VPN client through PIX to client site

Unanswered Question
Jun 5th, 2007
User Badges:

I have a PIX 515e running 6.3(5) with multiple site-to-site vpns configured and all is well. However when a user inside my LAN tries to launch a vpn client, whether it is Cisco IPSec or MS SSL, in order to connect to a client (these clients are not part of any of our site-to-site tunnels) they cannot get a connection.

My setup is lan ->pix->2691 router-> internet.

If I put my laptop in between the pix and the router with a public address I can get to any of these clients without any problems.

I have NAT-T enabled as well as sysopt connection permit-ipsec.

With Ethereal I see traffic going out but not coming back in.

Any help?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
m.sir Tue, 06/05/2007 - 22:05
User Badges:
  • Gold, 750 points or more

did you permit UDP ports 500 and 4500 on the PIX???

Also check that in your VPN client (transport tab) is enabled transport tunneling (IPsec over UDP)


pstebner1 Wed, 06/06/2007 - 07:45
User Badges:

I did explicity permit those ports, though I never see them take hits in the access-list.

I found out that certain client VPN connections do work from inside the LAN here. It appears that the one specific client IPSec VPN problem is with a client who is not using NAT. I cannot turn off NAT-T here as I have site-to-site tunnels configured. Is there a way around this? Also, I still have issues with MS SSL VPNs.



pstebner1 Wed, 06/06/2007 - 08:53
User Badges:

I just figured out how to do it - I had to use a static NAT statement so that I could bypass PAT and not be affected by NAT-T.

access-list VPNACCESS permit ip mylocalip remoteclassB

static (inside,outside) 69.xx.yy.zzz access-list VPNACCESS



This Discussion