Odd VPN Tunnel Issue

asheedy
Level 1

Has anyone seen this kind of behavior: Sitting at home, I connect to a PIX 501 running 6.3 with VPN client 4.0.5. The VPN client connects, I authenticate successfully and am connected. I can then communicate with hosts on the inside network on the other side of the tunnel with RDP or telnet. However, when I arrive at another location (the office of one of my clients), I launch the VPN client, can authenticate and connect to the same PIX with the VPN client. However, I cannot pass any traffic across the tunnel to the network I was able to successfully communicate with at home. I checked the routes on my PC and they look fine. Any ideas? Thanks.

2 Replies

johnd2310
Level 8

Hi,

Is one of those sites behind a NAT device? What are you using to connect to the Internet, at home and at the client site?

regards

John

**Please rate posts you find helpful**

Patrick Iseli
Level 7

Try enabling NAT-T on your PIX by configuring:

isakmp nat-traversal 20

and configure the VPN client accordingly:

http://www.cisco.com/warp/public/471/cvpn_3k_nat.html#conf_client

isakmp nat-traversal 20:

Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.

The firewall supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps. NAT traversal is disabled by default on the firewall.

To enable NAT traversal, check that ISAKMP is enabled (you can enable it with the isakmp enable if_name command) and then use the isakmp nat-traversal [natkeepalive] command. (This command appears in the configuration if both ISAKMP is enabled and NAT traversal is enabled.) If you have enabled NAT traversal, you can disable it with the no isakmp nat-traversal command. Valid values for natkeepalive are from 10 to 3600 seconds. The default is 20 seconds.

See: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1027312

sincerely

Patrick
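As an added illustration of why NAT-T fixes the "IKE works, data doesn't" symptom above (example code written for this page, not code from the thread or from Cisco), here is a small Python classifier that tells raw ESP (IP protocol 50, which a PAT device has no ports to map) apart from the UDP/4500-encapsulated ESP that NAT traversal produces, using constructed packets rather than a real capture:

```python
import struct

# Constructed sample packets (not captures from the original thread):
# minimal IPv4 headers with only the IPsec-relevant fields populated.
def _ipv4(proto, payload):
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      bytes([192, 168, 1, 10]), bytes([203, 0, 113, 1]))
    return hdr + payload

def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# IKE on 500, raw ESP (protocol 50: SPI + sequence), IKE floated to 4500
# with the non-ESP marker, ESP-in-UDP on 4500, and a NAT keepalive byte.
SAMPLES = [
    _ipv4(17, _udp(500, 500, b"\x11" * 28)),
    _ipv4(50, b"\x00\x00\x12\x34\x00\x00\x00\x01" + b"\xaa" * 16),
    _ipv4(17, _udp(4500, 4500, b"\x00\x00\x00\x00" + b"\x11" * 28)),
    _ipv4(17, _udp(4500, 4500, b"\x00\x00\x12\x34\x00\x00\x00\x02" + b"\xaa" * 16)),
    _ipv4(17, _udp(4500, 4500, b"\xff")),
]

def classify(packet):
    """Return the IPsec traffic type of one IPv4 packet seen on the client side."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    l4 = packet[ihl:]
    if proto == 50:           # ESP without UDP: no ports for a PAT device to map
        return "esp-raw"
    if proto != 17:
        return "other"
    sport, dport = struct.unpack("!HH", l4[:4])
    data = l4[8:]
    if 500 in (sport, dport):
        return "ike-udp500"
    if 4500 in (sport, dport):
        if data == b"\xff":   # RFC 3948 NAT keepalive keeps the mapping open
            return "nat-keepalive"
        if data[:4] == b"\x00\x00\x00\x00":  # non-ESP marker: IKE moved to 4500
            return "ike-udp4500"
        return "esp-udp4500"  # UDP-encapsulated ESP: what NAT-T negotiates
    return "other"

def diagnose(packets):
    """Summarise whether the data path is NAT-T encapsulated."""
    kinds = {classify(p) for p in packets}
    if "esp-udp4500" in kinds:
        return "nat-t: ESP is UDP-encapsulated on 4500"
    if "esp-raw" in kinds:
        return "raw esp: tunnel up, but protocol 50 data is likely dropped by PAT"
    return "no esp seen"
```

Running `diagnose` over a capture taken at the client site while a ping across the tunnel fails shows directly whether the data path is raw ESP (the symptom in the question) or UDP/4500 (NAT-T negotiated).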