04-02-2008 06:59 AM - edited 03-11-2019 05:26 AM
I have a problem with a VPN client sitting inside a PIX 525 7.2(2). I can connect to the destination concentrator but cannot ping any resources (tested, and it works fine through a little ADSL SOHO kit). After searching here, I added isakmp nat-traversal 20 to the config plus a NAT exemption. I now see clean UDP and TCP traffic in the syslog for this host, but I still get no replies... Any help much appreciated as I'm losing hair on this one...
04-02-2008 07:19 AM
Hi Brian,
Please attach your sanitized config
Regards
04-02-2008 07:27 AM
Hi Brian,
Please attach your sanitized config
Regards
04-02-2008 07:30 AM
You need to enable NAT-T on the VPN concentrator. You do not need NAT-T on the Pix.
04-02-2008 07:33 AM
Edited... Misunderstood the issue
04-02-2008 07:34 AM
It is working for me as we speak.
04-02-2008 07:36 AM
You are right m8, I misunderstood the issue :)
Brian, issue the following command in PIX config
fixup protocol pptp 1723
Regards
04-02-2008 08:10 AM
Cisco VPN client does not use the PPTP protocol. I do not think you need that.
The key here is to look at the configuration on the VPN concentrator. You need to set up NAT-T on the VPN concentrator, as follows:
Configuration | Tunneling and Security | IPSec | NAT Transparency
There is a check box for "IPSec over NAT-T". Check that box and it will work.
04-02-2008 08:36 AM
"The key here is to look at the configuration on the VPN concentrator. You need to set up NAT-T on the VPN concentrator, as follows:
Configuration | Tunneling and Security | IPSec | NAT Transparency
There is a check box for "IPSec over NAT-T". Check that box and it will work."
That's correct. I understood just the opposite at my first fast look at the question; that's why I suggested not doing NAT-T on the PIX side.
"Cisco VPN client does not use PPTP protocol"
That's correct too, but I didn't see any statement about the Cisco VPN client; that's why I suggested it. But if I recall correctly, the client shouldn't have been able to establish a connection if it was a PPTP client without the fixup protocol I mentioned. So most probably it is the Cisco VPN client.
Setting NAT-T at the concentrator will resolve the issue, as you mentioned.
Brian, if there is still no joy after setting NAT-T on the concentrator, we need the config of the concentrator.
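As an added example (not code from the thread), a small Python script that reads PIX connection-build syslog lines like the ones Brian mentions seeing and reports whether the client's IKE session floated to UDP/4500, which is what appears once both ends negotiate NAT-T; if only UDP/500 flows show up, NAT-T was not agreed and the ESP return traffic is what goes missing behind PAT. The log lines and addresses are constructed, and the regex assumes the 302013/302015 "Built ... connection" message layout.

```python
import re
from collections import Counter

# Constructed PIX syslog lines (not from the thread). The layout follows the
# 302013/302015 "Built ... connection" messages; addresses are documentation ranges.
IKE_ONLY_LOG = """\
%PIX-6-302015: Built outbound UDP connection 4711 for outside:203.0.113.10/500 (203.0.113.10/500) to inside:10.10.1.25/500 (198.51.100.2/500)
%PIX-6-302015: Built outbound UDP connection 4712 for outside:203.0.113.10/500 (203.0.113.10/500) to inside:10.10.1.25/500 (198.51.100.2/500)
%PIX-6-302013: Built outbound TCP connection 4713 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.10.1.25/1040 (198.51.100.2/1040)
"""
# Same client after NAT-T was negotiated: IKE and encapsulated ESP float to UDP/4500.
NATT_LOG = IKE_ONLY_LOG + (
    "%PIX-6-302015: Built outbound UDP connection 4714 for outside:203.0.113.10/4500 "
    "(203.0.113.10/4500) to inside:10.10.1.25/4500 (198.51.100.2/4500)\n"
)

CONN_RE = re.compile(
    r"Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+ for "
    r"outside:(?P<peer>[\d.]+)/(?P<peer_port>\d+) .*? to inside:(?P<host>[\d.]+)/\d+"
)

def flows_for_host(syslog_text, host):
    """Count (protocol, peer port) pairs built for one inside host."""
    counts = Counter()
    for line in syslog_text.splitlines():
        m = CONN_RE.search(line)
        if m and m.group("host") == host:
            counts[(m.group("proto"), int(m.group("peer_port")))] += 1
    return counts

def natt_status(counts):
    """Classify the IPsec state from the ports seen.

    IKE runs on UDP/500. When both peers support NAT-T, IKE detects the NAT
    and moves IKE plus UDP-encapsulated ESP to UDP/4500, which PAT can
    translate. Without that, ESP is sent as raw IP protocol 50 and the
    replies carry no port for the PIX to map back to the client.
    """
    ike = counts.get(("UDP", 500), 0)
    natt = counts.get(("UDP", 4500), 0)
    if ike == 0:
        return "no IKE traffic from this host"
    if natt == 0:
        return "IKE up but no UDP/4500: NAT-T not negotiated (check the concentrator)"
    return "NAT-T negotiated: encapsulated ESP on UDP/4500"

if __name__ == "__main__":
    for label, log in (("before", IKE_ONLY_LOG), ("after", NATT_LOG)):
        print(label, natt_status(flows_for_host(log, "10.10.1.25")))
```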
04-03-2008 02:18 AM
Thanks folks, I've asked the other side, but there is change control to get through before I can test... I'll keep this updated.