VPN client behind PIX

Answered Question
Apr 2nd, 2008

I have a problem with a VPN client sitting inside a PIX 525 7.2(2). I can connect to the destination concentrator but cannot ping any resources (tested, and it works fine through a little ADSL SOHO kit). After searching here, I added isakmp nat-traversal 20 to the config plus a NAT exemption. I now see clean UDP and TCP traffic in the syslog for this host but I still see no replies..... Any help much appreciated as I'm losing hair on this one......

cisco24x7 Wed, 04/02/2008 - 07:30

You need to enable NAT-T on the VPN concentrator. You do not need NAT-T on the Pix.

husycisco Wed, 04/02/2008 - 07:36

You are right m8, I misunderstood the issue :)

Brian, issue the following command in PIX config

fixup protocol pptp 1723

Regards

cisco24x7 Wed, 04/02/2008 - 08:10

Cisco VPN client does not use PPTP protocol.

I do not think you need that.

The key here is to look at the configuration on the VPN concentrator. You need to set up NAT-T on the VPN concentrator, as follows:

Configuration | Tunneling and Security | IPSec | NAT Transparency

There is a check box for "IPSec over NAT-T".

Check that box and it will work.

Correct Answer
husycisco Wed, 04/02/2008 - 08:36

"The key here is to look at the configuration on the VPN concentrator. You need to set up NAT-T on the VPN concentrator, as follows:

Configuration | Tunneling and Security | IPSec | NAT Transparency

There is a check box for "IPSec over NAT-T".

Check that box and it will work."

That's correct. I understood just the opposite at my first fast look at the question; that's why I rejected not doing NAT-T on the PIX side.

"Cisco VPN client does not use PPTP protocol"

That's correct too, but I didn't see any statement about the Cisco VPN client; that's why I suggested it. But if I recall correctly, the client shouldn't have been able to establish a connection if it was a PPTP client without the fixup protocol I mentioned. So most probably it is the Cisco VPN client.

Setting NAT-T on the concentrator will resolve the issue, as you mentioned.

Brian, if there is still no joy after setting NAT-T on the concentrator, we need the config of the concentrator.
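Why the tunnel comes up but passes no traffic, and why the fix sits on the concentrator rather than the PIX, follows from how IKEv1 NAT traversal (RFC 3947) is negotiated. The following Python model is an added example for this thread; it is not code from the thread, from Cisco, or from any PIX/concentrator image. The addresses, PAT port and peer names are constructed, the cookies are random, and it assumes what the answers above conclude: a Cisco IPsec client on the PIX inside network whose UDP/500 is PAT-translated on the way out. Each side hashes the peer's address and its own with the ISAKMP cookies; a mismatch on receipt means a NAT is in the path and both ends float to UDP 4500 with ESP wrapped in UDP. If either side never advertises NAT-T, no NAT-D exchange happens, IKE still completes (UDP can be PATed) and ESP, which has no ports for the PIX to translate, goes nowhere.

```python
"""Model of RFC 3947 NAT discovery (NAT-D) for an IKEv1 client behind a PAT device."""
import hashlib
import ipaddress
import os
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = Tuple[str, int]


@dataclass
class Peer:
    name: str
    ip: str      # address the peer really binds to
    port: int    # 500 for plain IKE
    nat_t: bool  # advertises the RFC 3947 vendor ID (the concentrator's "IPSec over NAT-T" box)


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 section 3.2: HASH = SHA-1(CKY-I | CKY-R | IP | Port)."""
    addr = ipaddress.ip_address(ip).packed          # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def build_nat_d(cky_i: bytes, cky_r: bytes, local: Peer, peer_seen: Addr) -> List[bytes]:
    """NAT-D payloads a peer sends: hash of the remote address as it sees it, then its own."""
    return [nat_d_hash(cky_i, cky_r, *peer_seen),
            nat_d_hash(cky_i, cky_r, local.ip, local.port)]


def check_nat_d(cky_i: bytes, cky_r: bytes, local: Peer, src_seen: Addr,
                received: List[bytes]) -> Tuple[bool, bool]:
    """Receiver's view: (I am behind NAT, the sender is behind NAT).

    The first payload must equal the hash of my real address; the remaining ones
    must contain the hash of the source address the packet actually arrived from.
    """
    me_behind_nat = received[0] != nat_d_hash(cky_i, cky_r, local.ip, local.port)
    them_behind_nat = nat_d_hash(cky_i, cky_r, *src_seen) not in received[1:]
    return me_behind_nat, them_behind_nat


def negotiate(client: Peer, gateway: Peer, client_pat: Optional[Addr]) -> str:
    """Outcome of phase 1 for a client whose UDP/500 is PAT-translated to client_pat.

    Returns:
      "esp_native"     no NAT seen, ESP (IP protocol 50) is used directly
      "udp_4500"       NAT detected and both ends do NAT-T, ESP is UDP-encapsulated
      "esp_blackholed" NAT in the path but no NAT-T: IKE completes (UDP can be PATed)
                       while ESP cannot be, so the tunnel is "up" but passes no traffic
    """
    cky_i, cky_r = os.urandom(8), os.urandom(8)   # ISAKMP cookies, random per exchange
    client_seen: Addr = client_pat or (client.ip, client.port)
    if not (client.nat_t and gateway.nat_t):
        # No NAT-T vendor ID from one side: NAT-D is never exchanged, nothing floats to 4500.
        return "esp_native" if client_pat is None else "esp_blackholed"
    # Client -> concentrator: the PIX rewrites the source, not the NAT-D payload contents.
    gw_me, gw_them = check_nat_d(cky_i, cky_r, gateway, client_seen,
                                 build_nat_d(cky_i, cky_r, client, (gateway.ip, gateway.port)))
    # Concentrator -> client: the gateway hashes the client's address as it sees it (post-PAT).
    cl_me, cl_them = check_nat_d(cky_i, cky_r, client, (gateway.ip, gateway.port),
                                 build_nat_d(cky_i, cky_r, gateway, client_seen))
    if gw_me or gw_them or cl_me or cl_them:
        return "udp_4500"
    return "esp_native"


# Constructed sample topology (not from the thread): client on the PIX inside network,
# PAT'd to the PIX outside address; concentrator on a public address.
CLIENT = Peer("vpn-client", "10.1.1.20", 500, nat_t=True)
PIX_PAT: Addr = ("203.0.113.5", 32123)
CONCENTRATOR_NATT = Peer("concentrator", "198.51.100.10", 500, nat_t=True)
CONCENTRATOR_NO_NATT = Peer("concentrator", "198.51.100.10", 500, nat_t=False)

if __name__ == "__main__":
    for gw in (CONCENTRATOR_NO_NATT, CONCENTRATOR_NATT):
        print(f"NAT-T on concentrator={gw.nat_t}: {negotiate(CLIENT, gw, PIX_PAT)}")
    print(f"no NAT in path: {negotiate(CLIENT, CONCENTRATOR_NATT, None)}")
```

With the concentrator's NAT-T box unchecked the model returns "esp_blackholed", which is exactly the symptom in the question: ISAKMP over UDP 500 completes and shows as clean UDP in the PIX syslog, while the ESP carrying the pings has no ports for the PAT to translate. With NAT-T on both ends the client floats to UDP 4500 and the PIX handles it like any other outbound UDP flow. Two caveats for the PIX side: `isakmp nat-traversal` only matters when the PIX is itself an IKE peer, not when it merely PATs a client out, so it does nothing here; and where the remote gateway cannot be changed, PIX 7.x can instead track ESP alongside its IKE session with `inspect ipsec-pass-thru`, at the cost of that state-tracking rather than a clean UDP-encapsulated tunnel.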

molebrian Thu, 04/03/2008 - 02:18

Thanks folks, I've asked the other side but there is change control to get through before I can test.......I'll keep this updated.
