
New Member

Client VPN can auth but not route when crossing PIX firewall

I have a PIX 515 with a dynamic VPN connection set up. All is well when I connect from home (using the Cisco VPN Client) from behind my Linksys router. When I am at another site that has a PIX as a firewall, I can auth to the remote PIX 515 but cannot access the remote LAN.

Any ideas as to what the problem might be? I assume it's something on the firewall, but I have no idea.

Any help is much appreciated.

9 REPLIES
Gold

Re: Client VPN can auth but not route when crossing PIX firewall

It looks like a NAT-traversal issue. Try the command

isakmp nat-traversal 20

on your PIX in global configuration mode.

Hope that helps

M.

New Member

Re: Client VPN can auth but not route when crossing PIX firewall

I am also facing a similar problem; the above command does not work.

New Member

Re: Client VPN can auth but not route when crossing PIX firewall

This did not fix the problem for me. Any other ideas?

New Member

Re: Client VPN can auth but not route when crossing PIX firewall

I have the same problem over the same PIX 515. I suppose the rule to allow the traffic to "bypass" must be set on the PIX that the VPN client is behind, but what kind of rule?

Thanks in advance.

New Member

Re: Client VPN can auth but not route when crossing PIX firewall

Have you initiated a clear ipsec sa or clear isakmp sa command on the PIX?

I also found this interesting doc...

http://cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a008009448c.shtml

New Member

Re: Client VPN can auth but not route when crossing PIX firewall

Also be sure the other site's firewall has open ports for the VPN client: tcp/4500, udp/500.

Gold

Re: Client VPN can auth but not route when crossing PIX firewall

Just a bit of an add-on.

The ports that need to be permitted on the PIX (the one deployed on the client end) are UDP 500 and UDP 4500.

New Member

Re: Client VPN can auth but not route when crossing PIX firewall

Thanks a lot for your help,

but it didn't work. I permitted the traffic in this way:

access-list in_access permit udp any any eq isakmp

access-list in_access permit udp any any eq 4500

access-list in_access permit tcp any any eq 4500

applied on the outside interface. The VPN connection is established, and even the RADIUS remote auth is validated, but I cannot ping or pass traffic with the IP the vpngroup assigned...

Any suggestions? Are the permitted ports correctly applied?
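A defensive configuration check for the situation in this post and the two replies about ports above (an added example, not code from any poster or from Cisco): it reads PIX 6.x-style access-list, access-group and isakmp nat-traversal lines and reports whether the ports the replies name (udp/500 for ISAKMP and udp/4500 for NAT-T) are permitted on the outside interface, whether a tcp/4500 entry is present (NAT-T encapsulates in UDP, so that entry does nothing for it), and whether NAT-T is enabled. The sample configs, the ACL names and the 192.0.2.1 address are constructed; the parser handles only the simple ACE shape shown in the post, not object groups or ranges.

```python
import re

# Ports an IPsec remote-access client needs passed by a firewall in front of it.
# Both are UDP: IKE/ISAKMP on 500 and NAT-T (UDP-encapsulated ESP) on 4500.
REQUIRED_UDP = {500: "ISAKMP/IKE", 4500: "IPsec NAT-T"}
PORT_NAMES = {"isakmp": 500}  # PIX accepts this service name for udp/500

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*)$"
)
GROUP_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<iface>\S+)$")
NAT_T_RE = re.compile(r"^isakmp\s+nat-traversal(?:\s+(?P<keepalive>\d+))?$")


def port_of(rest):
    """Destination port of an ACE's trailing 'eq <port>' clause, or None if absent."""
    m = re.search(r"\beq\s+(\S+)\s*$", rest)
    if not m:
        return None
    token = m.group(1).lower()
    return int(token) if token.isdigit() else PORT_NAMES.get(token)


def audit_vpn_client_path(config_text, iface="outside"):
    """Summarise what a PIX config fragment does for a VPN client's IKE/NAT-T traffic.

    Returns the ACL bound inbound on `iface`, which required UDP ports it permits,
    whether it also permits TCP 4500 (not used by NAT-T), the keepalive value of
    'isakmp nat-traversal' if present, and a list of human-readable findings.
    """
    aces, bound, nat_t = [], {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blank lines and PIX-style comments
        if m := ACE_RE.match(line):
            aces.append((m["name"], m["action"], m["proto"].lower(), port_of(m["rest"])))
        elif m := GROUP_RE.match(line):
            bound[m["iface"]] = m["name"]
        elif m := NAT_T_RE.match(line):
            nat_t = m["keepalive"] or "default"

    acl = bound.get(iface)
    permitted = {(proto, port) for name, action, proto, port in aces
                 if name == acl and action == "permit"}
    udp_ok = {port: ("udp", port) in permitted for port in REQUIRED_UDP}
    tcp_4500 = ("tcp", 4500) in permitted

    findings = []
    if acl is None:
        findings.append(f"no access-group binds an ACL to interface {iface}")
    for port, ok in udp_ok.items():
        if not ok:
            findings.append(f"udp/{port} ({REQUIRED_UDP[port]}) is not permitted by {acl}")
    if tcp_4500:
        findings.append("tcp/4500 is permitted but NAT-T uses udp/4500; the TCP entry is not needed")
    if nat_t is None:
        findings.append("isakmp nat-traversal is not configured (the first reply suggests it on the head-end PIX)")
    return {
        "acl_on_interface": acl,
        "udp_permitted": udp_ok,
        "tcp_4500_permitted": tcp_4500,
        "nat_traversal_keepalive": nat_t,
        "findings": findings,
    }


# Constructed sample modelled on the ACL shown in the post above (not a real device dump).
CLIENT_SIDE_PIX = """
access-list in_access permit udp any any eq isakmp
access-list in_access permit udp any any eq 4500
access-list in_access permit tcp any any eq 4500
access-group in_access in interface outside
"""

# Constructed head-end sample with NAT-T enabled but udp/4500 missing from the outside ACL.
HEAD_END_PIX = """
isakmp nat-traversal 20
access-list outside_in permit udp any host 192.0.2.1 eq isakmp
access-group outside_in in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("client-side PIX", CLIENT_SIDE_PIX), ("head-end PIX", HEAD_END_PIX)):
        result = audit_vpn_client_path(cfg)
        print(label, "->", result["findings"] or ["no findings"])
```

Run it against a saved `show running-config` fragment from each PIX in turn; the findings list is the thing to read, and the returned dictionary is easy to feed into a larger audit.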

New Member

Re: Client VPN can auth but not route when crossing PIX firewall

Just to add on, I ran a sniffer on my interface:

located behind another PIX- 0 outgoing packets

located behind a dial up - >0 outgoing packets.

Could this be due to some configurations on the client side?
