLs allowing the VPN IP range access to your internal clients???

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
  • nice343 Member Posts: 391
    A.P.A wrote:
    Do you have ACLs allowing the VPN IP range access to your internal clients???

    I have created a VPN pool, but what happens is that when a client connects over the internet, that IP address is inserted into the routing table.

    I don't have an ACL blocking the VPN address range. But I do have an ACL on the router which permits POP3, SMTP, DNS and some of the regular ports. I don't know if there's a port I have to open for the VPN clients to be able to establish connectivity beyond just a ping, or if it is just a Microsoft problem, not Cisco?
    My daily blog about IT and tech stuff
    http://techintuition.com/
  • APA Member Posts: 959
    Yeah, that's fine... The range will always be inserted into the routing table........

    But you will need to provide access so that the VPN range can access your internal clients, either IP for everything or TCP/UDP for whatever ports you want them to access........

    Are you able to provide some more info (e.g. the setup and what you currently have)? This way we can get a better idea of where you are going wrong.....

    I seriously think it is an access-permission issue.....

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
  • nice343 Member Posts: 391
    Current configuration : 4156 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    enable password xxxxxxxxxxx
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    !
    !
    aaa session-id common
    ip cef
    !
    !
    !
    !
    ip domain name xxxxxxxxxxxx
    ip name-server xxxxxxxxxxxxxxxxxx
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    username xxxxxxx password 0 xxxxxx
    username xxxxxxx privilege 15 secret 5 $1$W6qA$5ZeE7gV6otwRd/ts4oGvA.
    username xxxxx privilege 15 secret 5 $1$X29A$8JANeNVDxebDScBhmWVr50
    !
    vlan internal allocation policy ascending
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group Bytesso
     key xxxxxxxx
     dns xxxxxxxx
     domain xxxxxxxxx
     pool SDM_POOL_1
     netmask 255.255.255.248
    crypto isakmp profile sdm-ike-profile-1
     match identity group Bytesso
     client authentication list sdm_vpn_xauth_ml_1
     isakmp authorization list sdm_vpn_group_ml_1
     client configuration address respond
     virtual-template 1
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto ipsec profile SDM_Profile1
     set transform-set ESP-3DES-SHA
     set isakmp-profile sdm-ike-profile-1
    !
    !
    !
    !
    ip local pool SDM_POOL_1 192.160.163.11 192.160.163.13
    !
    interface Virtual-Template1 type tunnel
     ip unnumbered FastEthernet0/1
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile SDM_Profile1


    Everything works fine, including Remote Desktop and ping. I just can't access files for some reason, except the ones on the DNS/Active Directory server.
    My daily blog about IT and tech stuff
    http://techintuition.com/
  • APA Member Posts: 959
    So RDP is working???

    Have you checked your share permissions on the servers that you are trying to access????

    Are the users using A.D to authenticate???

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
  • nice343 Member Posts: 391
    A.P.A wrote:
    So RDP is working???

    Have you checked your share permissions on the servers that you are trying to access????

    Are the users using A.D to authenticate???

    Users use the local database on the router.

    Remote Desktop is working, but I want the VPN clients to be able to access shared folders without using Remote Desktop.
    My daily blog about IT and tech stuff
    http://techintuition.com/
  • blargoe Member Posts: 4,174
    So you can ping and RDP but not browse a share...

    What is the exact error that you get?
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • nice343 Member Posts: 391
    blargoe wrote:
    So you can ping and RDP but not browse a share...

    What is the exact error that you get?
    "network path was not found"
    My daily blog about IT and tech stuff
    http://techintuition.com/
  • APA Member Posts: 959
    By using process of elimination..... What is different between the hosts you can't access and the DNS\A.D Server......?????

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
  • nice343 Member Posts: 391
    A.P.A wrote:
    By using process of elimination..... What is different between the hosts you can't access and the DNS\A.D Server......?????

    the hosts are connected over the internet
    My daily blog about IT and tech stuff
    http://techintuition.com/
  • gojericho0 Member Posts: 1,059
    Can you UNC path into a workstation directly from the Server console and not going through the VPN?
  • nice343 Member Posts: 391
    gojericho0 wrote:
    Can you UNC path into a workstation directly from the Server console and not going through the VPN?

    yes
    My daily blog about IT and tech stuff
    http://techintuition.com/
  • gojericho0 Member Posts: 1,059
    OK, will the ACL on the router allow TCP ports 139 and 445 to connect to the hosts?

    These are for NetBIOS and CIFS, the protocols used for file sharing.
  • Ahriakin Member Posts: 1,799
    Have you cleared port 445 on your router for the VPN subnets -> Private? Also what happens if you specify a share rather than try to enumerate them as you are doing (ie. \\192.168.xxx.xxx\c$ )?
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • nice343 Member Posts: 391
    Ahriakin wrote:
    Have you cleared port 445 on your router for the VPN subnets -> Private? Also what happens if you specify a share rather than try to enumerate them as you are doing (i.e. \\192.168.xxx.xxx\c$ )?

    I tried it and it doesn't work. And what do you mean by clearing ports?
    My daily blog about IT and tech stuff
    http://techintuition.com/
  • nice343 Member Posts: 391
    gojericho0 wrote:
    OK, will the ACL on the router allow TCP ports 139 and 445 to connect to the hosts?

    These are for NetBIOS and CIFS, the protocols used for file sharing.

    Should I permit any TCP connection to the internal network through ports 139 and 445?

    Is that what you are trying to say?
    My daily blog about IT and tech stuff
    http://techintuition.com/
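As an added illustration of the ACL point raised by APA and gojericho0 above (example code written for this page, not from any poster or from the router config shown): a small Python evaluator for Cisco-style extended ACL lines, run against a constructed "before" ACL that permits mail, DNS, RDP and ICMP (approximating what nice343 describes) and an "after" ACL that adds TCP 445/139 from the VPN pool 192.160.163.8/29 only, rather than from "any". The 192.168.15.0/24 internal LAN and the exact ACL lines are assumptions; the pool network comes from the posted pool range and netmask.

```python
import ipaddress

# Constructed sample ACLs, not from the thread's router. ACL_BEFORE approximates what
# nice343 describes (mail, DNS, RDP, ICMP permitted); anything else hits the implicit deny.
ACL_BEFORE = """
permit tcp any any eq 25
permit tcp any any eq 110
permit udp any any eq 53
permit tcp any any eq 3389
permit icmp any any
"""
# Corrected ACL: adds SMB (445) and NetBIOS session (139) from the VPN pool 192.160.163.8/29
# (pool and netmask from the posted config) to an assumed 192.168.15.0/24 internal LAN only.
ACL_AFTER = ACL_BEFORE + """
permit tcp 192.160.163.8 0.0.0.7 192.168.15.0 0.0.0.255 eq 445
permit tcp 192.160.163.8 0.0.0.7 192.168.15.0 0.0.0.255 eq 139
"""

def _addr(tokens):
    """Pop one address spec ('any', 'host A' or 'A WILDCARD'); return (addr, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _port(tokens):
    """Pop an optional 'eq N' operator (numeric ports only); None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def acl_permits(acl, proto, src, dst, dport=None, sport=None):
    """First matching line wins, top to bottom; falling off the end is the implicit deny."""
    src_i, dst_i = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for tokens in (line.split() for line in acl.splitlines() if line.strip()):
        action, line_proto, rest = tokens[0], tokens[1], tokens[2:]
        s_addr, s_wild = _addr(rest)
        s_port = _port(rest)
        d_addr, d_wild = _addr(rest)
        d_port = _port(rest)
        # Wildcard bit 1 = "don't care": OR the mask into both sides before comparing.
        if (line_proto in (proto, "ip")
                and (src_i | s_wild) == (s_addr | s_wild) and (dst_i | d_wild) == (d_addr | d_wild)
                and s_port in (None, sport) and d_port in (None, dport)):
            return action == "permit"
    return False
```

The evaluator only answers whether a given set of lines permits a flow; which interface and direction the ACL is applied to decides which traffic it actually sees.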