11-25-2002 03:02 PM - edited 02-20-2020 10:23 PM
I'm sure it's here somewhere, though I can't seem to find exactly what I'm looking for.
I know I've seen posts here and on the net that people are using the Cisco VPN Client behind a NAT device (LinkSys) to connect to a PIX via IPSec.
I only need one client behind the LinkSys. Can I set up the Port Triggers/Filters, etc. to allow this to work?
Thanks,
Scott
11-25-2002 05:24 PM
The LinkSys should support IPSec passthrough, at least it does in later firmware versions. Browse into the GUI and have a look around, you should be able to find it, check the box and see if that helps (I've also seen instances where unchecking the box made it work, don't ask me why, it just did, so if it's already checked, try unchecking it).
If NAT is truly the problem, then that will usually manifest itself in that you'll be able to build the VPN tunnel successfully (this is all UDP 500 traffic that can be NAT'd OK), but then you won't be able to pass any traffic (this is all ESP, which a lot of devices can't NAT). If your symptoms are something else, then your problem may be something else.
11-25-2002 05:38 PM
I'm familiar with the 'IPSec pass through' option. I've enabled it, disabled it with no luck. If I take out the LinkSys, the Client connects just fine. I can create a PPTP connection to the PIX no problem. If I disable PPTP passthrough the connection fails.
I'm using the Cisco VPN Client v3.6.1. I've tried its options for NAT or no NAT on UDP, no luck. I have not tried IPSec with TCP for NAT. I don't know what TCP port to use. Though I think that's something specifically for the 300x concentrators.
Is there something on the PIX that we need to configure? I know it needs to have esp and not AH.
Our PIX is setup with the following:
crypto ipsec transform-set vpnclient_set esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnclient_set
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
Any assistance would be appreciated!
Thanks!
Scott
11-25-2002 05:44 PM
IPSec over UDP and TCP is only supported when connecting to a VPN3000 concentrator, so they won't do anything for your PIX connections.
Basically if it works when you take out the LinkSys, then the LinkSys is the problem. The config on the PIX you provided looks fine, and there's nothing you can configure on the PIX itself that will make this work.
11-25-2002 09:19 PM
So playing around with my LinkSys BEFSR41 at home. I updated the firmware and tried it again.
After turning off IPSec Passthrough I'm able to make a connection with the PIX, and the PIX gives me an IP address in the range I expect. Though I can't talk to anything in the private network.
Do I need to include the WAN IP address of the LinkSys in one of my access lists? Or do I only need the IP address that it assigned to me in the access list? The latter is already there.
When I do a 'sh ipsec sa' I get the following:
interface: outside
Crypto map tag: my_cry_map, local addr.
local ident (addr/mask/prot/port): (
remote ident (addr/mask/prot/port): (10.200.0.1/255.255.255.255/0/0)
current_peer:
dynamic allocated peer ip: 10.200.0.1 <-- ASSIGNED IP ADDRESS
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.:
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: f4f5cf7a
inbound esp sas:
spi: 0x4a4c940c(1246532620)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: my_cry_map
sa timing: remaining key lifetime (k/sec): (4608000/3090)
IV size: 8 bytes
replay detection support: Y
<...snip..>
outbound pcp sas:
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.200.0.1/255.255.255.255/0/0)
current_peer:
dynamic allocated peer ip: 10.200.0.1 <--ASSIGNED IP ADDRESS TO CLIENT
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.:
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 784181d3
inbound esp sas:
spi: 0x90065ac(151020972)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: my_cry_map
sa timing: remaining key lifetime (k/sec): (4608000/2879)
IV size: 8 bytes
replay detection support: Y
I'm close!!! I can taste it!
Thanks,
Scott
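As an added example (not from the thread or from Cisco), a small Python script that parses the counters of the 'sh ipsec sa' output quoted above and flags the pattern the earlier reply describes: an SA that negotiated (IKE over UDP 500 survived the NAT) but shows zero encaps/decaps because ESP is not getting through. The sample output is constructed; only the assigned address 10.200.0.1 and the all-zero counters come from the post, the second SA and its numbers are made up for contrast.

```python
import re

# Constructed sample output: the first SA reuses the all-zero counters and the
# assigned address (10.200.0.1) from the post; the second SA is a made-up healthy one.
SAMPLE_SHOW_IPSEC_SA = """\
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.200.0.1/255.255.255.255/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 0, #recv errors 0
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.200.0.2/255.255.255.255/0/0)
#pkts encaps: 1240, #pkts encrypt: 1240, #pkts digest 1240
#pkts decaps: 1198, #pkts decrypt: 1198, #pkts verify 1198
#send errors 0, #recv errors 3
"""

PEER_RE = re.compile(r"remote ident.*: \(([\d.]+)/")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
ERRORS_RE = re.compile(r"#send errors\s*(\d+),\s*#recv errors\s*(\d+)")

def parse_ipsec_sas(text):
    """Return one dict per SA; each SA block starts at a 'local ident' line."""
    sas = []
    for block in re.split(r"(?m)^local ident", text)[1:]:
        send, recv = ERRORS_RE.search(block).groups()
        sas.append({
            "peer": PEER_RE.search(block).group(1),
            "encaps": int(ENCAPS_RE.search(block).group(1)),  # PIX -> client
            "decaps": int(DECAPS_RE.search(block).group(1)),  # client -> PIX
            "send_errors": int(send),
            "recv_errors": int(recv),
        })
    return sas

def diagnose(sa):
    """Classify an SA by its counters, following the reply's reasoning:
    IKE (UDP 500) survives NAT, ESP often does not."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "no-esp-traffic"    # tunnel built, nothing ever flowed: check NAT/passthrough
    if sa["decaps"] == 0:
        return "inbound-esp-lost"  # PIX encrypts toward the client, nothing comes back
    if sa["encaps"] == 0:
        return "outbound-esp-lost"
    return "healthy"
```

Run it against the real output of 'sh ipsec sa' by reading the text from a file instead of the constructed sample; the regexes only depend on the counter lines, so the snipped fields in the post do not matter.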
01-18-2003 07:50 AM
Just wanted to write a quick note of thanks to you guys. I was banging my head against a wall, trying to VPN with my Cisco client through a Linksys router.
After turning off SPI on the router, I was able to connect but could not access any of my company's network. I went back to the client and turned on NAT translation, and it all worked great! I do not have any port forwarding/triggering or DMZ options set in my router.
Without you guys, I would never have guessed that I needed to turn off SPI.
Thanks again :)