
Can't connect to vpn

Lharrypersaud
Level 1

My client (network A) has a remote access VPN set up on a PIX firewall. I can connect to this VPN by launching the Cisco VPN client from anywhere on the Internet and it works fine, but when I try to connect from inside my network (network B) I can't connect. I have a PIX firewall running inside my network. If I bypass the firewall I can connect just fine. I even added this command to my PIX, sysopt connection permit-ipsec, and it still does not work. Can someone please tell me if I am missing something?

Thanks,

Lake

1 Accepted Solution

It's true that the command is not available with v6.2. Good luck.

9 Replies

jackko
Level 7

Is it a PPTP VPN or an IPsec VPN?

With PPTP, you'll need to apply this command on the local PIX:

fixup protocol pptp 1723

With IPsec, you mentioned you can't connect. Do you mean the VPN client wouldn't connect? Or the VPN client connected and you can't access any resources? If the VPN client connected and you can't access anything, then you'll need to apply this command on the remote PIX:

isakmp nat-traversal

sbianchi
Level 1

Hi Lake,

Has your client fw enabled IPsec NAT traversal (IPsec over UDP)?

IPsec doesn't support NAT/PAT (which your fw may be doing) of the client without support for IPsec over UDP on the end side of the VPN.

I hope it helps.

Bye

Lharrypersaud
Level 1

It is an IPsec VPN. When I launch the VPN client it says "contacting security gateway at x.x.x.x" (which is the PIX at the other end, not the PIX inside my network). Then the client stops with this error message: "secure vpn connection terminated locally by the client. reason 412: The remote peer is no longer responding." At the bottom of the status bar it says "not connected". I enabled this command, "isakmp nat-traversal", on my PIX where the VPN client is located. Are there any more commands I need to enter on either PIX? Both offices do have remote access VPN working fine. It's just that I can't go through both PIX when using remote access VPN. Thanks a lot for the posts, guys, but I hope someone can help me with this.

Thanks Again,

Lake

Is there any inbound/outbound ACL on the network B PIX? If so, would you post it?

Lharrypersaud
Level 1

I am not at the office right now but I can post the access list when I get there if you still need it. As far as I know, I don't think there is any access list blocking the VPN connection. I even tried to simulate this using another PIX with no access list and I came up with the same result, but I didn't add the isakmp nat-traversal. I don't know if I need to create any access list? Maybe you can help me with this. I added the isakmp nat-traversal to the PIX on network B. That's all I have done besides configuring the PIX for remote access on network A. I think I am still missing something more to make this work but I don't know what it is. I am also running version 634 on the PIX at network B. I am wondering if I need to add isakmp nat-traversal on the PIX at network A. I have been working on this for a few months now and I am getting very frustrated and so is my boss. I hope someone can help me.

Thanks

Lake

isakmp nat-traversal is a must on the network A PIX, not the network B PIX.

Lharrypersaud
Level 1

Hi Jakko,

I tried the command isakmp nat-traversal on the PIX at network A and it doesn't like it. It is a PIX 501 running version 622. I think that command is not supported in that version of the PIX OS because the new version of the PIX OS takes it fine. I am hoping to go there tomorrow and upgrade the PIX 501 to 634 and then add the command. I will keep you posted as to how it's going. Thanks a lot for all your help.

Lake

It's true that the command is not available with v6.2. Good luck.

Hi Jakko,

I upgraded the PIX to 634 and I added isakmp nat-traversal and it worked like a charm. Thanks a lot for all the help. I appreciate that.

Regards,

Lake
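
Added example (not part of the original thread): a small Python audit of a saved head-end PIX configuration for the two conditions the thread ended up depending on, an OS release that accepts `isakmp nat-traversal` and the command actually being present. The sample configurations, the hostname and the function names are constructed for illustration; the 6.3 threshold reflects the thread (rejected on 6.2, accepted on 634).

```python
import re

# Constructed sample configs: the network A (head-end) PIX before and after the upgrade.
BEFORE = """\
PIX Version 6.2(2)
hostname networkA-pix
isakmp enable outside
isakmp policy 10 authentication pre-share
"""
AFTER = """\
PIX Version 6.3(4)
hostname networkA-pix
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
"""

# Assumption taken from the thread: the command is rejected on 6.2 and accepted on 6.3(4).
NAT_T_MIN = (6, 3)


def pix_version(config):
    """Return (major, minor) from the 'PIX Version x.y(z)' line, or None."""
    m = re.search(r"^PIX Version (\d+)\.(\d+)", config, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit_nat_t(config):
    """List findings that would stop VPN clients behind NAT/PAT from connecting."""
    findings = []
    ver = pix_version(config)
    if ver is None:
        findings.append("no 'PIX Version' line found")
    elif ver < NAT_T_MIN:
        findings.append("PIX OS %d.%d predates NAT-T; upgrade to 6.3 or later" % ver)
    if not re.search(r"^isakmp enable \S+", config, re.MULTILINE):
        findings.append("ISAKMP is not enabled on any interface")
    # Optional argument is the NAT keepalive interval in seconds.
    if not re.search(r"^isakmp nat-traversal([ \t]+\d+)?[ \t]*$", config, re.MULTILINE):
        findings.append("'isakmp nat-traversal' missing on the VPN head-end")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_nat_t(cfg) or "ok")
```

Run it against the configuration of the PIX that terminates the VPN (network A in the thread), not the PIX in front of the client.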
