problem with VPN connection from VPN client to HO PIX

Unanswered Question
Feb 9th, 2007

Hi all, I am facing a problem with one of my branch users. Actually, branch users are not able to communicate with the Head Office server over VPN using the Cisco VPN client. At head office the VPN is terminating on a Cisco router, and behind it there is a PIX firewall. At the branch office we have a PIX firewall on which we have terminated our ADSL connection, with a static public IP assigned by the ISP. Now the problem is that when I remove the PIX from the branch office and connect the ADSL directly to a PC, users are successfully connecting to the VPN and can communicate with the HO server, but when I install the PIX at the branch office they successfully connect to the VPN and get the IP from the HO Cisco router, but are not able to communicate with the HO servers, in fact with any IP at HO. Please help me, it's very urgent. I am attaching the config of the HO router, HO PIX and branch office PIX.

vkapoor5 Thu, 02/15/2007 - 11:33

Before you can establish a VPN connection, you must have:

  • At least one connection entry configured on the VPN Client
  • User authentication information. This includes your username and password, and depending on the configuration of your connection entry, might also include:
      • Passwords for RADIUS authentication
      • VPN group name and password for connections to VPN devices
      • PINs for RSA Data Security
      • Digital certificates and associated passwords
  • An Internet connection

Jon Marshall Fri, 02/16/2007 - 03:08

Hi

I think the problem you have here is that the Pix 506 is doing PAT and you have no exemption for your VPN clients. You can do one of two things:

1) Enable NAT-T on your headend router.

2) Create a NAT exemption for the VPN clients on your Pix506.

Attached is a link to a Cisco doc for troubleshooting common IPsec problems. Both solutions 1 & 2 are covered in this doc.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

HTH

Jon
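
Added example, not part of the reply above and not Cisco code: a small Python check that tells raw ESP (IP protocol 50, which has no ports for PAT to translate) apart from NAT-T traffic (IKE and ESP carried in UDP/4500, per RFC 3947/3948), which is the difference option 1 makes on the wire. The packets, addresses, SPI value and the helper names `ipv4`, `udp`, `classify` and `diagnose` are constructed for illustration; real input would be raw IPv4 packets from a capture taken on the client side of the PAT device.

```python
import socket
import struct

ESP, UDP, IKE_PORT, NATT_PORT = 50, 17, 500, 4500

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet from a VPN client by IPsec transport type."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] == ESP:
        return "raw-esp"              # IP protocol 50 has no ports for PAT to rewrite
    if pkt[9] != UDP or len(pkt) < ihl + 8:
        return "other"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data = pkt[ihl + 8:]
    if NATT_PORT in (sport, dport):
        if data == b"\xff":
            return "natt-keepalive"   # RFC 3948 one-byte keepalive
        if data[:4] == b"\x00" * 4:
            return "ike-natt"         # non-ESP marker, then an IKE message
        return "esp-in-udp"           # first 4 bytes are a non-zero SPI
    return "ike" if IKE_PORT in (sport, dport) else "other"

def diagnose(packets) -> str:
    """Summarise a capture: does tunnel data have a form that survives PAT?"""
    kinds = {classify(p) for p in packets}
    if "esp-in-udp" in kinds:
        return "nat-t"                # data rides UDP/4500 and can be port-translated
    if "raw-esp" in kinds:
        return "raw-esp-behind-pat"   # matches the symptom: VPN connects, no traffic passes
    return "ike-only" if kinds & {"ike", "ike-natt"} else "no-ipsec"

# --- constructed sample packets (checksums left at zero, documentation addresses) ---
def ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.1"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

SPI = b"\x00\x00\x10\x01"             # constructed non-zero SPI
WITHOUT_NATT = [ipv4(UDP, udp(500, 500, b"\x11" * 28)), ipv4(ESP, SPI + b"\x00" * 16)]
WITH_NATT = [ipv4(UDP, udp(500, 500, b"\x11" * 28)),
             ipv4(UDP, udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),
             ipv4(UDP, udp(4500, 4500, SPI + b"\x00" * 16)),
             ipv4(UDP, udp(4500, 4500, b"\xff"))]

if __name__ == "__main__":
    print(diagnose(WITHOUT_NATT), diagnose(WITH_NATT))
```
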

jain.nitin Mon, 02/19/2007 - 03:09

Thanks Jon,

It's working. We have enabled NAT-T at the head end router and now the PIX 506 side clients are able to access HO, but now I have another problem: other VPN clients, which were working fine before connecting this new branch, are now facing slowness. Actually, we upgraded the IOS of this headend router along with enabling NAT-T. I don't know where the problem is now.

please help me.

Thanks

Ninja
