04-07-2003 06:58 AM - edited 03-09-2019 02:48 AM
This is a VPN client to PIX connection. I have this connection without NAT-T, and it's connecting without any problem. VPN Client 3.5.2 and PIX 506 ver 6.22.
Today I upgraded the PIX from ver 6.22 to 6.31 for NAT-T connections. The VPN client is only behind a PAT router. I'm able to create the connection, but no packets are passing through this tunnel.
All I did was upgrade the PIX to 6.31; are there any configuration changes I need to make for this NAT-T connection to work? Any suggestion or idea would be appreciated.
Thanks in advance
Simon
04-07-2003 08:11 PM
hi,
Make sure that every device in between (the PAT device on the client side, and the border router on the PIX side) doesn't block UDP 4500 packets.
Make sure that you are negotiating NAT-T by checking the Tunnel Port value; the client required is 3.6 or later for it to work.
Thx
Afaq
04-08-2003 09:12 AM
Hi Afaq
Thanks for your reply. Between the VPN client and the PIX there is only a PAT router, which is sitting on the same segment as the PIX, so UDP 4500 should be open.
The other thing is, if I use client 3.6.3, it seems like I'm running into that AES bug; when I look at the log, it just keeps saying "atts not acceptable". Anyway, I can still connect, but none of the traffic is able to pass through it.
All I can see is encrypted packets on the client side, no decrypts at all on the PIX side.
Any idea?
I look forward to your reply.
04-08-2003 06:21 PM
NAT-T is disabled by default in 6.3 code. To enable it, use the command:
> isakmp nat-traversal
See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/ipsecint.htm#1057446 for further details.
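As an added example (not part of the original reply), here is what the relevant PIX 6.3 lines look like once NAT-T is enabled next to an existing remote-access setup. The interface name `outside`, the 20-second keepalive interval and the assumption that a dynamic crypto map already serves the VPN client are illustrative, not taken from the thread.

```cisco
! Added example, not from the original thread. Assumes the public interface is
! named "outside" and that an existing crypto map already serves the VPN
! client; the interface name and the 20-second keepalive are assumptions.

! ISAKMP on the public interface (normally already present for the client VPN).
isakmp enable outside

! NAT traversal is off by default in PIX 6.3, so this is the missing piece.
! The optional argument is the NAT keepalive interval in seconds (10-3600,
! default 20); the keepalives keep the PAT router's UDP 4500 entry alive
! while the tunnel is idle.
isakmp nat-traversal 20

! Let decrypted IPsec traffic bypass the outside interface ACL checks.
sysopt connection permit-ipsec

! Verification after the client reconnects:
!   show isakmp sa        - the client peer's Phase 1 SA should sit in QM_IDLE
!   show crypto ipsec sa  - "#pkts decrypt" must increment; the symptom in the
!                           thread was encrypts on the client but no decrypts
!                           on the PIX
!   debug crypto isakmp   - confirm NAT-D payloads are exchanged and the peer is
!                           detected as behind NAT, i.e. NAT-T was negotiated
```

The keepalive interval only matters if the PAT device ages idle UDP translations out quickly; the default is fine for most home routers, but lower it if the tunnel drops after a few minutes of silence.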
04-09-2003 06:01 AM
Thank you so much for your reply.
I just finished testing it with my PIX; it runs perfectly. I really appreciate your help.
If you don't mind, can I just ask one more question? Same issue, but on a router instead of the PIX.
Does a router need the same command in order for NAT-T to work? I have looked for it, but can't find anything close. This router is running IOS ver 12.2(13)T, which should work according to Cisco documentation. I have already set this up and tested it, but have not had any luck with the connection. Any clue?
04-10-2003 10:33 PM
NAT-T was supposedly implemented in 12.2(13)T. I can't say I've tested it specifically, but I haven't heard that it doesn't work either :-)
Here's the command reference; there doesn't seem to be anything you need to do:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftipsnat.htm
The NAT keepalive command is probably needed, since most other devices will send them by default I believe.
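As an added example (not the poster's configuration), the IOS side of the same setup. On IOS, NAT-T is on by default, so the only optional addition is the keepalive; the inbound ACL on the WAN interface is included because an ACL that silently drops UDP 4500 is the usual reason a router behaves exactly as described. The interface name, ACL number, placeholder address 203.0.113.1 and the interval are assumptions.

```cisco
! Added example, not from the original thread. Assumes the WAN interface is
! Serial0/0 with address 203.0.113.1 (documentation placeholder) and that an
! inbound ACL 110 is applied to it; those values and the interval are assumptions.

! NAT-T (IKE and ESP encapsulated in UDP 4500) is enabled by default in
! 12.2(13)T. The line is shown so it can be checked for a "no" form in a
! running config; it does not need to be typed on a fresh router.
crypto ipsec nat-transparency udp-encapsulation

! Optional: send NAT keepalives so the client-side PAT entry for UDP 4500
! does not age out while the tunnel is idle (seconds, 5-3600).
crypto isakmp nat keepalive 20

! If the WAN interface carries an inbound ACL, it must pass IKE on UDP 500,
! NAT-T on UDP 4500 and, for peers that are not behind NAT, ESP itself.
! These entries go alongside whatever the ACL already permits.
access-list 110 permit udp any host 203.0.113.1 eq isakmp
access-list 110 permit udp any host 203.0.113.1 eq 4500
access-list 110 permit esp any host 203.0.113.1
interface Serial0/0
 ip access-group 110 in

! Verification:
!   show crypto isakmp sa  - the client peer should reach QM_IDLE
!   show crypto ipsec sa   - "#pkts decaps" / "#pkts decrypt" must increment
!   debug crypto isakmp    - look for the NAT-D payloads and for the
!                            negotiation moving from port 500 to port 4500
```

If the Phase 1 SA comes up but the counters stay at zero, the data path rather than IKE is being dropped; check the ACL counters on the WAN interface and the PAT router's translation table for a UDP 4500 entry before touching the crypto configuration.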
04-10-2003 05:35 PM
I am having the same problem. I have isakmp nat-traversal in the configuration and it still does not work for me.
Any help would be appreciated.
-Paul