VPN Pix 501 issue

Unanswered Question
Jun 14th, 2007

Attempting to configure the following.


h - p1 - I - p2


h - host

p1 - 501 PIX (I control)

I - Internet

p2 - Cisco Device with VPN enabled.


I can VPN from home into p1 and establish a connection; however, when behind p1 and I attempt to VPN to p2, I can establish a connection but can't pass traffic. I have PAT running on my PIX (p1).


I understand that I should not have the 101 ACLs configured the way they are currently; I'm just trying to make sure my ACLs were not blocking.


Thanks

-T-


Does the 501 allow this functionality?



acomiskey Thu, 06/14/2007 - 04:32

What device is p2? If it is a PIX, you need the command isakmp nat-traversal. Whatever it is, it needs NAT-T.

tstrunce Thu, 06/14/2007 - 04:47

Unfortunately I have no control over p2; this is a customer's device. I do not have a VPN tunnel connecting the two devices, I just want to be able to use the Cisco client from inside p1 and connect to p2.


I am able to connect if I remove p1 and replace it with a Linksys. p1 is not allowing something; I just don't know what it is.

acomiskey Thu, 06/14/2007 - 04:55

tstrunce, that is not necessarily the case. I understand you are not tunneling between the devices. Since your PIX is doing PAT, you must be able to do NAT traversal from your client. This means your client must be configured and the remote endpoint must be configured for NAT-T. Your PIX is not blocking anything.


Another option is to do "fixup protocol esp-ike" on your PIX; this will allow for one VPN connection and one only. You will also not be able to terminate VPNs on your PIX.


A one-to-one static on your client will help as well if you have an extra IP address.

tstrunce Thu, 06/14/2007 - 05:04

OK, I understand now. PAT is the issue.


fixup protocol esp-ike is not an option because I need users to be able to VPN in. I've seen this command in the past; I just didn't understand what it did.


How does a one-to-one static work? I understand that I would need another external IP address on my side; however, would the other IP address be the external interface on p2?


BTW, thanks so much for the response!



acomiskey Thu, 06/14/2007 - 05:10

It works like this: basically it would NAT the client 192.168.1.1 to 1.1.1.1, not PAT, therefore allowing you to connect.


static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

tstrunce Thu, 06/14/2007 - 05:18

So basically


static (inside,outside) netmask <32-bit>


which would be a specific single host surfing the Internet using NAT.

acomiskey Thu, 06/14/2007 - 05:18

You could also try "isakmp nat-traversal" on your PIX. I have heard this may help, but not in my experience. Make sure you have enabled transparent tunneling in your VPN client config, UDP 4500.
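
A toy model, added here and not taken from any post in this thread or from Cisco's PIX code, of the outcomes the replies above describe: PAT alone dropping ESP (which has no ports to overload), a one-to-one static passing it, "fixup protocol esp-ike" admitting a single inside host, and NAT-T wrapping ESP in UDP 4500 so ordinary PAT works. The Pix and Packet classes, the port-allocation scheme and the peer address 203.0.113.5 are simplified assumptions; 192.168.1.1 and 1.1.1.1 come from the thread.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

ESP, UDP = 50, 17            # IP protocol numbers
IKE_PORT, NAT_T_PORT = 500, 4500

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for ESP: it carries an SPI, no L4 ports
    dport: Optional[int] = None

@dataclass
class Pix:
    """Hypothetical model of the p1 PIX; not the real PIX translation engine."""
    outside_ip: str
    statics: Dict[str, str] = field(default_factory=dict)  # inside -> dedicated outside
    esp_fixup: bool = False          # "fixup protocol esp-ike"
    esp_owner: Optional[str] = None  # the one inside host the fixup lets through
    next_port: int = 1024

    def translate(self, pkt: Packet) -> Optional[Packet]:
        # One-to-one static: source address rewritten 1:1, any protocol passes.
        if pkt.src in self.statics:
            return Packet(self.statics[pkt.src], pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        if pkt.proto == ESP:
            # PAT has no port to overload on ESP; the fixup admits exactly one host.
            if not self.esp_fixup or self.esp_owner not in (None, pkt.src):
                return None
            self.esp_owner = pkt.src
            return Packet(self.outside_ip, pkt.dst, ESP)
        # UDP/TCP: share the outside address by handing out a unique source port.
        port, self.next_port = self.next_port, self.next_port + 1
        return Packet(self.outside_ip, pkt.dst, pkt.proto, port, pkt.dport)

def client_session(pix: Pix, inside_ip: str, peer: str, nat_t: bool) -> bool:
    """True if both the IKE exchange and the data plane get through the PIX."""
    ike = pix.translate(Packet(inside_ip, peer, UDP, IKE_PORT, IKE_PORT))
    if nat_t:  # transparent tunneling: ESP wrapped in UDP 4500, so PAT can key on ports
        data = pix.translate(Packet(inside_ip, peer, UDP, NAT_T_PORT, NAT_T_PORT))
    else:
        data = pix.translate(Packet(inside_ip, peer, ESP))
    return ike is not None and data is not None
```

Run client_session against a plain Pix("1.1.1.2") with nat_t=False to see the thread's failure, then with nat_t=True, with statics={"192.168.1.1": "1.1.1.1"}, or with esp_fixup=True to see each workaround.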

tstrunce Thu, 06/14/2007 - 05:49

I'll give isakmp nat-traversal a try. I wasn't aware of enabling transparent tunneling in my VPN client config, UDP 4500.

acomiskey Thu, 06/14/2007 - 05:59

I think it's usually enabled by default: IPsec over UDP on the Transport tab. Can you find out if the remote site device is allowing NAT-T?

tstrunce Thu, 06/14/2007 - 06:01

Yes, but it will take some time for them to get back to me :(


Calling them and waiting for a callback.
