VPN Pix 501 issue

Unanswered Question
Jun 14th, 2007

Attempting to configure the following.

h - p1 - I - p2

h - host

p1 - 501 PIX (I control)

I - Internet

p2 - Cisco Device with VPN enabled.

I can VPN from home into p1 and establish a connection; however, when I am behind p1 and attempt to VPN to p2, I can establish a connection but can't pass traffic. I have PAT running on my PIX (p1).

I understand that I should not have the 101 ACLs configured the way they are currently; I'm just trying to rule out that my ACLs were blocking.

Does the 501 allow this functionality?

acomiskey Thu, 06/14/2007 - 04:32

What device is p2? If it is a PIX you need the command isakmp nat-traversal. Whatever it is, it needs NAT-T.

tstrunce Thu, 06/14/2007 - 04:47

Unfortunately I have no control over p2; this is a customer's device. I do not have a VPN tunnel connecting the two devices, I just want to be able to use the Cisco client from inside p1 and connect to p2.

I am able to connect if I remove p1 and replace it with a Linksys. p1 is not allowing something; I just don't know what it is.

acomiskey Thu, 06/14/2007 - 04:55

tstrunce, that is not necessarily the case. I understand you are not tunneling between the devices. Since your PIX is doing PAT, you must be able to do NAT traversal from your client. This means your client must be configured and the remote endpoint must be configured for NAT-T. Your PIX is not blocking anything.

Another option is to do "fixup protocol esp-ike" on your PIX; this will allow for one VPN connection and one only. You will also not be able to terminate VPNs on your PIX.

A one-to-one static on your client will help as well if you have an extra IP address.
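As an added illustration of the three options acomiskey lists (this is not code from the thread or from Cisco): a small Python model of the PIX translation table that shows why the IKE exchange on UDP/500 survives PAT while the ESP data traffic does not, why "fixup protocol esp-ike" admits exactly one ESP client, and why NAT-T (ESP inside UDP/4500) or a one-to-one static lets several inside clients work at once. The PixNat class is a hypothetical simplification of the PIX 6.x behaviour described in this thread, not its implementation, and all addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Toy model of a PAT-ing PIX with one or two IPsec clients behind it.
Constructed example; PixNat is a deliberate simplification, not PIX code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

UDP, ESP = 17, 50                 # IP protocol numbers
IKE_PORT, NAT_T_PORT = 500, 4500  # IKE, and IPsec-over-UDP (NAT-T) encapsulation


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP: it carries no transport ports
    dport: Optional[int] = None
    spi: Optional[int] = None     # ESP only


@dataclass
class PixNat:
    outside_ip: str                                        # the PAT address
    statics: Dict[str, str] = field(default_factory=dict)  # inside ip -> dedicated global ip
    esp_ike_fixup: bool = False                            # "fixup protocol esp-ike"
    _pat: Dict[Tuple[str, int], int] = field(default_factory=dict)
    _rev: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    _esp_owner: Optional[str] = None
    _next_port: int = 1024

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Translate inside->outside; None means no translation can be built."""
        if p.src in self.statics:   # one-to-one static: any protocol, no ports needed
            return Packet(p.proto, self.statics[p.src], p.dst, p.sport, p.dport, p.spi)
        if p.proto == UDP:          # PAT: give each (host, port) a unique outside port
            key = (p.src, p.sport)
            if key not in self._pat:
                self._pat[key] = self._next_port
                self._rev[self._next_port] = key
                self._next_port += 1
            return Packet(UDP, self.outside_ip, p.dst, self._pat[key], p.dport)
        if p.proto == ESP and self.esp_ike_fixup and self._esp_owner in (None, p.src):
            self._esp_owner = p.src  # the fixup tracks exactly one ESP client
            return Packet(ESP, self.outside_ip, p.dst, spi=p.spi)
        return None                  # plain PAT: ESP has no port to rewrite

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Translate outside->inside; None means no matching entry, so dropped."""
        for inside, glob in self.statics.items():
            if p.dst == glob:
                return Packet(p.proto, p.src, inside, p.sport, p.dport, p.spi)
        if p.dst != self.outside_ip:
            return None
        if p.proto == UDP and p.dport in self._rev:
            inside, sport = self._rev[p.dport]
            return Packet(UDP, p.src, inside, p.sport, sport)
        if p.proto == ESP and self._esp_owner is not None:
            return Packet(ESP, p.src, self._esp_owner, spi=p.spi)
        return None


def vpn_session(pix: PixNat, client: str, peer: str, nat_t: bool) -> Tuple[bool, bool]:
    """Push IKE (UDP/500) and then data (ESP, or UDP/4500 with NAT-T) through the
    PIX in both directions.  Returns (ike_ok, data_ok)."""
    def round_trip(req: Packet, reply_for) -> bool:
        out = pix.outbound(req)
        if out is None:
            return False
        back = pix.inbound(reply_for(out))
        return back is not None and back.dst == client

    ike_ok = round_trip(Packet(UDP, client, peer, IKE_PORT, IKE_PORT),
                        lambda o: Packet(UDP, peer, o.src, IKE_PORT, o.sport))
    if nat_t:
        data_ok = round_trip(Packet(UDP, client, peer, NAT_T_PORT, NAT_T_PORT),
                             lambda o: Packet(UDP, peer, o.src, NAT_T_PORT, o.sport))
    else:
        data_ok = round_trip(Packet(ESP, client, peer, spi=0x1001),
                             lambda o: Packet(ESP, peer, o.src, spi=0x2002))
    return ike_ok, data_ok


def scenarios() -> Dict[str, Tuple[Tuple[bool, bool], Tuple[bool, bool]]]:
    """Two inside clients a and b against each option; constructed addresses."""
    a, b, peer, outside = "10.0.0.5", "10.0.0.6", "198.51.100.7", "203.0.113.1"
    plain = PixNat(outside)
    fixup = PixNat(outside, esp_ike_fixup=True)
    natt = PixNat(outside)
    static = PixNat(outside, statics={a: "203.0.113.2"})
    return {
        "pat only, plain ESP": (vpn_session(plain, a, peer, False), vpn_session(plain, b, peer, False)),
        "fixup protocol esp-ike": (vpn_session(fixup, a, peer, False), vpn_session(fixup, b, peer, False)),
        "NAT-T (UDP/4500)": (vpn_session(natt, a, peer, True), vpn_session(natt, b, peer, True)),
        "one-to-one static for a": (vpn_session(static, a, peer, False), vpn_session(static, b, peer, False)),
    }


if __name__ == "__main__":
    for name, (first, second) in scenarios().items():
        print(f"{name:26s} client a (ike, data)={first}  client b={second}")
```

The model reproduces the symptom in the original post: IKE completes (the UDP/500 exchange gets a PAT entry), but with plain PAT the ESP packets never get a translation, so no traffic flows. Only the NAT-T row gives both clients working sessions without a spare address, which is why the remote peer's NAT-T support matters.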

tstrunce Thu, 06/14/2007 - 05:04

OK, I understand now. PAT is the issue.

fixup protocol esp-ike is not an option because I need users to be able to VPN in. I've seen this command before in the past; I just didn't understand what it did.

How does a one-to-one static work? I understand that I would need another external IP address on my side; however, would the other IP address be the external interface on p2?

BTW...thanks so much for the response!

acomiskey Thu, 06/14/2007 - 05:10

It works like this: basically it would NAT the client, not PAT it, therefore allowing you to connect.

static (inside,outside) <global_ip> <local_ip> netmask 255.255.255.255

tstrunce Thu, 06/14/2007 - 05:18

so basically

static (inside,outside) <global_ip> <local_ip> netmask <32-bit mask>

which would be a specific single host surfing the Internet using NAT.

acomiskey Thu, 06/14/2007 - 05:18

You could also try "isakmp nat-traversal" in your PIX. I have heard this may help, but not in my experience. Make sure you have enabled transparent tunneling in your VPN client config, UDP 4500.

tstrunce Thu, 06/14/2007 - 05:49

I'll give the isakmp nat-traversal a try. I wasn't aware of enabling transparent tunneling in my VPN client config, UDP 4500.

acomiskey Thu, 06/14/2007 - 05:59

I think it's usually enabled by default: IPsec over UDP on the Transport tab. Can you find out if the remote site device is allowing NAT-T?
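The check acomiskey asks for can also be made from the outside without waiting on the customer: an IKEv1 responder that supports NAT-T advertises it with Vendor ID payloads in its first main-mode reply. RFC 3947 section 3 defines that payload as the MD5 hash of the string "RFC 3947", and the pre-RFC drafts hashed their own draft names (some implementations with a trailing newline). What follows is an added example, not code from this thread or from Cisco: a Python parser for the ISAKMP payload chain that reports which NAT-T vendor IDs a reply carries. The reply packets are constructed inline so it runs offline; against a live peer you would send an IKE SA proposal to UDP/500 and hand the reply bytes to nat_t_support. Tools such as ike-scan decode the same vendor IDs.

```python
"""Detect NAT-T vendor IDs in an IKEv1 main-mode reply.
Constructed example; sample packets are built here, not captured."""
import hashlib
import struct

# ISAKMP (RFC 2408) fixed header: I-cookie, R-cookie, next payload,
# version, exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Generic payload header: next payload, reserved, payload length (incl. header).
PAYLOAD_HDR = struct.Struct("!BBH")
PAYLOAD_SA, PAYLOAD_VID = 1, 13
EXCH_MAIN_MODE = 2

# NAT-T vendor IDs are the MD5 of a well-known string: "RFC 3947" per
# RFC 3947 section 3; the drafts used their own names.
NAT_T_VID_STRINGS = {
    "RFC 3947": b"RFC 3947",
    "draft-ietf-ipsec-nat-t-ike-03": b"draft-ietf-ipsec-nat-t-ike-03",
    "draft-ietf-ipsec-nat-t-ike-02": b"draft-ietf-ipsec-nat-t-ike-02",
    "draft-ietf-ipsec-nat-t-ike-02 (trailing newline)": b"draft-ietf-ipsec-nat-t-ike-02\n",
}
NAT_T_VIDS = {hashlib.md5(s).digest(): name for name, s in NAT_T_VID_STRINGS.items()}


def parse_payloads(pkt: bytes):
    """Walk the ISAKMP payload chain and return [(type, body), ...].
    Length fields are validated so a malformed reply raises instead of
    reading past the end of the buffer."""
    if len(pkt) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    _, _, next_type, version, _, _, _, length = ISAKMP_HDR.unpack_from(pkt)
    if version >> 4 != 1:
        raise ValueError("not IKEv1")
    if length != len(pkt):
        raise ValueError("header length does not match packet size")
    off, out = ISAKMP_HDR.size, []
    while next_type != 0:
        if off + PAYLOAD_HDR.size > len(pkt):
            raise ValueError("truncated payload header")
        following, _, plen = PAYLOAD_HDR.unpack_from(pkt, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(pkt):
            raise ValueError("bad payload length")
        out.append((next_type, pkt[off + PAYLOAD_HDR.size:off + plen]))
        next_type, off = following, off + plen
    return out


def nat_t_support(pkt: bytes):
    """Sorted names of the NAT-T vendor IDs present in an IKEv1 reply
    (empty list: the peer did not advertise NAT-T)."""
    return sorted({NAT_T_VIDS[body] for ptype, body in parse_payloads(pkt)
                   if ptype == PAYLOAD_VID and body in NAT_T_VIDS})


def build_packet(payloads, i_cookie=b"\x11" * 8, r_cookie=b"\x22" * 8):
    """Encode a main-mode ISAKMP message from [(type, body), ...];
    used only to construct the sample replies below."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += PAYLOAD_HDR.pack(following, 0, PAYLOAD_HDR.size + len(body)) + body
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(i_cookie, r_cookie, first, 0x10, EXCH_MAIN_MODE, 0, 0,
                          ISAKMP_HDR.size + len(chain))
    return hdr + chain


# Constructed sample replies.  The SA body is only DOI=IPsec (1) and
# situation SIT_IDENTITY_ONLY (1); the proposals are omitted.
SA_BODY = struct.pack("!II", 1, 1)
# A responder that supports NAT-T (RFC and draft-03 VIDs, plus one unrelated VID).
SAMPLE_NAT_T_REPLY = build_packet([
    (PAYLOAD_SA, SA_BODY),
    (PAYLOAD_VID, hashlib.md5(b"RFC 3947").digest()),
    (PAYLOAD_VID, hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-03").digest()),
    (PAYLOAD_VID, b"\xde\xad\xbe\xef" * 4),
])
# A responder with no NAT-T: clients behind PAT negotiate but pass no traffic.
SAMPLE_LEGACY_REPLY = build_packet([(PAYLOAD_SA, SA_BODY)])

if __name__ == "__main__":
    print("NAT-T VIDs in sample reply:", nat_t_support(SAMPLE_NAT_T_REPLY))
    print("NAT-T VIDs in legacy reply:", nat_t_support(SAMPLE_LEGACY_REPLY))
```

An empty result from a live peer is the case described in this thread: the client behind p1 will still complete IKE over UDP/500, but without NAT-T the peer sends raw ESP back, which the PAT on the PIX cannot map to the inside host.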

tstrunce Thu, 06/14/2007 - 06:01

Yes, but it will take some time for them to get back to me :(

Calling them and waiting for a call back.
