06-14-2007 04:11 AM
attempting to configure the following.
h - p1 - I - p2
h - host
p1 - 501 PIX (I control)
I - Internet
p2 - Cisco Device with VPN enabled.
I can VPN from home into p1 and establish a connection; however, when I am behind p1 and attempt to VPN to p2, I can establish a connection but can't pass traffic. I have PAT running on my PIX (p1).
I understand that I should not have the 101 ACLs configured the way they are currently; I am just trying to rule out my ACLs blocking anything.
Thanks
-T-
Does the 501 allow this functionality?
06-14-2007 04:32 AM
What device is p2? If it is a PIX you need the command isakmp nat-traversal. Whatever it is needs NAT-T.
06-14-2007 04:47 AM
Unfortunately I have no control over p2; this is a customer's device. I do not have a VPN tunnel connecting the two devices; I just want to be able to use the Cisco client from inside p1 and connect to p2.
I am able to connect if I remove p1 and replace it with a Linksys. p1 is not allowing something... I just don't know what it is.
06-14-2007 04:55 AM
tstrunce, that is not necessarily the case. I understand you are not tunneling between the devices. Since your PIX is doing PAT, you must be able to do NAT traversal from your client. This means your client must be configured and the remote end point must be configured for NAT-T. Your PIX is not blocking anything.
Another option is to do "fixup protocol esp-ike" on your PIX; this will allow for one VPN connection and one only. You will also not be able to terminate VPNs on your PIX.
A one-to-one static on your client will help as well if you have an extra IP address.
06-14-2007 05:04 AM
OK, I understand now... PAT is the issue.
fixup protocol esp-ike is not an option because I need users to be able to VPN in. I've seen this command before in the past; I just didn't understand what it did.
How does a one-to-one static work? I understand that I would need another external IP address on my side; however, would the other IP address be the external interface on p2?
BTW...thanks so much for the response!
06-14-2007 05:10 AM
It works like this... basically it would NAT the client 192.168.1.1 to 1.1.1.1, not PAT, therefore allowing you to connect.
static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255
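To make the PAT explanation above and the one-to-one static concrete, here is an added example (not from this thread or any Cisco code) that models a PIX-style PAT in Python. It assumes constructed addresses (outside PAT address 2.2.2.2, static 1.1.1.1, hosts 192.168.1.x) and simplifies NAT-T to "data rides UDP/4500"; it shows why IKE on UDP/500 negotiates fine while ESP data cannot pass, and why esp-ike, a static, or NAT-T each fix it.

```python
from dataclasses import dataclass, replace
from typing import Optional

OUTSIDE_IP = "2.2.2.2"   # constructed: p1's outside interface used for PAT

@dataclass(frozen=True)
class Packet:
    proto: str                    # "udp" or "esp"
    src: str
    dst: str
    sport: Optional[int] = None   # ESP carries no ports, only an SPI
    dport: Optional[int] = None

class PixPat:
    """Toy model of a PIX doing PAT on a single outside address.

    PAT rewrites src ip:port and needs the port to key return traffic, so it
    translates only TCP/UDP. ESP (IP proto 50) has no ports: it gets no
    translation unless 'fixup protocol esp-ike' is on (exactly one host) or
    the host owns a one-to-one static to a spare outside address."""

    def __init__(self, esp_ike_fixup=False, statics=None):
        self.esp_ike_fixup = esp_ike_fixup
        self.statics = dict(statics or {})   # inside ip -> dedicated outside ip
        self.esp_owner = None                # the single host esp-ike admits
        self.next_port = 1024                # next PAT source port to hand out

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Return the translated packet, or None if it cannot be translated."""
        if p.src in self.statics:            # static (inside,outside) 1.1.1.1 192.168.1.1
            return replace(p, src=self.statics[p.src])
        if p.proto == "udp":                 # IKE/500 and NAT-T/4500 both fit PAT
            port, self.next_port = self.next_port, self.next_port + 1
            return replace(p, src=OUTSIDE_IP, sport=port)
        if p.proto == "esp" and self.esp_ike_fixup:
            if self.esp_owner in (None, p.src):
                self.esp_owner = p.src       # first ESP user wins, others fail
                return replace(p, src=OUTSIDE_IP)
        return None                          # untranslatable: no data passes

def vpn_session(pix: PixPat, host: str, peer: str, nat_t: bool):
    """IKE always rides UDP/500; data is ESP, or UDP/4500 once NAT-T is negotiated.
    Returns (ike_passes, data_passes)."""
    ike = pix.outbound(Packet("udp", host, peer, 500, 500))
    data = (Packet("udp", host, peer, 4500, 4500) if nat_t
            else Packet("esp", host, peer))
    return ike is not None, pix.outbound(data) is not None
```

With plain PAT the tuple is (True, False): the tunnel "connects" on IKE but no traffic flows, which is the symptom in the thread; enabling NAT-T or the static turns it into (True, True).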
06-14-2007 05:18 AM
So basically
static (inside,outside)
would be a specific single host surfing the Internet using NAT.
06-14-2007 05:19 AM
Yes.
06-14-2007 05:18 AM
You could also try "isakmp nat-traversal" on your PIX. I have heard this may help, but not in my experience. Make sure you have enabled transparent tunneling in your VPN client config, UDP 4500.
06-14-2007 05:49 AM
I'll give the isakmp nat-traversal a try... I wasn't aware of enabling transparent tunneling in my VPN client config, UDP 4500.
06-14-2007 05:59 AM
I think it's usually enabled by default: IPsec over UDP on the Transport tab. Can you find out if the remote site device is allowing NAT-T?
06-14-2007 06:01 AM
Yes, but it will take some time for them to get back to me :(
Calling them and waiting for a call back.