Problem with VPN behind the NAT

Jul 8th, 2008

I have this scheme http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml

But I have a problem: the VPN is not coming up from the router which is behind the NAT, while it does come up from another site. Can anybody help me resolve this problem?

a.alekseev Tue, 07/08/2008 - 03:46

Do you have any vpn on the PIX also?

p.bryliov Tue, 07/08/2008 - 04:21

Yes, I have active VPN tunnels on my PIX. How can it influence my scheme?

a.alekseev Tue, 07/08/2008 - 04:45

What PIX version do you have?

p.bryliov Tue, 07/08/2008 - 18:47

PIX 515E

Cisco PIX Security Appliance Software Version 7.0(1)

a.alekseev Tue, 07/08/2008 - 03:48

debug crypto ipsec
debug crypto isakmp

no access-list 120
access-list 120 permit ip host 192.168.34.1 host 192.168.11.7

no ip access-list extended VPN
ip access-list extended VPN
 permit ip host 192.168.11.7 host 192.168.34.1
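The reason the two access lists above are rewritten as host-to-host entries is that crypto ACLs on IPsec peers must be mirror images of each other. As an added example (not code from the thread), this Python check parses both ACLs and reports any entry the peer does not mirror; the ACL text is constructed from the commands in the post.

```python
import re

# Constructed ACL text modelled on the two commands suggested in the post:
# the c2811 side (numbered ACL 120) and the c871 side (named ACL "VPN").
C2811_ACL = "access-list 120 permit ip host 192.168.34.1 host 192.168.11.7\n"
C871_ACL = "ip access-list extended VPN\n permit ip host 192.168.11.7 host 192.168.34.1\n"

# One permit ACE: optional "access-list <n>" prefix, protocol, then source and
# destination written as "host A.B.C.D", "any" or "A.B.C.D WILDCARD".
ACE_RE = re.compile(
    r"^\s*(?:access-list\s+\S+\s+)?permit\s+(\S+)\s+"
    r"(host\s+\S+|any|\S+\s+\S+)\s+(host\s+\S+|any|\S+\s+\S+)\s*$"
)


def normalize(addr):
    """Rewrite an IOS address term into 'address wildcard' form so that
    'host X' and 'X 0.0.0.0' compare equal."""
    parts = addr.split()
    if parts[0] == "host":
        return parts[1] + " 0.0.0.0"
    if parts[0] == "any":
        return "0.0.0.0 255.255.255.255"
    return " ".join(parts)


def parse_crypto_acl(text):
    """Return the set of (protocol, source, destination) tuples for every
    permit entry in an IOS extended ACL; other lines are ignored."""
    entries = set()
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            proto, src, dst = m.groups()
            entries.add((proto, normalize(src), normalize(dst)))
    return entries


def mirror_mismatches(local_text, remote_text):
    """Compare two crypto ACLs. Returns (only_local, only_remote): local
    entries the peer does not mirror, and mirrored peer entries the local
    side lacks. Both lists empty means the ACLs are exact mirror images."""
    local = parse_crypto_acl(local_text)
    remote_mirrored = {(p, d, s) for p, s, d in parse_crypto_acl(remote_text)}
    return sorted(local - remote_mirrored), sorted(remote_mirrored - local)


if __name__ == "__main__":
    print(mirror_mismatches(C2811_ACL, C871_ACL))  # ([], []) for the post's ACLs
```

A non-empty list on either side points at the entry to fix before chasing NAT or keepalive settings.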

p.bryliov Tue, 07/08/2008 - 04:45

I have attached the debug taken without deleting the access-list. After deleting the access-list on the c2811, the VPN tunnel came up. But after I reloaded the c871, the VPN again does not come up from the c2811.
a.alekseev Tue, 07/08/2008 - 04:52

so... Was it working?


try to add on both sides

crypto isakmp keepalive 10
crypto isakmp invalid-spi-recovery


after that do

clear crypto sa
clear crypto isa sa


p.bryliov Wed, 07/09/2008 - 00:05

Yes, I have read this guide, and this confuses me:

If an IKE SA is being initiated to notify an IPSec peer of an "Invalid SPI" error, there is the risk that a denial-of-service (DoS) attack can occur. The feature has a built-in mechanism to minimize such a risk, but because there is a risk, the feature is not enabled by default. You must enable the command using the command-line interface (CLI).

Can the VPN work without crypto isakmp invalid-spi-recovery? I think the c871 doesn't detect the NAT.