VPN client behind Cisco firewalls having problem accessing remote hosts

fmt_cisco
Level 1

I'm in charge of two sites (two offices whose LANs are behind two Cisco firewalls, respectively). Let's call my firewalls FW1 and FW2. I also have two Wifi routers *outside* the firewalls.

I have to run a VPN client to connect to a remote site (our customer's network), which is also using a Cisco firewall, called FWR. The VPN connection can be established without problem. But my problem is that when the PC running the VPN client is behind FW1 or FW2, I can't access remote hosts (i.e. those behind FWR). By that I mean, e.g., a ping to remote hosts gets no reply (remote hosts ARE allowed to reply to ping).

However, if the PC is connected to the Wifi routers or through a 56k modem dialup, I can access remote hosts without problem. Here are the technical details.

Site 1:

FW1 = PIX 515E ver 6.3(3)

LAN1 = 10.1.1.0/255.255.255.0

Site 2:

FW2 = PIX 506E ver 6.3(3)

LAN2 = 172.16.0.0/255.255.0.0

Remote site:

FWR = no idea

VPN Pool = 10.20.23.48/255.255.255.240

At the beginning, I saw that my PC was assigned an IP address with a mask of 255.0.0.0. I thought that might be the cause of the problem, since their VPN pool address is 10.0.0.0 and that encompasses my LAN1's 10.1.1.0. I told the remote site's admin to force his firewall to assign the mask as 255.255.255.240. Now my PC has got this mask, but the problem isn't resolved. I've run out of ideas. Could someone shed some light on this matter?

I don't understand why I have no problem when the PC is outside the Cisco firewall but behind a Wifi router. Is there something I could do to my firewalls, FW1 and FW2? Or something to do with the remote firewall FWR?

5 Replies

acomiskey
Level 10

You are able to get this to work on the wifi router because at that point you are not PATing on the PIX. The remote VPN device needs to have NAT traversal enabled, or you need to use a static NAT in the PIX for the internal VPN client. IPsec + PAT = NAT-T required.

Thanks for your reply.

Do you mean I have to ask the remote admin to add the following line?

isakmp nat-traversal 20

I thought this command only concerns site-to-site VPN tunnel. Well, my bad...

But I don't quite understand the technical reason you've given. You said I'm "not patting on the pix", but I suppose my Wifi routers are also doing PAT. Isn't it the same case here?

I can't do static NAT because, on the one hand, several PCs are allowed to connect to the remote site, and on the other hand, I don't have enough public IP addresses for the assignment.

Yes, depending on what the device is and the version #. It could also be "crypto isakmp nat-traversal".

Your wifi routers are probably doing IPsec passthru.

Oh yes! You're correct. My Wifi is a Linksys WRT54GC and it's got the IPSec Passthrough!

Now I need to ask the remote admin to give me his firewall's model and version.

Oh, I'm wondering if there exists a command that has the same effect as this "IPsec passthrough" in the PIX? Then I wouldn't need to ask every remote admin in case they forgot to enable NAT traversal on their side.
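To make the "IPsec + PAT = NAT-T required" point concrete, here is an added simulation (not code from anyone in this thread) of a PAT device with two inside VPN clients. Plain ESP (IP protocol 50) has no port field, so a port-keyed translation table cannot map it and the packet is dropped, whereas NAT-T wraps ESP in UDP/4500 and the usual port translation works; the outside addresses 203.0.113.10 and 198.51.100.1 are constructed placeholders.

```python
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "203.0.113.10"   # constructed outside address of the PAT device
REMOTE = "198.51.100.1"      # constructed address of the remote VPN gateway (FWR)
ESP, UDP = 50, 17
NAT_T_PORT = 4500            # UDP port used by IPsec NAT traversal

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # ESP has no transport-layer ports
    dport: Optional[int] = None

class PatDevice:
    """Port Address Translation: many inside hosts share one outside address.
    Translations are keyed on (protocol, outside port); raw ESP carries no port
    field, so the device has nothing to rewrite and nothing to key on."""
    def __init__(self, public_ip: str = PUBLIC_IP):
        self.public_ip = public_ip
        self.next_port = 1024
        self.table = {}  # (proto, outside port) -> (inside ip, inside port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            return None  # no port to translate: packet is dropped
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.table.get((pkt.proto, pkt.dport))
        if inside is None:
            return None  # no translation entry: packet is dropped
        return replace(pkt, dst=inside[0], dport=inside[1])

def simulate(nat_t: bool) -> int:
    """Two inside VPN clients talk to the remote gateway; return how many
    of them get the gateway's reply back through the PAT device."""
    pat, delivered = PatDevice(), 0
    for client in ("10.1.1.5", "10.1.1.6"):
        if nat_t:   # NAT-T: ESP encapsulated in UDP/4500, so PAT has a port
            pkt = Packet(UDP, client, REMOTE, NAT_T_PORT, NAT_T_PORT)
        else:       # raw ESP, as used when NAT-T is not negotiated
            pkt = Packet(ESP, client, REMOTE)
        out = pat.outbound(pkt)
        if out is None:
            continue
        reply = Packet(out.proto, out.dst, out.src, out.dport, out.sport)
        back = pat.inbound(reply)
        if back is not None and back.dst == client:
            delivered += 1
    return delivered
```

simulate(False) returns 0 (both ESP clients are dropped at the PAT device) and simulate(True) returns 2, which is the difference between the PIX doing PAT without NAT-T and the remote side negotiating NAT-T.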