nat traversal broken after upgrade to 7.04

ericgarnel
Level 7

We had NAT traversal working just fine on our PIX 515E bundle running ver 6.3.4.

Allowing ah, esp, isakmp, udp port 500 in.

NAT traversal enabled. sysopt permit-ipsec.

Users behind the PIX can establish VPN connections, but traffic does not pass. Users can establish VPN & pass traffic just fine when they are in front of the PIX. The users connect to various VPN devices that we have no control over or access to.

Accepted Solution

mpalardy
Level 3

Hey Eric,

If I understand correctly, the error occurs only for users behind your PIX since the upgrade to 7.04?

Check if the following statements are present in your pix config:

isakmp nat-traversal 20

isakmp ipsec-over-tcp port 10000

isakmp enable outside

Also, the error may occur because of a missing access-list for users behind the PIX.

HTH

Mike


Thanks,

I didn't have the last two lines:

isakmp ipsec-over-tcp port 10000

isakmp enable outside

I'll try it when I get back to work in the morning.

The isakmp enable outside did the trick.

I already had the nat-traversal in there,

and we are using the UDP transport.
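The accepted answer lists three isakmp statements to confirm, and the final reply reports that only isakmp enable outside was missing while the clients use the UDP transport. The audit below, an added example that is not code from the original thread or from Cisco, checks a saved PIX 7.x running-config for those three statements and reports which absences actually matter for the transport in use (isakmp ipsec-over-tcp is only relevant to clients using IPsec over TCP). The two sample configs are constructed to mirror what the poster described, not copied from the original firewall; the ACL and access-group lines in them are an assumption about the poster's layout, and the optional "crypto " prefix in the patterns is there because later ASA releases print the same commands as "crypto isakmp ...".

```python
"""Audit a PIX 7.x running-config for the isakmp statements named in the
accepted answer. Added example, not code from the original thread; the
two sample configs are constructed to mirror what the poster described."""
import re

# Statements the accepted answer asks to confirm. An optional "crypto "
# prefix is accepted because later ASA releases print "crypto isakmp ...".
ISAKMP_CHECKS = {
    "isakmp enable outside":      re.compile(r"^(crypto )?isakmp enable outside$"),
    "isakmp nat-traversal":       re.compile(r"^(crypto )?isakmp nat-traversal( \d+)?$"),
    "isakmp ipsec-over-tcp port": re.compile(r"^(crypto )?isakmp ipsec-over-tcp port( \d+)+$"),
}

# ipsec-over-tcp only matters when clients use the TCP transport; the
# original poster confirmed the UDP transport, so with transport="udp"
# its absence is reported by audit_isakmp() but is not a blocker.
TCP_ONLY = {"isakmp ipsec-over-tcp port"}


def normalize(config):
    """Yield config lines with blanks, comments and repeated spaces removed."""
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if not line or line[0] in "!:":
            continue
        yield line


def audit_isakmp(config):
    """Map each checked statement to True/False for its presence in config."""
    lines = list(normalize(config))
    return {name: any(pat.match(l) for l in lines)
            for name, pat in ISAKMP_CHECKS.items()}


def blocking_gaps(config, transport="udp"):
    """Statements that are absent and that matter for the given client transport."""
    gaps = []
    for name, present in audit_isakmp(config).items():
        if present:
            continue
        if transport == "udp" and name in TCP_ONLY:
            continue
        gaps.append(name)
    return gaps


# Constructed sample (hypothetical config): the state the question describes
# after the upgrade, nat-traversal present but isakmp not enabled on outside.
BEFORE = """\
: Saved
PIX Version 7.0(4)
hostname pix515e
access-list outside_in extended permit udp any any eq isakmp
access-list outside_in extended permit esp any any
access-list outside_in extended permit ah any any
access-group outside_in in interface outside
isakmp nat-traversal 20
sysopt connection permit-ipsec
"""

# Constructed sample: the same config after adding the line the original
# poster reported as the fix.
AFTER = BEFORE + "isakmp enable outside\n"

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "gaps with UDP clients:", blocking_gaps(cfg))
        print(label, "gaps with TCP clients:", blocking_gaps(cfg, "tcp"))
```

Run against a copy of "show running-config" output; a non-empty list from blocking_gaps() names the statements to add, and the transport argument keeps an unused ipsec-over-tcp line from being flagged as the cause when, as in this thread, the clients never use it.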