07-28-2007 08:33 AM - edited 02-21-2020 03:11 PM
Hi, all
I have a problem deploying Remote Access VPN between PIX (PIX OS 6.3(4)) and Cisco VPN Client 5.0.00.0340.
The current situation is I have an IPSec tunnel established, I can see with the capture tool that ICMP Echo packets are coming from the Remote VPN Client through the IPSec tunnel to the PIX, next the PIX forwards them into the inside interface towards the destination host. Then I see ICMP Echo Reply packets returning from the destination host, and the last thing that the PIX has to do is forward the ICMP Echo Reply packets into the tunnel towards the Remote VPN Client, but the PIX doesn't do this.
I think I have all the stuff configured properly:
1) I have nat (inside) 0 statement to avoid Network Address Translation (NAT) on the IPSec packets.
2) I have sysopt connection permit-ipsec.
3) I have isakmp nat-traversal 20 statement.
4) I don't have any access lists to filter traffic on the inside interface.
So, to me, it looks like a bug. I have looked through the bug tool on cisco.com, but I haven't found any similar bugs. Maybe somebody has already faced a similar problem or knows how to fix that problem; any help would be greatly appreciated.
Thanks in advance.
07-28-2007 01:20 PM
post the relevant part of your config
07-29-2007 01:14 AM
I attached the relevant part of the config.
07-29-2007 04:50 AM
what is the IP of the host and what is its default gw?
07-29-2007 05:34 AM
Hi,
The IP address of the host that I'm trying to ping is 192.168.211.9/24 with the default gw: 192.168.211.1. As you can see from the config, the PIX has a route to that network: route inside 192.168.211.0 255.255.255.0 192.168.210.2. And as I have already said, I can see with the PIX capture tool that packets go out from the inside interface towards that IP, and they are coming back from that host, but unfortunately the PIX doesn't put them into the IPSec tunnel (counters of the encrypted packets don't increase). And I don't know why.
07-29-2007 09:22 AM
As long as the pix can route to it you should have no problem. I have plenty of the exact same configs in place right now.
I would upgrade to 6.3(5) then call the TAC if you are still having issues.
07-29-2007 10:28 AM
Yeah, I think there's nothing left to do but try to replace the current version 6.3(4) of the PIX OS with a new one (6.3(5)). But I'm wondering if anybody else had problems deploying Remote Access VPN with version 6.3(4) of the PIX OS, or I'm the one who is so lucky.
07-29-2007 11:15 PM
I am using PIX OS 6.3(5). And I am faced with exactly the same problem. Have you found any solution yet?
07-30-2007 12:36 AM
No. I was hoping that after replacing the software with the version 6.3(5) of the PIX OS everything would be OK, but now I don't know what to do...maybe downgrade the software...Have you tried any other versions of the PIX OS? Which version of the Cisco VPN client do you use?
I have tried versions 5.0.00.0340 and 4.8.01.0300, but the results were the same.
07-31-2007 05:14 AM
I had omitted some lines in the config. However, using PIX OS 6.3(5) and VPN client 3.6.6, the tunnel works well. So just upgrade the OS to 6.3(5) and it should work out fine.
07-31-2007 02:32 AM
Hi,
The PIX is a stateful firewall, that's why ping will not be allowed unless and until you give permission in the PIX. If you have configured VPN then try to ping from an inside machine; I hope it will work. If it is not working, please provide the diagram with all IP addresses.
07-31-2007 11:51 AM
Finally, I have solved that problem. The problem was that there were two IPSec tunnels on the outside interface - one for L2L VPN and one for Remote VPN Client, but there was only one access-list that was used by both nat (inside) 0 and crypto map for L2L VPN at the same time. So, I guess the PIX just put the packets into the L2L VPN tunnel instead of the Cisco VPN Client tunnel, or simply dropped them because of this misconfiguration.
http://cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
"Do not use ACLs twice. Even if your NAT Exemption ACL and crypto ACL specify the same traffic, use two different access lists."
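The tech note's rule can be checked mechanically. The following is an added example (not from the thread or from Cisco): a small lint over a PIX 6.3 configuration that reports any ACL bound to both `nat (inside) 0` and a crypto map `match address`, and any static L2L crypto map entry whose ACL also covers a `ip local pool` address, which is how remote-access return traffic ends up selected by the wrong tunnel. The configuration text, ACL names, pool and peer address are constructed for the example.

```python
import ipaddress
import re

# Constructed sample PIX 6.3 config (not the poster's attached config). It reproduces
# the thread's mistake: ACL NONAT is bound both to nat (inside) 0 and to the static
# L2L crypto map entry, and it also covers the remote-access pool 10.99.0.0/24.
SAMPLE_CONFIG = """\
access-list NONAT permit ip 192.168.210.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NONAT permit ip 192.168.211.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NONAT permit ip 192.168.211.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
ip local pool RAPOOL 10.99.0.1-10.99.0.50
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA
crypto map OUTMAP 10 ipsec-isakmp
crypto map OUTMAP 10 match address NONAT
crypto map OUTMAP 10 set peer 203.0.113.10
crypto map OUTMAP 20 ipsec-isakmp dynamic DYNMAP
crypto map OUTMAP interface outside
"""

NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)", re.M)
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)", re.M)
ACE_RE = re.compile(r"^access-list (\S+) permit \S+ \S+ \S+ (\S+) (\S+)$", re.M)
POOL_RE = re.compile(r"^ip local pool \S+ (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)", re.M)

def find_shared_acls(config):
    """ACLs bound to nat 0 AND to a crypto map 'match address' (the tech note's rule)."""
    nat0 = set(NAT0_RE.findall(config))
    return [(acl, cmap, int(seq)) for cmap, seq, acl in MATCH_RE.findall(config)
            if acl in nat0]

def pool_captured_by_static_entry(config):
    """Static crypto map entries whose ACL destination covers a VPN client pool address.
    Entries are evaluated in sequence order, so such an entry claims the traffic first."""
    pools = [ipaddress.ip_address(lo) for lo, _hi in POOL_RE.findall(config)]
    hits = []
    for cmap, seq, acl in MATCH_RE.findall(config):
        for name, dst, mask in ACE_RE.findall(config):
            if name != acl:
                continue
            net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)  # dotted mask ok
            if any(p in net for p in pools):
                hits.append((cmap, int(seq), acl, str(net)))
    return hits

if __name__ == "__main__":
    print(find_shared_acls(SAMPLE_CONFIG))
    print(pool_captured_by_static_entry(SAMPLE_CONFIG))
```

The fix the thread arrived at corresponds to both functions returning an empty list: the crypto map entry points at its own ACL listing only the L2L peer's networks, while NONAT keeps serving NAT exemption.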