PIX501 at Home

I have cisco vpn client loaded onto my laptop which allows me to connect to my office LAN from any location. This works fine and enables me to access Exchange server and other LAN resources. However, if I try to connect from home to my office LAN using the vpn client I have problems. The vpn client connects ok and authenticates but I cannot access Exchange server or any other resources. Ping does not work either. At home I have a PIX501 connected to a cable modem. Internet access from home LAN works fine. Any help greatly received.

viper1284 Wed, 11/28/2007 - 17:14

I would check your ACLs on your PIX. Do you have split tunnel configured? Sounds like an issue with the splitTunnel ACLs.

Patrick Iseli Wed, 11/28/2007 - 18:08

1.) Try: fixup protocol esp-ike on the home PIX 501.

2.) Could be a NAT Traversal issue.

Note that NAT Traversal is configured on the VPN Server not at home.

isakmp nat-traversal 20

Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.

The firewall supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps. NAT traversal is disabled by default on the firewall.

To enable NAT traversal, check that ISAKMP is enabled (you can enable it with the isakmp enable if_name command) and then use the isakmp nat-traversal [natkeepalive] command. (This command appears in the configuration if both ISAKMP is enabled and NAT traversal is enabled.) If you have enabled NAT traversal, you can disable it with the no isakmp nat-traversal command. Valid values for natkeepalive are from 10 to 3600 seconds. The default is 20 seconds.

See: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1027312
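The NAT traversal the post above enables works because IKE itself detects the NAT: each peer sends NAT-D payloads (RFC 3947) that hash the addresses it believes are in use, and the receiver recomputes them from the packet headers it actually saw. When the home PIX 501 PATs the client's source address, the hashes no longer match, both peers move IKE and ESP to UDP 4500, and the ESP-through-PAT problem disappears. The following is an added example, not code from the thread or from Cisco; it models that check in Python with constructed cookies and addresses (192.168.1.50 behind a PAT on 203.0.113.10, server 198.51.100.1) and assumes SHA-1 as the negotiated phase 1 hash.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """HASH(CKY-I | CKY-R | IP | Port) as defined in RFC 3947 section 3.2.

    IP and port are in network byte order; the hash is the phase 1 hash
    (SHA-1 assumed here).
    """
    addr = ipaddress.ip_address(ip).packed
    return hashlib.new(algo, cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, my_addr, peer_addr):
    """Payloads a sender includes in its IKE message.

    First NAT-D: the peer's address (the destination as the sender sees it).
    Remaining NAT-D(s): the sender's own address(es), before any translation.
    """
    return [nat_d_hash(cky_i, cky_r, *peer_addr), nat_d_hash(cky_i, cky_r, *my_addr)]


def detect_nat(cky_i, cky_r, payloads, pkt_src, pkt_dst):
    """Receiver side: compare the sender's hashes with the headers actually seen.

    Returns (local_behind_nat, peer_behind_nat).
    """
    if len(payloads) < 2:
        raise ValueError("RFC 3947 requires at least two NAT-D payloads")
    local_nat = payloads[0] != nat_d_hash(cky_i, cky_r, *pkt_dst)
    peer_nat = nat_d_hash(cky_i, cky_r, *pkt_src) not in payloads[1:]
    return local_nat, peer_nat


def nat_t_port(local_nat, peer_nat):
    """UDP port IKE and UDP-encapsulated ESP move to once a NAT is found (RFC 3947 section 4)."""
    return 4500 if (local_nat or peer_nat) else 500


# Constructed scenario (hypothetical cookies and addresses): VPN client 192.168.1.50
# behind a PIX 501 doing PAT on 203.0.113.10; office VPN server 198.51.100.1.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")
CLIENT_PRIVATE = ("192.168.1.50", 500)
PIX_PUBLIC = ("203.0.113.10", 1025)   # PAT rewrote both source IP and source port
SERVER = ("198.51.100.1", 500)


def home_scenario():
    """Client hashes its private address; the server hashes what arrived on the wire."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, CLIENT_PRIVATE, SERVER)
    return detect_nat(CKY_I, CKY_R, payloads, pkt_src=PIX_PUBLIC, pkt_dst=SERVER)


def no_nat_scenario():
    """Same client on a public address with no translation in the path."""
    public_client = ("192.0.2.7", 500)
    payloads = build_nat_d_payloads(CKY_I, CKY_R, public_client, SERVER)
    return detect_nat(CKY_I, CKY_R, payloads, pkt_src=public_client, pkt_dst=SERVER)


if __name__ == "__main__":
    for name, fn in (("home PIX PAT", home_scenario), ("public address", no_nat_scenario)):
        local_nat, peer_nat = fn()
        print(f"{name}: server behind NAT={local_nat}, client behind NAT={peer_nat}, "
              f"use UDP port {nat_t_port(local_nat, peer_nat)}")
```

The point for this thread: the detection only happens if the VPN server has NAT traversal enabled and the client supports it, which is why the setting lives on the office side rather than on the home PIX. The VPN client's "IPSec over UDP" option is Cisco's own UDP encapsulation (port 10000 by default) and sidesteps PAT without any NAT-D exchange, which is why switching it on can also make the tunnel pass traffic.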
vantipov Thu, 11/29/2007 - 04:18

I have exactly the same problem with my pix501. fixup esp-ike is on. nat traversal is on my pix, I will check to see if it is on the company's ASA. But, the interesting thing is - I also have Motorola router/firewall at home where I can just put a check mark in IPSEC VPN passthrough and same PC with Cisco VPN client works fine: terminates the VPN tunnel and I can ping and access everything on company LAN. PIX501 is on 6.3(5).

vantipov Thu, 11/29/2007 - 04:40

I just modified my Cisco VPN client to use IPSEC over UDP and now everything is working.

andyjames Thu, 11/29/2007 - 05:23
Can you post the contents of the log window from the VPN client?

If the client connects fully and transmits traffic across the tunnel but no traffic flows back from the far end of the tunnel then it would be a config problem at the remote end.

Check the status, statistics window, that will show if traffic is flowing in both directions.

andyjames Thu, 11/29/2007 - 06:11
In that case it could be the PIX blocking the return traffic. Do you have any inspection groups set on the PIX?

If you do not already have the following commands can you add them please and then try again.

same-security-traffic permit inter-interface

sysopt connection permit-ipsec

They will allow inter-interface traffic and mark all ipsec traffic as trusted. This allows it to bypass any access-lists and be dealt with by the crypto engine. If it doesn't match it is dropped.
