VPN Client to PIX 7.2(4) - NAT in between

Unanswered Question
Jun 11th, 2008

Hi

As I'm not a PIX specialist and have not yet found any enlightening information on the web, I ask here:


I have a VPN client that tries to connect to a PIX. In a Wireshark trace I see that it changes from ISAKMP to UDP port 4500, which in my opinion occurs when NAT is in between. I do not see any reply from my PIX to the port 4500 messages, only retries on ISAKMP; in the end the connection is not established.


Are there any special commands needed to allow port 4500 on the PIX? I have at least "crypto isakmp enable" and "crypto isakmp nat-traversal 20"; furthermore there's an access-list on the outside interface (in my opinion this access-list should not be looked at, because ISAKMP/4500 terminates on the PIX itself).


Any hint or question is appreciated.

Mat

MATTHIAS SCHAERER Thu, 06/12/2008 - 01:01

Anuraj,


I probably have not explained the situation clearly. I have a client VPN that is configured on the PIX. I do not try to traverse the PIX with tunneled traffic. The Cisco VPN client tries to establish a connection to the PIX itself.

I have seen the document you mentioned before but it does reflect my situation.


Thanks for the input anyway.

Mat

singhsaju Thu, 06/12/2008 - 05:36

Hi,

Post your config.

Also was this working before ?

MATTHIAS SCHAERER Thu, 06/12/2008 - 05:55

Hi Singhsaju,


I cannot tell you if it ever worked. The only thing I can tell is that the client can connect without modification of his profile when no NAT device is in between. My further investigations focus more and more on the NAT device as the culprit. I know too little about ISAKMP yet to really understand how it should work under normal circumstances, but I am doing some more tracing in that direction.


The crypto config is here; I think it looks pretty straightforward, but if you need anything more or see anything, let me know.


Thanks

Mat



crypto ipsec transform-set CRYTS-AES256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set CRYTS-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set CRYTS-AES256-MD5
crypto dynamic-map outside_dyn_map 20 set transform-set CRYTS-3DES-SHA
crypto map site2site 20 match address CRYACL20
crypto map site2site 20 set peer 20.20.20.20
crypto map site2site 20 set transform-set CRYTS-AES256-MD5
crypto map site2site 30 match address CRYACL30
crypto map site2site 30 set peer 30.30.30.30
crypto map site2site 30 set transform-set CRYTS-AES256-MD5
crypto map site2site 50 ipsec-isakmp dynamic outside_dyn_map
crypto map site2site interface INT-OUTSIDE
crypto ca trustpoint server1
 enrollment retry count 3
 enrollment url http://172.21.21.21:80/certsrv/mscep/mscep.dll
 password *
 keypair asdffdsa
 crl configure
crypto ca certificate map DefaultCertificateMap 50
 subject-name attr o eq asdfasdf
crypto ca certificate chain server1
 certificate ca 53e83xxxxxxxxxxxxxxxxxxxxxxbbe24
  308204f5 ...
 quit
 certificate 61cxxxxxxxxx00060
  30820566 ...
 quit
crypto isakmp enable INT-OUTSIDE
crypto isakmp policy 5
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 7
 authentication rsa-sig
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 15
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 2xxxx


singhsaju Thu, 06/12/2008 - 06:23

Hi Mat,

When a NAT device is in between and NAT traversal is enabled, IPsec communicates on UDP port 4500 instead of UDP 500 and ESP. So also check that UDP port 4500 is not blocked in the path.


Do you know what type of NAT device is in the path? Does it have IPsec passthrough enabled on it?



Saju

MATTHIAS SCHAERER Thu, 06/12/2008 - 07:48

Hi Saju,


As you say, I see the communication on port 4500 reaching my PIX. But with a capture on the PIX I see that no packets with source port 4500 are leaving the PIX. So my assumption is that either the configuration is wrong (which I doubt to a certain degree) or that the NAT device (a Netopia router) sends some information that the PIX is not able to interpret and therefore denies the connection.

I'll try to capture more data on the PIX to verify what is in the first ISAKMP packets before the communication switches to port 4500.


Thanks again.

Mat
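
As an added example (it is not part of the original thread, not Mat's trace and not Cisco code), the script below decodes the two kinds of packets a capture like the one described above contains, covering both Saju's point about UDP 4500 and Mat's plan to look inside the first ISAKMP packets: the IKEv1 datagrams on UDP/500, whose vendor-ID payloads show whether each side announced NAT-T and whose NAT-D payloads show whether NAT was detected, and the UDP/4500 datagrams, which per RFC 3948 are either IKE behind a four-byte non-ESP marker, UDP-encapsulated ESP, or a one-byte NAT keepalive. Header and payload layouts follow RFC 2408, RFC 3947 and RFC 3948; the sample datagrams at the bottom are constructed for the demo, and the vendor-ID strings for the draft versions are the ones those drafts specified, not anything taken from this PIX.

```python
"""Classify what a capture on the PIX shows for an IKEv1 / NAT-T client.

Added example for this thread; not Mat's trace and not Cisco code.
Layouts: RFC 2408 (ISAKMP header, payload chain), RFC 3947 (NAT-T
vendor IDs, NAT-D payload), RFC 3948 (UDP/4500 encapsulation).
"""
import hashlib
import struct

IKE_HDR = struct.Struct("!8s8sBBBBII")  # i-cookie, r-cookie, next, version, exchange, flags, msgid, length
PAYLOAD_HDR = struct.Struct("!BBH")     # next payload, reserved, payload length (incl. this header)
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # RFC 3948: IKE on UDP/4500 is prefixed with 4 zero bytes
NAT_KEEPALIVE = b"\xff"                 # RFC 3948: a single 0xFF byte keeps the NAT binding alive

PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 6: "CERT", 8: "HASH", 9: "SIG", 10: "NONCE",
                 11: "N", 13: "VID", 20: "NAT-D", 21: "NAT-OA", 130: "NAT-D(draft)"}

# NAT-T support is announced with a vendor ID payload whose body is the MD5 of the
# spec name (RFC 3947 section 3.1); the draft strings are the ones those drafts used.
NAT_T_VIDS = {
    hashlib.md5(b"RFC 3947").digest(): "RFC 3947",
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02\n").digest(): "draft-02n",
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-03").digest(): "draft-03",
}


def parse_ikev1(data):
    """Decode one UDP/500 (or de-marked UDP/4500) IKEv1 datagram into a summary dict."""
    if len(data) < IKE_HDR.size:
        raise ValueError("short ISAKMP header")
    _icky, rcky, nxt, ver, xchg, _flags, _msgid, length = IKE_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError("length field %d != datagram size %d" % (length, len(data)))
    payloads, nat_t_vids, other_vids, nat_d = [], [], [], 0
    off = IKE_HDR.size
    while nxt != 0:                                   # walk the next-payload chain
        if off + PAYLOAD_HDR.size > len(data):
            raise ValueError("truncated payload chain at offset %d" % off)
        p_next, _res, p_len = PAYLOAD_HDR.unpack_from(data, off)
        if p_len < PAYLOAD_HDR.size or off + p_len > len(data):
            raise ValueError("bad payload length %d at offset %d" % (p_len, off))
        body = data[off + PAYLOAD_HDR.size:off + p_len]
        payloads.append(PAYLOAD_NAMES.get(nxt, "type-%d" % nxt))
        if nxt == 13:                                 # vendor ID: a NAT-T announcement?
            name = NAT_T_VIDS.get(body)
            (nat_t_vids if name else other_vids).append(name or body.hex())
        elif nxt in (20, 130):                        # NAT-D: HASH(cookies | address | port)
            nat_d += 1
        nxt, off = p_next, off + p_len
    return {
        "version": "%d.%d" % (ver >> 4, ver & 0x0F),
        "exchange": xchg,                              # 2 = Main Mode, 4 = Aggressive Mode
        "responder_cookie_set": rcky != b"\x00" * 8,
        "payloads": payloads,
        "nat_t_vids": nat_t_vids,
        "other_vids": other_vids,
        "nat_d_payloads": nat_d,
    }


def classify_udp4500(data):
    """Tell apart the three things RFC 3948 allows on UDP/4500."""
    if data == NAT_KEEPALIVE:
        return "nat-keepalive"
    if data.startswith(NON_ESP_MARKER) and len(data) > len(NON_ESP_MARKER):
        return "ike"                                  # strip the marker, then parse_ikev1()
    if len(data) >= 8:
        spi, seq = struct.unpack_from("!II", data)   # UDP-encapsulated ESP: SPI, sequence
        return "esp spi=0x%08x seq=%d" % (spi, seq)
    return "unknown"


def build_ikev1(payloads, rcookie=b"\x00" * 8, xchg=2):
    """Assemble a constructed IKEv1 datagram from (type, body) pairs (demo input only)."""
    chain = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        p_next = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += PAYLOAD_HDR.pack(p_next, 0, PAYLOAD_HDR.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    return IKE_HDR.pack(b"\x11" * 8, rcookie, first, 0x10, xchg, 0, 0, IKE_HDR.size + len(chain)) + chain


# Constructed samples (hypothetical, not from the trace): a client's first Main Mode
# message (SA + vendor IDs) and its third (KE, nonce, two NAT-D payloads).
CLIENT_MM1 = build_ikev1([(1, b"\x00" * 8),
                          (13, hashlib.md5(b"RFC 3947").digest()),
                          (13, hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02\n").digest()),
                          (13, b"\xde\xad\xbe\xef")])
CLIENT_MM3 = build_ikev1([(4, b"\x01" * 16), (10, b"\x02" * 16),
                          (20, b"\x03" * 20), (20, b"\x04" * 20)], rcookie=b"\x22" * 8)
ESP_SAMPLE = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16

if __name__ == "__main__":
    for label, pkt in (("udp/500 client MM1:", CLIENT_MM1), ("udp/500 client MM3:", CLIENT_MM3)):
        print(label, parse_ikev1(pkt))
    for pkt in (NAT_KEEPALIVE, NON_ESP_MARKER + CLIENT_MM3, ESP_SAMPLE):
        print("udp/4500:", classify_udp4500(pkt))
```

Feed it the UDP payload of each packet in the trace, in both directions. Per RFC 3947 a peer only floats to port 4500 when both sides sent a NAT-T vendor ID in the first two Main Mode messages and the NAT-D hashes exchanged in messages three and four did not match, so comparing the vendor IDs in the client's first message with those in the PIX's reply, and then checking for NAT-D payloads, tells you at which step the exchange diverged from what the PIX expects.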

nomair_83 Thu, 06/19/2008 - 04:27

Can you please add a no-NAT ACL on the headend and call it in the nat command.

Regards,

