06-11-2008 08:17 AM - edited 02-21-2020 03:46 PM
Hi
as I'm not a PIX specialist and have not yet found any enlightening information on the web I ask here:
I have a VPN client that tries to connect to a PIX. In a wireshark trace I see that it changes from ISAKMP to UDP port 4500 which in my opinion occurs when NAT is in between. I do not see any reply from my PIX to the port 4500 messages but only retries on ISAKMP - finally the connection is not established.
Are there any special commands needed to allow port 4500 on the PIX? I have at least "crypto isakmp enable" and "crypto isakmp nat-traversal 20", furthermore there's an access-list on the outside interface (in my opinion this access-list should not be looked at because ISAKMP/4500 ends on the PIX).
Any hint or question is appreciated.
Mat
06-11-2008 10:46 AM
Hi Mat,
It seems like you are trying to configure a vpn passthrough.
Check the following link, hope it will help you.
Regards,
Anuraj Bhadana
06-12-2008 01:01 AM
Anuraj,
I probably have not explained the situation clearly. I am having a client VPN that is configured on the PIX. I do not try to traverse the PIX with tunneled traffic. The Cisco VPN client tries to establish a connection to the PIX itself.
I have seen the document you mentioned before but it does reflect my situation.
Thanks for the input anyway.
Mat
06-12-2008 05:36 AM
Hi,
Post your config.
Also was this working before ?
06-12-2008 05:55 AM
Hi Singhsaju,
I cannot tell you if it ever worked. The only thing I can tell is that the client can connect without modification of his profile when no NAT device is in between. My further investigations focus more and more on the NAT device as the culprit. I know too few about ISAKMP yet to really understand how it should work under normal circumstances, but I do some more tracing in that direction.
The crypto config is here, I think it looks pretty straight forward but if you need something more or see anything let me know.
Thanks
Mat
crypto ipsec transform-set CRYTS-AES256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set CRYTS-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set CRYTS-AES256-MD5
crypto dynamic-map outside_dyn_map 20 set transform-set CRYTS-3DES-SHA
crypto map site2site 20 match address CRYACL20
crypto map site2site 20 set peer 20.20.20.20
crypto map site2site 20 set transform-set CRYTS-AES256-MD5
crypto map site2site 30 match address CRYACL30
crypto map site2site 30 set peer 30.30.30.30
crypto map site2site 30 set transform-set CRYTS-AES256-MD5
crypto map site2site 50 ipsec-isakmp dynamic outside_dyn_map
crypto map site2site interface INT-OUTSIDE
crypto ca trustpoint server1
 enrollment retry count 3
 enrollment url http://172.21.21.21:80/certsrv/mscep/mscep.dll
 password *
 keypair asdffdsa
 crl configure
crypto ca certificate map DefaultCertificateMap 50
 subject-name attr o eq asdfasdf
crypto ca certificate chain server1
 certificate ca 53e83xxxxxxxxxxxxxxxxxxxxxxbbe24
  308204f5 ...
  quit
 certificate 61cxxxxxxxxx00060
  30820566 ...
  quit
crypto isakmp enable INT-OUTSIDE
crypto isakmp policy 5
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 7
 authentication rsa-sig
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 15
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 2xxxx
06-12-2008 06:23 AM
Hi Mat,
When a NAT device is in between and NAT traversal is enabled, IPsec communicates on UDP port 4500 instead of UDP 500 and ESP. So also check that UDP port 4500 is not blocked in the path.
Do you know what type of NAT device is in the path? Does it have IPsec pass-through enabled on it?
Saju
06-12-2008 07:48 AM
Hi Saju,
As you say, I see the communication on port 4500 reaching my PIX. But with a capture on the PIX I see that no packets on source port 4500 are leaving the PIX. So my assumption is that either the configuration is wrong (which I doubt to a certain degree) or that the NAT device (a Netopia router) sends some information that the PIX is not able to interpret and therefore denies the connection.
I try to capture more data in the PIX to verify what is in the first ISAKMP packets before the communication switches to port 4500.
Thanks again.
Mat
06-19-2008 04:27 AM
Can you please add some no-NAT ACL on the headend and call that in the nat command.
Regards,