IPSec VPN between PIX and Cisco VPN Client

Unanswered Question
Jul 28th, 2007

Hi, all

I have a problem deploying Remote Access VPN between PIX (PIX OS 6.3(4)) and Cisco VPN Client 5.0.00.0340.

The current situation is I have the IPSec tunnel established, I can see with the capture tool that ICMP Echo packets are coming from the Remote VPN Client through the IPSec tunnel to the PIX, next the PIX forwards them into the inside interface towards the destination host. Then I see ICMP Echo Reply packets returning from the destination host, and the last thing that the PIX has to do is forward the ICMP Echo Reply packets into the tunnel towards the Remote VPN Client, but the PIX doesn't do this.

I think I have all the stuff configured properly:

1) I have nat (inside) 0 statement to avoid Network Address Translation (NAT) on the IPSec packets.

2) I have sysopt connection permit-ipsec.

3) I have isakmp nat-traversal 20 statement.

4) I don't have any access lists to filter traffic on the inside interface.

So, to me, it looks like a bug. I have looked through the bug tool on cisco.com, but I haven't found any similar bugs. Maybe somebody has already faced a similar problem or knows how to fix that problem; any help would be greatly appreciated.

Thanks in advance.

saiiven07 Sun, 07/29/2007 - 05:34

Hi,

The IP address of the host that I'm trying to ping is 192.168.211.9/24 with the default gw 192.168.211.1. As you can see from the config, the PIX has a route to that network: route inside 192.168.211.0 255.255.255.0 192.168.210.2. And as I have already said, I can see with the PIX capture tool that packets go out from the inside interface towards that IP, and they are coming back from that host, but unfortunately the PIX doesn't put them into the IPSec tunnel (counters of the encrypted packets don't increase). And I don't know why.

froggy3132000 Sun, 07/29/2007 - 09:22

As long as the PIX can route to it you should have no problem. I have plenty of the exact same configs in place right now.

I would upgrade to 6.3(5) then call the TAC if you are still having issues.

saiiven07 Sun, 07/29/2007 - 10:28

Yeah, I think there's nothing left to do but try to replace the current version 6.3(4) of the PIX OS with a new one (6.3(5)). But I'm wondering if anybody else had problems deploying Remote Access VPN with version 6.3(4) of the PIX OS, or I'm the one who is so lucky.

richardmangu Sun, 07/29/2007 - 23:15

I am using PIX OS 6.3(5), and I am faced with exactly the same problem. Have you found any solution yet?

saiiven07 Mon, 07/30/2007 - 00:36

No. I was hoping that after replacing the software with the version 6.3(5) of the PIX OS everything would be OK, but now I don't know what to do...maybe downgrade the software...Have you tried any other versions of the PIX OS? Which version of the Cisco VPN client do you use?

I have tried versions 5.0.00.0340 and 4.8.01.0300, but the results were the same.

richardmangu Tue, 07/31/2007 - 05:14

I had omitted some lines in the config. However, using PIX OS 6.3(5) and VPN Client 3.6.6, the tunnel works well. So just upgrade the OS to 6.3(5) and it should work out fine.

krishnakomiti Tue, 07/31/2007 - 02:32

Hi,

The PIX is a stateful firewall; that's why ping will not be allowed unless and until you give permission in the PIX. If you have configured VPN then try to ping from an inside machine; I hope it will work. If it is not working, please provide the diagram with all IP addresses.

saiiven07 Tue, 07/31/2007 - 11:51

Finally, I have solved that problem. The problem was that there were two IPSec tunnels on the outside interface, one for the L2L VPN and one for the Remote VPN Client, but there was only one access-list that was used by both nat (inside) 0 and the crypto map for the L2L VPN at the same time. So, I guess the PIX just put the packets into the L2L VPN tunnel instead of the Cisco VPN Client tunnel, or simply dropped them because of this misconfiguration.

http://cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

"Do not use ACLs twice. Even if your NAT Exemption ACL and crypto ACL specify the same traffic, use two different access lists."
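The misconfiguration the thread ends on (one access-list serving both as the nat (inside) 0 exemption list and as the crypto ACL of the static L2L crypto map entry) is easy to miss by eye in a long PIX 6.3 config, so here is a small checker written for this page. It is an added example, not the poster's config or any Cisco tool: the two configs it parses are constructed samples with made-up names (vpn, nonat, l2l, outside_map, dynmap, vpnpool) and documentation/RFC 1918 addresses, and the 192.168.210.0/24 inside network is the only detail borrowed from the thread. It reports (a) any ACL referenced by both nat 0 and a crypto map, which is exactly what the quoted Cisco note forbids, and (b) static crypto map entries whose ACL destination overlaps the remote-access pool, which is why the shared ACL breaks return traffic: static entries are evaluated by sequence number before the dynamic entry, so return packets to the client pool match the L2L entry first.

```python
"""Check a PIX 6.3-style config for an ACL shared between NAT exemption and a crypto map.

Added example for this page, not from the original thread. The configs below are
constructed samples (made-up ACL, map and pool names, RFC 1918 / TEST-NET addresses).
"""
import ipaddress
import re
from collections import defaultdict

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")

# Constructed: one ACL does double duty, and it must list the client pool so that
# nat 0 exempts it, which drags the pool into the static L2L crypto entry as well.
BROKEN = """\
ip local pool vpnpool 10.10.10.1-10.10.10.50
access-list vpn permit ip 192.168.210.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list vpn permit ip 192.168.210.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list vpn
sysopt connection permit-ipsec
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
"""

# Constructed: separate lists, as the Cisco note recommends. nonat still covers the
# pool; the L2L crypto ACL covers only the remote LAN.
FIXED = """\
ip local pool vpnpool 10.10.10.1-10.10.10.50
access-list nonat permit ip 192.168.210.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list nonat permit ip 192.168.210.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list l2l permit ip 192.168.210.0 255.255.255.0 172.16.0.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address l2l
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
"""


def parse(config):
    """Collect ACL entries, local pools, nat 0 references and static crypto map ACLs."""
    acls, pools, nat0, crypto = defaultdict(list), {}, [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            # PIX 6.3 ACLs use real subnet masks (not wildcards); strict=False
            # tolerates host bits in the address part.
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            acls[m.group(1)].append((src, dst))
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := NAT0_RE.match(line):
            nat0.append(m.group(2))
        elif m := MATCH_RE.match(line):
            crypto.append((m.group(1), int(m.group(2)), m.group(3)))
    return acls, pools, nat0, crypto


def shared_acls(config):
    """ACL names used both by NAT exemption and by a crypto map entry."""
    _, _, nat0, crypto = parse(config)
    return sorted(set(nat0) & {acl for _, _, acl in crypto})


def static_entries_covering_pool(config):
    """Static crypto map entries whose ACL destination overlaps a remote-access pool.

    Crypto map entries are evaluated in sequence order, so a static entry that
    matches traffic to the client pool claims it before the dynamic entry does.
    """
    acls, pools, _, crypto = parse(config)
    hits = set()
    for mapname, seq, acl in crypto:
        for _, dst in acls.get(acl, []):
            for pool, (lo, hi) in pools.items():
                overlaps = int(dst.network_address) <= int(hi) and int(lo) <= int(dst.broadcast_address)
                if overlaps:
                    hits.add((mapname, seq, acl, pool))
    return sorted(hits)


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "shared:", shared_acls(cfg), "pool overlap:", static_entries_covering_pool(cfg))
```

Run it against a saved `show running-config` (replace the constructed strings with the file contents); an empty result from both functions means the NAT exemption list and every crypto ACL are distinct and no static L2L entry would swallow return traffic for the client pool. It only understands the `permit ip <net> <mask> <net> <mask>` ACL form, which is the one the thread's configs use.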
