Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX501 at Home

I have cisco vpn client loaded onto my laptop which allows me to connect to my office LAN from any location. This works fine and enalbes me to access Exchange server and other LAN resources. However, if I try to connect from home to my office LAN using the vpn client I have problems. The vpn client connects ok and authenticates but I cannot access Exchange server or any other resources. Ping does not work either. At home I have a PIX501 connected to a cable modem. Internet access from home LAN works fine. Any help greatly received.

10 REPLIES
New Member

Re: PIX501 at Home

I would check your ACLs on your PIX. Do you have split tunnel configured? Sounds like an issue with the splitTunnel ACLs.

Re: PIX501 at Home

2.) Try : fixup protocol esp-ike on the home PIX 501.

2.) Could be a NAT Traversal issue.

Note that NAT Traversal is configured on the VPN Server not at home.

isakmp nat-traversal 20

Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.

The firewall supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps. NAT traversal is disabled by default on the firewall.

To enable NAT traversal, check that ISAKMP is enabled (you can enable it with the isakmp enable if_name command) and then use the isakmp nat-traversal [natkeepalive] command. (This command appears in the configuration if both ISAKMP is enabled and NAT traversal is enabled.) If you have enabled NAT traversal, you can disable it with the no isakmp nat-traversal command. Valid values for natkeepalive are from 10 to 3600 seconds. The default is 20 seconds.

See: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1027312

sincerely

Patrick

New Member

Re: PIX501 at Home

I have exactly the same problem with my pix501. fixup esp-ike is on. nat traversal is on my pix, I will check to see if it is on the company's ASA. But, the interesting thing is - I also have Motorola router/firewall at home where I can just put a check mark in IPSEC VPN passthrough and same PC with Cisco VPN client works fine: terminates the VPN tunnel and I can ping and access everything on company LAN. PIX501 is on 6.3(5).

New Member

Re: PIX501 at Home

I just modified my Cisco VPN client to use IPSEC over UDP and now everything is working.

New Member

Re: PIX501 at Home

Thanks for your reply. My client is already set to use UDP

New Member

Re: PIX501 at Home

I have stripped out nearly all ACLs. I am not using Split Tunnel.!!

New Member

Re: PIX501 at Home

Hello,

Can you post the contents of the log window from the VPN client?

If the client connects fully and transmits traffic across the tunnel but no traffic flows back from the far end of the tunnel then it would be a config problem at the remote end.

Check the status, statistics window, that will show if traffic is flowing in both directions.

HTH.

New Member

Re: PIX501 at Home

Hi Andy

There is no traffic flowing back. The statistics show lots of traffic sent by none received. I know you say that the problem could at the remote end (ie: Office LAN)but the strange thing is that the VPN client works from pretty much anywhere else I go except home.

New Member

Re: PIX501 at Home

Hello,

In that case it could be the PIX blocking the return traffic. Do you have any inspection groups set on the PIX?

If you do not already have the following commands can you add them please and then try again.

same-security-traffic permit inter-interface

sysopt connection permit-ipsec

They will allow inter-interface traffic and mark all ipsec traffic as trusted. This allows it to bypass any access-lists and be dealt with by the crypto engine. If it doesn't match it is dropped.

HTH.

New Member

Re: PIX501 at Home

Hi Andy

Tried adding the above commands. The "same-security-traffic permit inter-interface" command wasn't accepted.

The sysopt command was accepted but still get no traffic received

162
Views
0
Helpful
10
Replies