Cisco Client behind Linksys(NAT) Connecting to PIX

stownsend
Level 2

I'm sure it's here somewhere, though I can't seem to find exactly what I'm looking for.

I know I've seen posts here and on the net that people are using the Cisco VPN Client behind a NAT device (LinkSys) to connect to a PIX via IPSec.

I only need one client behind the LinkSys. Can I set up the Port Triggers/Filters, etc. to allow this to work?

Thanks,

Scott<-

5 Replies

gfullage
Cisco Employee

The LinkSys should support IPSec passthrough, at least it does in later firmware versions. Browse into the GUI and have a look around, you should be able to find it, check the box and see if that helps (I've also seen instances where unchecking the box made it work, don't ask me why, it just did, so if it's already checked, try unchecking it).

If NAT is truly the problem, then that will usually manifest itself in that you'll be able to build the VPN tunnel successfully (this is all UDP 500 traffic that can be NAT'd OK), but then you won't be able to pass any traffic (this is all ESP, which a lot of devices can't NAT). If your symptoms are something else, then your problem may be something else.

I'm familiar with the "IPSec pass through" option. I've enabled it and disabled it with no luck. If I take out the LinkSys, the Client connects just fine. I can create a PPTP connection to the PIX no problem. If I disable PPTP passthrough the connection fails.

I'm using the Cisco VPN Client v3.6.1. I've tried its options for NAT or no NAT on UDP, no luck. I have not tried IPSec with TCP for NAT; I don't know what TCP port to use. Though I think that's something specifically for the 300x concentrators.

Is there something on the PIX that we need to configure? I know it needs to have esp and not AH.

Our PIX is set up with the following:

crypto ipsec transform-set vpnclient_set esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnclient_set
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

Any Assistance would be appreciated!

Thanks!

Scott<-

IPSec over UDP and TCP is only supported when connecting to a VPN3000 concentrator, so they won't do anything for your PIX connections.

Basically if it works when you take out the LinkSys, then the LinkSys is the problem. The config on the PIX you provided looks fine, and there's nothing you can configure on the PIX itself that will make this work.

So, playing around with my LinkSys BEFSR41 at home, I updated the firmware and tried it again.

After turning off IPSec Passthrough I'm able to make a connection with the PIX and the PIX gives me an IP address in the range I expect. Though I can't talk to anything in the private network.

Do I need to include the WAN IP address of the LinkSys in one of my access lists? Or do I only need the IP address that it assigned to me in the access list? The latter is already there.

When I do a "sh ipsec sa" I get the following:

interface: outside
Crypto map tag: my_cry_map, local addr.
local ident (addr/mask/prot/port): (/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.200.0.1/255.255.255.255/0/0)
current_peer:
dynamic allocated peer ip: 10.200.0.1 <-- ASSIGNED IP ADDRESS
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: , remote crypto endpt.:
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: f4f5cf7a
inbound esp sas:
spi: 0x4a4c940c(1246532620)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: my_cry_map
sa timing: remaining key lifetime (k/sec): (4608000/3090)
IV size: 8 bytes
replay detection support: Y
<...snip..>
outbound pcp sas:
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.200.0.1/255.255.255.255/0/0)
current_peer:
dynamic allocated peer ip: 10.200.0.1 <--ASSIGNED IP ADDRESS TO CLIENT
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: , remote crypto endpt.:
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 784181d3
inbound esp sas:
spi: 0x90065ac(151020972)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: my_cry_map
sa timing: remaining key lifetime (k/sec): (4608000/2879)
IV size: 8 bytes
replay detection support: Y

I'm close!!! I can taste it!

Thanks,

Scott<-
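The all-zero encaps/decaps counters in the output above are exactly the symptom gfullage described earlier in the thread: ISAKMP over UDP 500 crossed the NAT device, so the SA exists, but no ESP (IP protocol 50) is flowing in either direction. The following Python script is an added example, not code from this thread or from Cisco. It parses PIX "show ipsec sa" output and classifies each SA by its counters; the sample output it carries is constructed to mirror the quoted format (RFC 5737 documentation addresses, and a second, invented SA showing a healthy tunnel), and the function names parse_ipsec_sa, diagnose and report are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the 'sh ipsec sa' output quoted in the thread.
# Addresses are RFC 5737 documentation ranges; the second SA is invented to show
# what a working tunnel looks like next to the stalled one.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: my_cry_map, local addr. 192.0.2.10

   local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.200.0.1/255.255.255.255/0/0)
   current_peer: 198.51.100.7
     dynamic allocated peer ip: 10.200.0.1
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
     current outbound spi: f4f5cf7a
     inbound esp sas:
      spi: 0x4a4c940c(1246532620)

   local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.200.0.2/255.255.255.255/0/0)
   current_peer: 203.0.113.5
     dynamic allocated peer ip: 10.200.0.2
     PERMIT, flags={}
    #pkts encaps: 1432, #pkts encrypt: 1432, #pkts digest 1432
    #pkts decaps: 1398, #pkts decrypt: 1398, #pkts verify 1398
    #send errors 0, #recv errors 0
     current outbound spi: 784181d3
     inbound esp sas:
      spi: 0x90065ac(151020972)
"""


@dataclass
class IpsecSa:
    remote_ident: str
    assigned_ip: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int
    inbound_spi: Optional[str]  # None when no phase 2 ESP SA exists


def _counter(label: str, chunk: str) -> int:
    """Read a counter such as '#pkts encaps: 0' or '#send errors 0' (colon optional)."""
    m = re.search(re.escape(label) + r":?\s*(\d+)", chunk)
    return int(m.group(1)) if m else 0


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """Split the output into one chunk per 'local ident' entry and extract the fields."""
    sas: List[IpsecSa] = []
    for chunk in re.split(r"(?=^[ \t]*local ident )", text, flags=re.MULTILINE):
        if "local ident" not in chunk:
            continue  # interface / crypto-map header, not an SA entry
        remote = re.search(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)", chunk)
        assigned = re.search(r"dynamic allocated peer ip: (\S+)", chunk)
        spi = re.search(r"inbound esp sas:\s+spi: (0x[0-9a-fA-F]+)", chunk)
        sas.append(IpsecSa(
            remote_ident=remote.group(1) if remote else "",
            assigned_ip=assigned.group(1) if assigned else "",
            encaps=_counter("#pkts encaps", chunk),
            decaps=_counter("#pkts decaps", chunk),
            send_errors=_counter("#send errors", chunk),
            recv_errors=_counter("#recv errors", chunk),
            inbound_spi=spi.group(1) if spi else None,
        ))
    return sas


def diagnose(sa: IpsecSa) -> str:
    """Map the counters onto the failure modes discussed in the thread."""
    if sa.inbound_spi is None:
        return "no ESP SA negotiated: phase 2 never completed"
    if sa.encaps == 0 and sa.decaps == 0:
        return ("SA up but no ESP in either direction: ISAKMP (UDP 500) crossed the NAT "
                "but ESP (IP protocol 50) is not; check passthrough or use NAT traversal")
    if sa.decaps == 0:
        return "PIX sends ESP but receives none: inbound ESP is dropped or mistranslated on the path"
    if sa.encaps == 0:
        return "PIX receives ESP but sends none: check the crypto ACL and the route to the assigned address"
    return "traffic flowing in both directions"


def report(text: str) -> List[Tuple[str, str]]:
    """(assigned client IP, diagnosis) for every SA in the output."""
    return [(sa.assigned_ip, diagnose(sa)) for sa in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for ip, verdict in report(SAMPLE_OUTPUT):
        print(f"{ip}: {verdict}")
```

Run it against a pasted "show ipsec sa" capture instead of SAMPLE_OUTPUT; a client whose SA sits at zero in both directions while the ISAKMP SA is up is the NAT-can't-carry-ESP case from the thread, whereas asymmetric counters point at a one-way drop or a crypto ACL/routing problem on the PIX side.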

Just wanted to write a quick note of thanks to you guys. I was banging my head against a wall, trying to VPN with my Cisco client through a Linksys router.

After turning off SPI on the router, I was able to connect but could not access any of my company's network. I went back to the client and turned on NAT translation, and it all worked great! I do not have any port forwarding/triggering or DMZ options set in my router.

Without you guys, I would never have guessed that I needed to turn off SPI.

Thanks again :)
