Cisco Support Community
Community Member

VPN client behind PIX

I have a problem with a VPN client sitting inside a PIX 525 7.2(2). I can connect to the destination concentrator but cannot ping any resources (tested and works fine through little ADSL SOHO kit). After searching here, I added isakmp nat-traversal 20 to the config plus a NAT exemption. I now see clean UDP and TCP traffic in the syslog for this host but I still get no replies... Any help much appreciated as I'm losing hair on this one...

1 ACCEPTED SOLUTION

Re: VPN client behind PIX

"The key here is to look at the configuration on the VPN concentrator. You need to set up NAT-T on the VPN concentrator, as follows:

Configuration | Tunneling and Security | IPSec | NAT Transparency

There is a check box for "IPSec over NAT-T". Check that box and it will work."

That's correct. I understood just the opposite at my first fast look at the question, that's why I rejected to not to NAT-T at PIX side.

"Cisco VPN client does not use PPTP protocol"

That's correct too, but I didn't see any statement about Cisco VPN client, that's why I suggested it. But if I recall correctly, the client shouldn't have been able to establish a connection if it was a PPTP client, without the fixup protocol I mention. So most probably it is Cisco VPN client.

Setting NAT-T at concentrator will resolve the issue as you mentioned.

Brian, if still no joy after setting NAT-T in concentrator, we need the config of concentrator.

9 REPLIES

Re: VPN client behind PIX

Hi Brian,

Please attach your sanitized config

Regards

Silver

Re: VPN client behind PIX

You need to enable NAT-T on the VPN concentrator. You do not need NAT-T on the Pix.

Re: VPN client behind PIX

Edited... Misunderstood the issue

Silver

Re: VPN client behind PIX

It is working for me as we speak.

Re: VPN client behind PIX

You are right m8, I misunderstood the issue :)

Brian, issue the following command in PIX config

fixup protocol pptp 1723

Regards

Silver

Re: VPN client behind PIX

Cisco VPN client does not use PPTP protocol.

I do not think you need that.

The key here is to look at the configuration on the VPN concentrator. You need to set up NAT-T on the VPN concentrator, as follows:

Configuration | Tunneling and Security | IPSec | NAT Transparency

There is a check box for "IPSec over NAT-T". Check that box and it will work.

Community Member

Re: VPN client behind PIX

Thanks folks, I've asked the other side but there is change control to get through before I can test... I'll keep this updated.
