nat traversal broken after upgrade to 7.04

Answered Question
Feb 6th, 2006

We had nat traversal working just fine on our PIX 515E bundle running ver 6.3.4.

Allowing ah, esp, isakmp, udp port 500 in.

nat traversal enabled. sysopt permit-ipsec.

Users behind the pix can establish vpn connections, but traffic does not pass. Users can establish vpn & pass traffic just fine when they are in front of the pix. The users connect to various vpn devices that we have no control or access to.

Correct Answer by mpalardy about 11 years 6 months ago

Hey Eric,


If I understand, the error occurs only for users behind your pix since an upgrade to 704?

Check if the following statements are present in your pix config:

isakmp nat-traversal 20

isakmp ipsec-over-tcp port 10000

isakmp enable outside


Also the error may occur because of some missing access-list for users behind the pix.


HTH

Mike


ericgarnel Mon, 02/06/2006 - 15:38

Thanks,


I didn't have the last two lines:

isakmp ipsec-over-tcp port 10000

isakmp enable outside


I'll try it when I get back to work in the am

ericgarnel Tue, 02/07/2006 - 06:36

the isakmp enable outside did the trick

had the nat-traversal in there already

and we are using the udp transport
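As an added example that is not part of the thread, a small Python checker that reads a PIX 7.x config and reports which of the three isakmp statements from Mike's answer are missing, treating ipsec-over-tcp as a warning only because the last reply uses UDP transport. The function names, the sample config and the acceptance of the later "crypto isakmp" prefix are my assumptions, not anything from the thread.

```python
import re

# Constructed sample of a PIX 7.x running-config fragment (not from the thread).
# NAT-T is on, but "isakmp enable outside" is absent, like the original poster's box.
SAMPLE_CONFIG = """\
access-list outside_in extended permit udp any host 203.0.113.10 eq isakmp
access-list outside_in extended permit esp any host 203.0.113.10
access-list outside_in extended permit ah any host 203.0.113.10
access-group outside_in in interface outside
sysopt connection permit-ipsec
isakmp nat-traversal 20
"""

# Assumption: PIX 7.0 "isakmp ..." and the later "crypto isakmp ..." forms are equivalent.
ISAKMP_RE = re.compile(r"^(?:crypto\s+)?isakmp\s+(.*)$")


def parse_isakmp(config: str) -> dict:
    """Collect the isakmp settings relevant to NAT-T from a config text."""
    settings = {"nat_traversal": None, "ipsec_over_tcp": None, "enabled": set()}
    for raw in config.splitlines():
        m = ISAKMP_RE.match(raw.strip())
        if not m:
            continue
        args = m.group(1).split()
        if args[:1] == ["nat-traversal"]:
            # keepalive interval is optional on the command line; assumed default 20
            settings["nat_traversal"] = int(args[1]) if len(args) > 1 else 20
        elif args[:2] == ["ipsec-over-tcp", "port"] and len(args) > 2:
            settings["ipsec_over_tcp"] = int(args[2])
        elif args[:1] == ["enable"] and len(args) > 1:
            settings["enabled"].add(args[1])
    return settings


def check_nat_t(config: str, outside: str = "outside") -> list:
    """Return (level, message) findings in the order Mike's answer lists them.

    ipsec-over-tcp is only a warning: the thread's last reply uses UDP transport,
    so that statement matters only when clients are set up for TCP encapsulation.
    """
    s = parse_isakmp(config)
    findings = []
    if s["nat_traversal"] is None:
        findings.append(("error", "missing: isakmp nat-traversal 20"))
    if s["ipsec_over_tcp"] is None:
        findings.append(("warn", "missing: isakmp ipsec-over-tcp port 10000"))
    if outside not in s["enabled"]:
        findings.append(("error", f"missing: isakmp enable {outside}"))
    return findings
```

Running `check_nat_t(SAMPLE_CONFIG)` reports the missing `isakmp enable outside` as an error, the same line that resolved the original poster's problem.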
