Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
480
Views
0
Helpful
2
Replies

VPN Client 3.0, NAT Transparency and PIX Firewall 6.01

s.vidanovic
Level 1
Level 1

‎07-30-2001 02:19 AM - edited ‎02-21-2020 11:23 AM

Does VPN Client 3.x (unified framework) support NAT transparency? If not, is there a plan to support this feature? Is there any VPN client with NAT transparency feature compatible with PIX 6.0?

Problem: I'm siting behind corporate firewall with VPN Client 3.x, when I go outside, I'm PAT-ed, and I want to connect to remote PIX to establish VPN tunnel. When I'm connected directly to remote router (next hop is PIX), everything is OK, when I try the same thing behind firewall, I receive error:

1 11:16:56.272 07/30/01 Sev=Warning/2 IKE/0xE3000079

Exceeded 3 IKE SA negotiation retransmits... peer is not responding

2 11:16:56.322 07/30/01 Sev=Warning/3 DIALER/0xE3300015

GI VPN start callback failed "CM_PEER_NOT_RESPONDING" (16h).

Labels:
0 Helpful
2 Replies 2

johncharris
Level 1
Level 1

‎08-02-2001 12:21 PM

I am currently performing the same function through a PIX 506 firewall connected to a cable modem using PAT. You must select within the VPN 3.0 client properties "Allow IPSEC through NAT mode". The most common application for IPSec through NAT mode is behind a home router performing PAT. Using this feature encapsulates Protocol 50 (ESP) traffic within UDP packets that the home router/firewall forwards to their destination. The VPN Client also sends keepalives frequently, ensuring that the mappings on the router/firewall are kept active. However using this method requires port 10000 UDP (default) to be permitted outbound through the firewall.

0 Helpful

shabib.syed
Level 1
Level 1
In response to johncharris

‎08-02-2001 12:37 PM

Well I heard that Cisco does not support this feature yet. I have my clients connecting through there home router or dsl and few of them are using PAT. And all select that option "Allow IPSEC through NAT mode". But still there are unable to do so. Now if you can help me with this port 10000 UDP port to be permitted outbound through the firewall ( i am assuming this port access will be on my PIX where the clients are terminating.) Can you tell me exactly wat addresses i have to permit to go out. Is it the virtual ip address that my VPN clients get or everything. I m not sure i got how will this be done...allowing that port 10000 UDP. i will appreciate that.

0 Helpful
Customers Also Viewed These Support Documents