VPN client behind Cisco firewalls having problem accessing remote hosts

Unanswered Question
May 15th, 2008

I'm in charge of two sites (two offices whose LANs are behind two Cisco firewalls respectively). Let's call my firewalls FW1 and FW2. I also have two Wifi routers *outside* the firewalls.

I have to run a VPN client to connect to a remote site (our customer's network) which is also using a Cisco firewall, called FWR. VPN connection can be established without problem. But my problem is when the PC running the VPN client is behind FW1 or FW2, I can't access remote hosts (i.e. those behind FWR). By that I mean, e.g. ping to remote hosts has no reply (remote hosts ARE allowed to reply on ping).

However, if the PC is connected to the Wifi routers or through a 56k modem dialup, I can access remote hosts without problem. Here are the technical details.

Site 1:

FW1 = Pix 515E ver 6.3(3)

LAN1 =

Site 2 :

FW2 = Pix 506E ver 6.3(3)

LAN2 =

Remote site :

FWR = no idea

VPN Pool =

At the beginning, I saw that my PC was assigned an IP address with a mask of I thought that might be the cause of the problem since their VPN pool address is and that encompasses my LAN1's I told the remote site's admin to force his firewall to assign the mask as Now my PC has got this mask but the problem isn't resolved. I've run out of ideas. Could someone shed some light on this matter?

I don't understand why I've no problem when the PC is outside the Cisco firewall but behind a Wifi router. Is there something I could do to my firewalls, FW1 and FW2? Or to do with remote firewall FWR?

acomiskey Thu, 05/15/2008 - 10:44

You are able to get this to work on the wifi router because at that point you are not patting on the pix. The remote vpn device needs to have nat-traversal enabled or you need to use a static nat in the pix for the internal vpn client. IPSEC + PAT = nat-t required
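Added example, not part of the original thread: a small classifier for packets captured on the outside interface of the PAT device, showing how to tell the symptom described here (IKE on UDP/500 completes, but data is sent as native ESP, IP protocol 50, which has no ports for PAT to translate) from a tunnel that negotiated NAT-T (ESP wrapped in UDP/4500). The packet builders, addresses and sample captures are constructed for illustration.

```python
import socket
import struct

PROTO_UDP, PROTO_ESP, IKE_PORT, NATT_PORT = 17, 50, 500, 4500

def classify(pkt: bytes) -> str:
    """Classify one raw IPv4 packet by how it carries IPsec traffic."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == PROTO_ESP:
        return "native-esp"            # no port numbers: PAT cannot multiplex it
    if proto != PROTO_UDP or len(pkt) < ihl + 8:
        return "other"
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    payload = pkt[ihl + 8:ihl + ulen]
    if NATT_PORT in (sport, dport):
        if payload == b"\xff":
            return "natt-keepalive"    # one-byte NAT keepalive
        if payload[:4] == b"\x00" * 4:
            return "ike-over-4500"     # non-ESP marker precedes IKE on 4500
        return "udp-encap-esp"         # first four bytes are a non-zero SPI
    return "ike" if IKE_PORT in (sport, dport) else "other"

def diagnose(packets) -> str:
    """Summarise a capture: 'nat-t', 'native-esp', 'ike-only' or 'none'."""
    kinds = {classify(p) for p in packets}
    if "udp-encap-esp" in kinds:
        return "nat-t"
    if "native-esp" in kinds:
        return "native-esp"
    return "ike-only" if kinds & {"ike", "ike-over-4500"} else "none"

# --- constructed sample packets (checksums left at zero, not validated) ---
def ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.1"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

ESP = b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"\xaa" * 16  # SPI, seq, data
BROKEN = [ipv4(PROTO_UDP, udp(500, 500, b"\x11" * 28)), ipv4(PROTO_ESP, ESP)]
WORKING = [ipv4(PROTO_UDP, udp(500, 500, b"\x11" * 28)),
           ipv4(PROTO_UDP, udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),
           ipv4(PROTO_UDP, udp(4500, 4500, ESP)),
           ipv4(PROTO_UDP, udp(4500, 4500, b"\xff"))]

if __name__ == "__main__":
    print("behind PAT, no NAT-T:", diagnose(BROKEN))
    print("NAT-T negotiated:   ", diagnose(WORKING))
```

A result of "native-esp" or "ike-only" for a client behind PAT matches the situation in this thread: the tunnel comes up, but traffic to remote hosts gets no replies.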

fmt_cisco Thu, 05/15/2008 - 11:03

Thanks for your reply.

Do you mean I have to ask the remote admin to add the following line?

isakmp nat-traversal 20

I thought this command only concerns site-to-site VPN tunnel. Well, my bad...

But I don't quite understand the technical reason you've given. You said I'm "not patting on the pix", but I suppose my Wifi routers are also doing PAT. Isn't it the same case here?

I can't do static NAT because on one hand several PCs are allowed to connect to the remote site, and on the other hand, I don't have enough public IP addresses for the assignment.

acomiskey Thu, 05/15/2008 - 11:21

Yes, depending on what the device is and version #. Could also be "crypto isakmp nat-traversal".

Your wifi routers are probably doing ipsec passthru.

fmt_cisco Thu, 05/15/2008 - 11:36

Oh yes! You're correct. My Wifi is a Linksys WRT54GC and it's got the IPSec Passthrough!

Now I need to ask the remote admin to give me his firewall's model and version.

fmt_cisco Thu, 05/15/2008 - 11:57

Oh, I'm wondering if there exists a command to have the same effect as this "IPsec passthrough" in the PIX? So I don't need to ask every remote admin in case they forgot to enable their NAT traversal on their side.

