Cisco VPN client can't connect from behind PIX

tato386
Level 6

I have two PIX firewalls that are setup identically but are running different versions of the PIX OS. The one running 6.2 allows PCs running the Cisco VPN client to connect to VPN servers outside of the PIX. The other is running 6.3 and does not allow PCs to connect. If my NAT and ACLs statements are basically the same (only real difference is the IPs used) what else can be causing this? How can I troubleshoot?

Thanks,

Diego

3 Replies

gfullage
Cisco Employee

Try "fixup protocol esp-ike" on the one that doesn't work, although keep in mind this will only allow one internal client to establish a VPN outbound.

Are these two sets of users connecting to the same external server? If not, then it is more likely that the connection that is working is working over NAT-T, or some form of UDP/TCP encapsulation of the IPSec packets. Note that the PIX cannot properly NAT the IPSec packets that go through as they're not TCP or UDP based. NAT-T encapsulates the IPSec packets between the client and server in UDP packets that can then be NAT'd correctly by the PIX.

Enabling NAT-T is a function of the client and server configuration though, nothing you can do about it on the PIX per se.

Is it possible for a non-cisco vpn client to connect thru a PIX 501?

I have the same issue but with Watchguard's MUVPN (Mobile User VPN).

Could this be fixed by a simple access-list?

Any help with this would be great!

Thanks

I think MUVPN is an IPsec client so it uses ESP and UDP 500 like the Cisco client. For NAT-T Cisco uses TCP 10,000 and UDP 4500 - I don't know what MUVPN uses.

Try an ACL for debug to find the extra ports, something like:

access-list [inside ACL name] permit ip host [YOUR_IP] host [VPN_SERVER_IP] log

and watch the log for "106100" messages.
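The "log" ACL approach above produces one %PIX-6-106100 syslog line per matching flow. The following is an added example (not code from the thread or from Cisco) that parses a batch of such lines, totals what protocols and ports a given inside host actually uses toward the VPN server, and flags the port-less ESP flows that a PIX doing PAT cannot multiplex, which is the "only one internal client" caveat from the first reply. The log lines are constructed samples in the 106100 format; the ACL name, hosts and the set of well-known IPsec ports (UDP 500, UDP 4500, TCP 10000) are assumptions taken from the thread, not observed values.

```python
import re
from collections import defaultdict

# Field layout of a PIX/ASA 106100 message:
# %PIX-6-106100: access-list <acl> <permitted|denied> <proto> <if>/<src>(<sport>) -> <if>/<dst>(<dport>) hit-cnt <n> ...
LOG_RE = re.compile(
    r"%PIX-6-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src_if>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

# Labels for the IPsec-related (protocol, destination port) pairs named in the thread.
# ESP (IP protocol 50) has no port numbers, so its key uses None.
KNOWN = {
    ("udp", 500): "IKE (ISAKMP)",
    ("udp", 4500): "NAT-T (IPsec over UDP)",
    ("tcp", 10000): "Cisco IPsec over TCP",
    ("esp", None): "ESP (IP protocol 50, no ports)",
}

# Constructed sample log lines (assumption: this is what the debug ACL would log; not real output).
SAMPLE_LOG = """\
%PIX-6-106100: access-list inside_acl permitted udp inside/192.168.1.10(500) -> outside/203.0.113.5(500) hit-cnt 1 (first hit)
%PIX-6-106100: access-list inside_acl permitted udp inside/192.168.1.10(4500) -> outside/203.0.113.5(4500) hit-cnt 12 (300-second interval)
%PIX-6-106100: access-list inside_acl permitted esp inside/192.168.1.11(0) -> outside/203.0.113.5(0) hit-cnt 40 (300-second interval)
%PIX-6-106100: access-list inside_acl permitted esp inside/192.168.1.12(0) -> outside/203.0.113.5(0) hit-cnt 7 (first hit)
%PIX-6-106100: access-list inside_acl permitted tcp inside/192.168.1.10(1043) -> outside/203.0.113.5(10000) hit-cnt 3 (first hit)
%PIX-6-106100: access-list inside_acl permitted tcp inside/192.168.1.10(1044) -> outside/203.0.113.5(443) hit-cnt 2 (first hit)
%PIX-6-106100: access-list inside_acl denied udp inside/192.168.1.10(1900) -> outside/203.0.113.5(1900) hit-cnt 1 (first hit)
"""


def parse_106100(text):
    """Turn 106100 lines into flow records; non-matching lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        proto = d["proto"].lower()
        has_ports = proto in ("tcp", "udp")  # only these carry L4 ports PAT can rewrite
        flows.append({
            "action": d["action"],
            "proto": proto,
            "src": d["src"],
            "sport": int(d["sport"]) if has_ports else None,
            "dst": d["dst"],
            "dport": int(d["dport"]) if has_ports else None,
            "hits": int(d["hits"]),
            "pat_ok": has_ports,
        })
    return flows


def summarize(flows, vpn_server):
    """Aggregate permitted flows to vpn_server by (proto, dport): hit totals, which inside hosts, and a label."""
    summary = {}
    for f in flows:
        if f["dst"] != vpn_server or f["action"] != "permitted":
            continue
        key = (f["proto"], f["dport"])
        entry = summary.setdefault(key, {
            "hits": 0, "clients": set(), "pat_ok": f["pat_ok"], "label": KNOWN.get(key, "unknown"),
        })
        entry["hits"] += f["hits"]
        entry["clients"].add(f["src"])
    return summary


def pat_collisions(flows):
    """Destinations where more than one inside host sends a port-less protocol (e.g. ESP).

    With a single outside address the PIX can only PAT one such host per destination at a
    time, so a second ESP client behind the same PIX will fail unless NAT-T is used.
    """
    by_dst = defaultdict(set)
    for f in flows:
        if f["action"] == "permitted" and not f["pat_ok"]:
            by_dst[(f["proto"], f["dst"])].add(f["src"])
    return {k: sorted(v) for k, v in by_dst.items() if len(v) > 1}


if __name__ == "__main__":
    flows = parse_106100(SAMPLE_LOG)
    for (proto, dport), e in sorted(summarize(flows, "203.0.113.5").items(), key=str):
        port = dport if dport is not None else "-"
        print(f"{proto:4} {port:>6} hits={e['hits']:4} clients={len(e['clients'])} "
              f"pat_ok={e['pat_ok']} {e['label']}")
    for (proto, dst), hosts in pat_collisions(flows).items():
        print(f"PAT collision: {len(hosts)} inside hosts send {proto} to {dst}: {', '.join(hosts)}")
```

Feed it the output of `show logging` (or the syslog server's file) in place of SAMPLE_LOG; the (proto, dport) keys marked "unknown" are the extra ports the reply is asking you to find, and any entry with pat_ok=False is traffic the PIX can only pass for one inside host at a time.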
