
VPN client behind PIX

molebrian
Level 1

I have a problem with a VPN client sitting inside a PIX 525 7.2(2). I can connect to the destination concentrator but cannot ping any resources (tested and works fine through little ADSL SOHO kit). After searching here, I added isakmp nat-traversal 20 to the config plus a NAT exemption. I now see clean UDP and TCP traffic in the syslog for this host but I still get no replies... Any help much appreciated as I'm losing hair on this one...

Accepted Solution

"The key here is to look at the configuration on the VPN concentrator. You need to set up NAT-T on the VPN concentrator, as follows:

Configuration | Tunneling and Security | IPSec | NAT Transparency

There is a check box for "IPSec over NAT-T". Check that box and it will work."

That's correct. I understood just the opposite at my first fast look at the question, that's why I rejected to not to NAT-T at PIX side.

"Cisco VPN client does not use PPTP protocol"

That's correct too, but I didn't see any statement about Cisco VPN client, that's why I suggested it. But if I recall correctly, the client shouldn't have been able to establish a connection if it was a PPTP client, without the fixup protocol I mention. So most probably it is Cisco VPN client.

Setting NAT-T at concentrator will resolve the issue as you mentioned.

Brian, if still no joy after setting NAT-T in concentrator, we need the config of concentrator.

9 Replies

husycisco
Level 7

Hi Brian,

Please attach your sanitized config

Regards

You need to enable NAT-T on the VPN concentrator. You do not need NAT-T on the PIX.

Edited... Misunderstood the issue

It is working for me as we speak.

You are right m8, I misunderstood the issue :)

Brian, issue the following command in PIX config

fixup protocol pptp 1723

Regards

Cisco VPN client does not use PPTP protocol.

I do not think you need that.

The key here is to look at the configuration on the VPN concentrator. You need to set up NAT-T on the VPN concentrator, as follows:

Configuration | Tunneling and Security | IPSec | NAT Transparency

There is a check box for "IPSec over NAT-T". Check that box and it will work.

Thanks folks, I've asked the other side but there is change control to get through before I can test... I'll keep this updated.
