VPN Pix 501 issue

tstrunce
Level 1

Attempting to configure the following.

h - p1 - I - p2

h - host

p1 - 501 PIX (I control)

I - Internet

p2 - Cisco Device with VPN enabled.

I can VPN from home into p1 and establish a connection; however, when I am behind p1 and attempt to VPN to p2, I can establish a connection but can't pass traffic. I have PAT running on my PIX (p1).

I understand that I should not have the 101 ACLs configured the way they are currently; I am just trying to rule out that my ACLs were blocking.

Thanks

-T-

Does the 501 allow this functionality?

11 Replies

acomiskey
Level 10

What device is p2? If it is a PIX you need the command isakmp nat-traversal. Whatever it is needs NAT-T.

Unfortunately I have no control over p2; this is a customer's device. I do not have a VPN tunnel connecting the two devices, I just want to be able to use the Cisco client from inside p1 and connect to p2.

I am able to connect if I remove p1 and replace it with a Linksys. p1 is not allowing something; I just don't know what it is.

tstrunce, that is not necessarily the case. I understand you are not tunneling between the devices. Since your PIX is doing PAT, you must be able to do NAT traversal from your client. This means your client must be configured and the remote endpoint must be configured for NAT-T. Your PIX is not blocking anything.

Another option is to do "fixup protocol esp-ike" on your PIX; this will allow for one VPN connection and one only. You will also not be able to terminate VPNs on your PIX.

A one-to-one static on your client will help as well if you have an extra IP address.

OK, I understand now: PAT is the issue.

fixup protocol esp-ike is not an option because I need users to be able to VPN in. I've seen this command before in the past, I just didn't understand what it did.

How does a one-to-one static work? I understand that I would need another external IP address on my side; however, would the other IP address be the external interface on p2?

BTW, thanks so much for the response!

It works like this: basically it would NAT the client 192.168.1.1 to 1.1.1.1, not PAT, therefore allowing you to connect.

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

So basically

static (inside,outside) <global-ip> <local-ip> netmask 255.255.255.255

which would be a specific single host surfing the Internet using NAT.

Yes.

You could also try "isakmp nat-traversal" on your PIX. I have heard this may help, but not in my experience. Make sure you have enabled transparent tunneling in your VPN client config, UDP 4500.

I'll give isakmp nat-traversal a try. I wasn't aware of enabling transparent tunneling in my VPN client config, UDP 4500.

I think it's usually enabled by default: IPsec over UDP on the Transport tab. Can you find out if the remote site device is allowing NAT-T?

Yes, but it will take some time for them to get back to me :(

Calling them and waiting for a call back.
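The reasoning in the thread, both acomiskey's three options (NAT-T, fixup protocol esp-ike, a one-to-one static) and the later point that NAT-T only works if the client and the remote peer both support it, can be checked with a small model of what a PAT-only firewall does to an IPsec client. The code below is an added example, not from the original thread and not Cisco's code; it is a toy Python model of PIX 6.x outbound translation, not the real PIX. It reuses the page's 192.168.1.1 / 1.1.1.1 static pair; the PIX outside address 203.0.113.1, the remote peer 198.51.100.1, the second client 192.168.1.2, and the names `Pix`, `scenario` and `nat_t_encapsulate` are assumptions made for the example.

```python
"""Why PAT breaks a plain IPsec client, and what each fix from the thread changes.
Toy model constructed for this example; not the PIX implementation."""
from dataclasses import dataclass, field, replace
from typing import Optional

ESP = 50           # IP protocol number for IPsec ESP: there are no transport ports to PAT
UDP = 17
IKE_PORT = 500     # ISAKMP
NAT_T_PORT = 4500  # IPsec over UDP: what the Cisco client calls "transparent tunneling"

OUTSIDE_IP = "203.0.113.1"   # assumed PIX outside address (documentation range)
PEER_IP = "198.51.100.1"     # assumed VPN peer p2 (documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None        # None for ESP
    dport: Optional[int] = None
    inner: Optional["Packet"] = None   # set when an ESP packet is wrapped in UDP/4500


@dataclass
class Pix:
    """Outbound translation decisions of a PAT-ing PIX (toy model)."""
    outside_ip: str
    statics: dict = field(default_factory=dict)    # inside host -> dedicated global IP
    esp_ike_fixup: bool = False                    # "fixup protocol esp-ike"
    pat_table: dict = field(default_factory=dict)  # (src, sport, dst, dport) -> global port
    next_port: int = 1024
    esp_client: Optional[tuple] = None             # the single (host, peer) the fixup tracks

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Packet as it leaves the outside interface, or None if it is dropped."""
        if pkt.src in self.statics:
            # static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255
            # one-to-one: only the address changes, so any protocol passes, ESP included
            return replace(pkt, src=self.statics[pkt.src])
        if pkt.proto == UDP:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.pat_table:
                self.pat_table[key] = self.next_port
                self.next_port += 1
            if self.esp_ike_fixup and pkt.dport == IKE_PORT and self.esp_client is None:
                # the fixup remembers the first client whose IKE went out so its
                # ESP can follow; it has room for one such client only
                self.esp_client = (pkt.src, pkt.dst)
            return replace(pkt, src=self.outside_ip, sport=self.pat_table[key])
        if pkt.proto == ESP:
            if self.esp_ike_fixup and self.esp_client == (pkt.src, pkt.dst):
                return replace(pkt, src=self.outside_ip)
            return None   # plain PAT has no port to rewrite, so ESP is dropped
        return None

    def can_terminate_vpn(self) -> bool:
        # the thread's caveat: with the esp-ike fixup you cannot terminate VPNs on the PIX
        return not self.esp_ike_fixup


def nat_t_encapsulate(esp: Packet) -> Packet:
    """Client-side NAT-T: wrap ESP in UDP/4500 so the firewall has ports to PAT."""
    return Packet(esp.src, esp.dst, UDP, NAT_T_PORT, NAT_T_PORT, inner=esp)


def scenario(client_nat_t=False, peer_nat_t=False, static=False, fixup=False,
             clients=("192.168.1.1",)) -> dict:
    """For each inside client, True if both its IKE and its ESP reach the peer."""
    pix = Pix(OUTSIDE_IP, statics={"192.168.1.1": "1.1.1.1"} if static else {},
              esp_ike_fixup=fixup)
    results = {}
    for host in clients:
        ike = Packet(host, PEER_IP, UDP, IKE_PORT, IKE_PORT)
        esp = Packet(host, PEER_IP, ESP)
        ok = pix.translate(ike) is not None
        if client_nat_t:
            # UDP-encapsulated ESP PATs fine, but only if the remote end speaks NAT-T too
            ok = ok and peer_nat_t and pix.translate(nat_t_encapsulate(esp)) is not None
        else:
            ok = ok and pix.translate(esp) is not None
        results[host] = ok
    return results


if __name__ == "__main__":
    print("PAT only:      ", scenario())
    print("NAT-T both ends:", scenario(client_nat_t=True, peer_nat_t=True))
    print("NAT-T client only:", scenario(client_nat_t=True, peer_nat_t=False))
    print("1:1 static:    ", scenario(static=True))
    print("esp-ike fixup, two clients:",
          scenario(fixup=True, clients=("192.168.1.1", "192.168.1.2")))
```

The model reproduces the thread's conclusions: plain PAT passes IKE (UDP/500) but drops ESP, which is exactly "connection establishes but no traffic passes"; NAT-T fixes it only when both the client (IPsec over UDP) and the peer support it; the one-to-one static fixes it regardless of the peer; and the esp-ike fixup lets one client through while a second client's ESP is dropped and the PIX can no longer terminate VPNs itself.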
