Cisco Support Community

New Member

Can't ping remote side in vpn tunnel through a pix 501

Hello All,

I have a PIX 501 v 6.3(5), connected to my DSL router. When I connect my Netgear "Safenet" VPN client to my endpoint (Dlink 808HV) I can't ping anything on the other side. I have VPN passthru enabled for IPSEC & L2TP. When I disconnect the PIX from the DSL router, and connect the DSL router to my PC then connect the VPN client, all is well. All other PIX functions work fine. I have internet access thru it, and I have a VPN endpoint set up on it that I can connect to with the Netgear VPN client. It just seems to be giving me grief when trying to do something as simple as passing IPSEC thru it to a VPN endpoint.

Attached is a clean ver of my config

Any ideas / critiques are appreciated.

6 REPLIES
jim
New Member

Re: Can't ping remote side in vpn tunnel through a pix 501

I didn't think you could ping the inside address through a tunnel unless you sourced it outside the other end and back..

--

Sorry, I read this wrong the first time. I'm looking at your config now.

jim
New Member

Re: Can't ping remote side in vpn tunnel through a pix 501

We ran into the same issue with the Nortel VPN client behind a 506 PIX at a remote office site. What we saw on sniffer traces is the GRE packets were not able to come back through the PIX even with the fixup command turned on.

Sorry, I don't have an answer to this question as we didn't find one either.

New Member

Re: Can't ping remote side in vpn tunnel through a pix 501

Thanks for your time. I posted additional information from a syslog that I looked at. It seems once I connect, and try to ping the remote side, I get this in my syslog:

12-14-2006 09:14:07 Local4.Error 192.168.2.1 Dec 14 2006 09:14:07: %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:192.168.2.10 dst outside:151.196.142.92

12-14-2006 09:14:06 Local4.Error 192.168.2.1 Dec 14 2006 09:14:06: %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:192.168.2.10 dst outside:151.196.142.92

12-14-2006 09:14:05 Local4.Error 192.168.2.1 Dec 14 2006 09:14:05: %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:192.168.2.10 dst outside:151.196.142.92

12-14-2006 09:14:04 Local4.Error 192.168.2.1 Dec 14 2006 09:14:04: %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:192.168.2.10 dst outside:151.196.142.92

Can you enlighten me on what this message means?

Thanks for any ideas.

Re: Can't ping remote side in vpn tunnel through a pix 501

Hi, this is because your client is using a private IP address which will be NATed out using the public IP address allocated to your PIX by your service provider. Basically IPsec conflicts with NAT, and here is where a feature known as NAT-Traversal comes into place .. basically you need to find out whether the SafeNet client supports NAT-traversal and then you need to open the respective ports in both directions on your PIX. For example, the Cisco VPN client uses UDP 4500 for NAT-traversal, and so opening this port in both directions will allow an inside host to connect to a public VPN server using the Cisco VPN client.

NOTE: you might also need to open UDP 500 in both ways for the first stage of the tunnel creation

I hope it helps .. please rate it if it does !!!..
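An added example, not part of any post in this thread: a small Python parser for `%PIX-3-305006` lines in the format quoted above. It groups the failures by flow and flags IP protocol 50 (ESP), the case the reply above attributes to IPsec passing through NAT without NAT-Traversal. The sample lines, the documentation-range addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# IP protocols with no TCP/UDP ports, so port address translation (PAT)
# has no port field to rewrite. 47 = GRE, 50 = ESP, 51 = AH.
PORTLESS = {47: "GRE", 50: "ESP", 51: "AH"}

PAT_FAIL = re.compile(
    r"%PIX-3-305006: portmap translation creation failed for protocol (\d+) "
    r"src (\w+):(\S+) dst (\w+):(\S+)"
)

# Constructed sample lines (not taken from the thread), same layout as the posts.
_T = ("12-14-2006 09:14:0{s} Local4.Error 192.0.2.1 Dec 14 2006 09:14:0{s}: "
      "%PIX-3-305006: portmap translation creation failed for protocol {p} "
      "src inside:192.0.2.10 dst outside:{d}")
SAMPLE = "\n".join([
    _T.format(s=4, p=50, d="198.51.100.92"),
    _T.format(s=5, p=50, d="198.51.100.92"),
    _T.format(s=6, p=50, d="198.51.100.92"),
    _T.format(s=7, p=47, d="203.0.113.7"),
    "12-14-2006 09:14:08 Local4.Info 192.0.2.1 unrelated line (constructed)",
])

def summarize(log_text):
    """Count 305006 failures per (protocol number, source host, destination host)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = PAT_FAIL.search(line)
        if m:
            hits[(int(m.group(1)), m.group(3), m.group(5))] += 1
    return hits

def findings(hits):
    """One record per flow; raw ESP is flagged as a NAT-T candidate."""
    out = []
    for (proto, src, dst), count in sorted(hits.items()):
        out.append({
            "protocol": PORTLESS.get(proto, str(proto)),
            "src": src, "dst": dst, "count": count,
            "portless": proto in PORTLESS,
            # Raw ESP behind PAT: check that NAT-T (ESP inside UDP) was negotiated.
            "check_nat_t": proto == 50,
        })
    return out

if __name__ == "__main__":
    for record in findings(summarize(SAMPLE)):
        print(record)
```

Repeated ESP records for the same peer mean the client is still sending raw protocol 50 rather than UDP-encapsulated traffic.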

New Member

Re: Can't ping remote side in vpn tunnel through a pix 501

Thanks for your time & thoughts. The Netgear "SafeNet" SoftRemote client does support NAT-T. The DLINK 808HV VPN endpoint supports NAT-T. I will have to find out what ports are used. I do get the Netgear client to connect to the DLINK 808HV thru the PIX. I just can't ping any device on the remote side. Additionally, I have discovered in my syslog files that when I connect, and try to ping, I get the message:

12-14-2006 09:14:07 Local4.Error 192.168.2.1 Dec 14 2006 09:14:07: %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:192.168.2.10 dst outside:151.198.142.92

12-14-2006 09:14:06 Local4.Error 192.168.2.1 Dec 14 2006 09:14:06: %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:192.168.2.10 dst outside:151.196.142.92

12-14-2006 09:14:05 Local4.Error 192.168.2.1 Dec 14 2006 09:14:05: %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:192.168.2.10 dst outside:151.196.142.92

12-14-2006 09:14:04 Local4.Error 192.168.2.1 Dec 14 2006 09:14:04: %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:192.168.2.10 dst outside:151.196.142.92

Can you enlighten me on what this error means?

Thanks for your assistance.

New Member

Re: Can't ping remote side in vpn tunnel through a pix 501

My apologies guys, my mind is warping: the syslog error message internal IP address is 192.169.2.? not 192.168.2.?

I know this is an incorrect IP for an internal NATed LAN; I am changing it soon.

Thanks
