VPN Pix 501 issue

Unanswered Question
Jun 14th, 2007

Attempting to configure the following:

h - p1 - I - p2

h - host

p1 - 501 PIX (I control)

I - Internet

p2 - Cisco Device with VPN enabled.

I can VPN from home into p1 and establish a connection; however, when I am behind p1 and attempt to VPN to p2, I can establish a connection but can't pass traffic. I have PAT running on my PIX (p1).

I understand that I should not have the 101 ACLs configured the way they are currently; I'm just trying to rule out that my ACLs were blocking.

Thanks

-T-

Does the 501 allow this functionality?

acomiskey Thu, 06/14/2007 - 04:32

What device is p2? If it is a pix you need the command isakmp nat-traversal. Whatever it is needs nat-t.

tstrunce Thu, 06/14/2007 - 04:47

Unfortunately I have no control over p2; this is a customer's device. I do not have a VPN tunnel connecting the two devices, I just want to be able to use the Cisco client from inside p1 and connect to p2.

I am able to connect if I remove p1 and replace it with a Linksys. p1 is not allowing something. I just don't know what it is.

acomiskey Thu, 06/14/2007 - 04:55

tstrunce, that is not necessarily the case. I understand you are not tunneling between the devices. Since your PIX is doing PAT, you must be able to do NAT traversal from your client. This means your client must be configured and the remote endpoint must be configured for NAT-T. Your PIX is not blocking anything.

Another option is to do "fixup protocol esp-ike" on your PIX; this will allow for one VPN connection and one only. You will also not be able to terminate VPNs on your PIX.

A one-to-one static on your client will help as well if you have an extra IP address.

tstrunce Thu, 06/14/2007 - 05:04

OK, I understand now. PAT is the issue.

"fixup protocol esp-ike" is not an option because I need users to be able to VPN in. I've seen this command before in the past, I just didn't understand what it did.

How does a 1-to-1 static work? I understand that I would need another external IP address on my side; however, would the other IP address be the external interface on p2?

BTW, thanks so much for the response!

acomiskey Thu, 06/14/2007 - 05:10

It works like this: basically it would NAT the client 192.168.1.1 to 1.1.1.1, not PAT, therefore allowing you to connect.

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

tstrunce Thu, 06/14/2007 - 05:18

So basically

static (inside,outside) netmask <32-bit>

which would be a specific single host surfing the Internet using NAT.

acomiskey Thu, 06/14/2007 - 05:18

You could also try "isakmp nat-traversal" on your PIX. I have heard this may help, but not in my experience. Make sure you have enabled transparent tunneling in your VPN client config, UDP 4500.
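
As an added illustration (not part of the thread), this Python toy model shows why PAT on p1 cannot carry plain ESP from the inside client, and how each of the three fixes discussed above (a static 1:1 translation, "fixup protocol esp-ike", and NAT-T encapsulation in UDP 4500) changes the outcome. All addresses, hosts and SPIs are constructed sample values.

```python
from dataclasses import dataclass

OUTSIDE_IP = "203.0.113.10"  # PIX outside interface (constructed address)

@dataclass(frozen=True)
class Packet:
    src: str          # source IP before (inside) or after (outside) translation
    proto: str        # "udp" (NAT-T on port 4500 is UDP) or "esp" (IP protocol 50)
    sport: int = 0    # source port; 0 for ESP, which carries no ports at all
    spi: int = 0      # ESP security parameter index (opaque to the PIX)

class PatBox:
    """Toy PIX doing PAT: all inside hosts share OUTSIDE_IP, flows kept apart by port."""
    def __init__(self, statics=None, esp_ike_fixup=False):
        self.statics = statics or {}   # inside IP -> dedicated outside IP (static 1:1)
        self.esp_ike_fixup = esp_ike_fixup
        self.next_port = 1024
        self.esp_owner = None          # the single host the esp-ike fixup may serve

    def translate(self, pkt):
        # static (inside,outside) <outside> <inside> netmask 255.255.255.255:
        # the host owns a public address, so ESP needs no port to stay distinguishable.
        if pkt.src in self.statics:
            return Packet(self.statics[pkt.src], pkt.proto, pkt.sport, pkt.spi)
        if pkt.proto == "udp":
            # PAT proper: allocate a unique source port, which NAT-T (ESP in UDP/4500) has.
            self.next_port += 1
            return Packet(OUTSIDE_IP, "udp", self.next_port, pkt.spi)
        # Raw ESP has no port, so PAT cannot map returning traffic back to an inside host.
        if not self.esp_ike_fixup:
            return None
        # fixup protocol esp-ike: the PIX lets exactly one inside host run ESP at a time.
        if self.esp_owner in (None, pkt.src):
            self.esp_owner = pkt.src
            return Packet(OUTSIDE_IP, "esp", 0, pkt.spi)
        return None

def scenarios():
    """Run the cases from the thread; None means the PIX could not translate the packet."""
    client, other = "192.168.1.1", "192.168.1.2"   # constructed inside hosts
    plain, fixup = PatBox(), PatBox(esp_ike_fixup=True)
    static = PatBox(statics={client: "203.0.113.11"})
    return {
        "pat_esp": plain.translate(Packet(client, "esp", spi=0x1001)),
        "pat_natt": plain.translate(Packet(client, "udp", 4500, 0x1001)),
        "fixup_first": fixup.translate(Packet(client, "esp", spi=0x1001)),
        "fixup_second": fixup.translate(Packet(other, "esp", spi=0x2002)),
        "static_esp": static.translate(Packet(client, "esp", spi=0x1001)),
    }
```

Only "pat_esp" (plain ESP through PAT) and "fixup_second" (a second ESP host once the fixup is serving the first) come back as None, matching the behaviour acomiskey describes.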

tstrunce Thu, 06/14/2007 - 05:49

I'll give the isakmp nat-traversal a try. I wasn't aware of enabling transparent tunneling in my VPN client config, UDP 4500.

acomiskey Thu, 06/14/2007 - 05:59

I think it's usually enabled by default: IPsec over UDP on the Transport tab. Can you find out if the remote site device is allowing NAT-T?

tstrunce Thu, 06/14/2007 - 06:01

Yes, but it will take some time for them to get back to me :(

Calling them and waiting for a call back.
