
cisco vpn help needed

fjorner

Senior member
Hey folks

Using Windows XP Home and a Dell Truemobile 1184 router at home.

I can connect to my work's CISCO VPN with IPSec/TCP.

But I cannot see any network drives or workgroup. As in, I can't use remote desktop to get into my Windows Server 2000 machine - or any machine - at the office. Can somebody help me with the configuration of my home machine? I do assume it's a configuration problem on my machine. Obviously, other people can log into the VPN and remote desktop in.

Also, I do suspect the problem isn't with Remote Desktop (even though I am forwarding UDP 3389 to my machine in my router).

Is this a limitation of XP Home? Please help!

BTW, I can see my home network workgroup. Is this overriding or replacing the VPN's inherited workgroup at work?
 
Have you tried it with "Transparent Tunneling / UDP?"

Usually it's the other way around. Once you connect to the VPN, unless specifically permitted by the server, you wouldn't have access to your LAN and / or access outside the tunnel to the Internet.

Which version of Cisco's client are you using?

If it's in the 3's or early 4s, you might check out a new version of the client software. I think 4.06 is current (or at least recent).

Good Luck

Scott


 
Make sure the IP scheme at home and work don't overlap - if both use 192.168.1.x / 24, then chances are your PC can't tell how to route traffic.
Do an ipconfig and tell us what you see. You should get 2 results.
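
The overlap check described above, as an added example that is not part of the original thread: a Python script that parses `ipconfig`-style output and reports adapters whose subnets overlap. The sample output and its addresses are constructed, and `parse_adapters` and `overlapping` are hypothetical helper names.

```python
import ipaddress
import itertools
import re

# Constructed sample in the shape of XP "ipconfig" output (addresses made up):
# the home LAN and the VPN adapter both sit inside 192.168.x.x.
SAMPLE = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Local Area Connection 3:

        IP Address. . . . . . . . . . . . : 192.168.1.77
        Subnet Mask . . . . . . . . . . . : 255.255.252.0
        Default Gateway . . . . . . . . . :
"""

FIELD = re.compile(r"(IP(?:v4)? Address|Subnet Mask)[ .]*:\s*(\d+(?:\.\d+){3})")

def parse_adapters(text):
    """Return {adapter name: IPv4Network} from ipconfig-style text.

    Adapters whose address or mask is missing or masked out (e.g. 10.x.x.xx)
    are skipped, because no subnet can be computed for them.
    """
    adapters, name, ip = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r".* adapter (.+):$", line)
        if head:
            name, ip = head.group(1), None
            continue
        field = FIELD.match(line)
        if not field or name is None:
            continue
        if field.group(1) == "Subnet Mask":
            if ip:  # address + mask -> containing network
                adapters[name] = ipaddress.ip_network(f"{ip}/{field.group(2)}", strict=False)
        else:
            ip = field.group(2)
    return adapters

def overlapping(adapters):
    """Return pairs of adapter names whose subnets overlap."""
    return [(a, b) for a, b in itertools.combinations(sorted(adapters), 2)
            if adapters[a].overlaps(adapters[b])]

if __name__ == "__main__":
    print(overlapping(parse_adapters(SAMPLE)))
```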
 
Originally posted by: Cooky
Make sure the IP scheme at home and work don't overlap - if both use 192.168.1.x / 24, then chances are your PC can't tell how to route traffic.
Do an ipconfig and tell us what you see. You should get 2 results.

:thumbsup: Happened to me when I made a static tunnel from our main office to my house. I accidentally used a scheme that was in use and another location across the frame and even that didn't allow me to resolve anything at home from being at the office. Made the changes and it worked fine.
 
You'll still need some kind of name resolution (WINS, DNS)

Once connected the VPN concentrator should provide the IP information (address, mask, dns, wins, etc). The DNS/WINS server would be the ones on the work network you are connecting to.
 
OK, thanks for the replies folks. Let me know what else to look at...

C:\Documents and Settings\Owner>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.2.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . : xxxx.com
IP Address. . . . . . . . . . . . : 10.x.x.xx
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . :

Marked out some stuff with x's for privacy.

Doesn't look like I'm getting a gateway for network connection 3, which is the VPN Client 4.6.00.0045

I have enabled transparent tunnelling over TCP port 10000, and I am forwarding port 10000 to my IP address in my router.

Should I do the "setup a small or home office network" wizard? What options if so?
 
Is the problem on their end? My other coworkers have no problem getting to the VPN and getting into remote desktop, network drives, etc.
 
well if you've messed with any of the settings the client may have to be reconfigured.

Make sure you don't have any firewall, are not behind any NAT routers/devices as well. Even though you changed it to "nat traversal" the concentrator has to be setup for that as well.
 
Can you get anywhere on your corporate network when you are VPN'ed in? Your default gateway should be the same as your IP address for the VPN tunnel and unless your company has some firewall policies in place to block the traffic that you specified it should work fine. Also, the reason that you cannot get to your home network when you are VPN'ed in is that your company probably does not have split tunneling enabled which means that all traffic that goes to and from your PC is sent over the VPN tunnel.
 
well if you've messed with any of the settings the client may have to be reconfigured.

Haven't, using the file that my IT department provided.

Make sure you don't have any firewall, are not behind any NAT routers/devices as well. Even though you changed it to "nat traversal" the concentrator has to be setup for that as well.

I was behind a NAT router. But even when I plugged my cat5 directly into my cable modem, bypassing and disconnecting the router, I still couldn't see anything.

Can you get anywhere on your corporate network when you are VPN'ed in?

No. When I am connected to the VPN, I can't do anything new that I couldn't do while not connected. No networked drives, no drive mappings, nothing in network places.

Your default gateway should be the same as your IP address for the VPN tunnel and unless your company has some firewall policies in place to block the traffic that you specified it should work fine.

Not sure about the gateway/IP address, I assume there is a config problem there. My company doesn't have any firewall policies against this, many of my other coworkers use this service.

Also, the reason that you cannot get to your home network when you are VPN'ed in is that your company probably does not have split tunneling enabled which means that all traffic that goes to and from your PC is sent over the VPN tunnel.

I CAN get on to my home network. That remains unchanged. I CANNOT see my work network, which is the problem.

Any more suggestions are welcome!
 
do "ipconfig/all" while connected.

See if you have DNS or WINS servers listed.

From a command prompt type "ping x.x.x.x" using the ip address of your DNS or WINS server. That will confirm basic IP connectivity through the VPN.
 
C:\Documents and Settings\Owner>ipconfig/all

Windows IP Configuration

Host Name . . . . . . . . . . . . : compaq
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : xxxx.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-40-2B-66-E5-xx
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.2.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1
Lease Obtained. . . . . . . . . . : Tuesday, September 13, 2005 6:59:12 PM
Lease Expires . . . . . . . . . . : Friday, September 16, 2005 6:59:12 PM

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . : uclc.com
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.2.x.11
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.1.0.xxx
10.32.2.xxx
Primary WINS Server . . . . . . . : 10.1.0.11
Secondary WINS Server . . . . . . : 10.1.0.12



Okay folks, see above the ipconfig/all. I'm now officially offering a $5 award for the person who helps me solve this problem, to be paid via paypal. 🙂

I CAN ping the VPN adapter's DNS servers but I CANNOT ping my VPN adapter's WINS servers...

Please review my big post two posts previous. Any more ideas??

 
well folks, I brought home a work laptop. I could get into the VPN and remote desktop no problems. So the problem in this situation, meticulously detailed above, is obviously [Zoolander] In the computer! [/Zoolander]

Does that turn any lightbulbs on?
 
Originally posted by: fjorner
C:\Documents and Settings\Owner>ipconfig/all

Windows IP Configuration

Host Name . . . . . . . . . . . . : compaq

Problem found! It's a Crapaq 😉
 
LOL ok I admit that's funny. 😀

I used to and still do dislike Compaq... this is a 2.4ghz celeron from Compusa for $300. I've since put in 512 mem and a 128 pci vid card and it does everything I want it to do, including video editing and cd burning, Madden 2006, Far Cry, photoshop, IE, etc. I'm not giving any praise to celeron or compaq, just to my own resourcefulness and lowered expectations. 😀

Any other leads? I think I'm just going to have to upgrade to xp pro eventually to see if that's the problem.

 
Check your route details in the Cisco client when you are connected. See what networks the adapter has routes for.
 
I saw this problem recently with one of our people behind someone else's firewall. Make sure that IP 50 is permitted through the firewall in all directions. My users were able to connect, draw an IP, etc. but could not do anything on my network once connected. The firewall admin at the remote location opened TCP 50 instead of IP 50 (ESP). Check to make sure someone else didn't make that mistake or failed to clear ESP in the firewall somewhere. I'll take my $5 now, thanks. 😉
 
When you took the work laptop home were you logging into a domain account that you usually use at work? As opposed to using a local account on your home laptop since XP home cannot be joined to a domain. If that was the case you could be picking up the login scripts from work when you logged in which will map drives...etc.

Oh and one other item...is your XP firewall enabled? If so try turning that off also.

John
 
Originally posted by: netsysadmin
When you took the work laptop home were you logging into a domain account that you usually use at work? As opposed to using a local account on your home laptop since XP home cannot be joined to a domain. If that was the case you could be picking up the login scripts from work when you logged in which will map drives...etc.

On my work laptop, I couldn't logon to the domain and get the domain script without first being on the VPN, right?

Oh and one other item...is your XP firewall enabled? If so try turning that off also.

That was the first thing I turned off. I wish it were that easy. 😀

Originally posted by: Rogue
The firewall admin at the remote location opened TCP 50 instead of IP 50 (ESP). Check to make sure someone else didn't make that mistake or failed to clear ESP in the firewall somewhere.

Like I said, I could get in with another computer behind the same router/firewall, I am fairly certain that the problem is [zoolander] in the computer [/zoolander], as opposed to in my router or my work's vpn setup.

 