03-02-2006 02:04 PM - edited 02-21-2020 02:17 PM
Has anyone seen this kind of behavior: Sitting at home, I connect to a PIX 501 running 6.3 with VPN client 4.0.5. The VPN client connects, I authenticate successfully and am connected. I can then communicate with hosts on the inside network on the other side of the tunnel with RDP or telnet. However, when I arrive at another location (the office of one of my clients), I launch the VPN client, can authenticate and connect to the same PIX with the VPN client. However, I cannot pass any traffic across the tunnel to the network I was able to successfully communicate with at home. I checked the routes on my PC and they look fine? Any ideas? Thanks.
03-02-2006 02:52 PM
Hi,
Is one of those sites behind a NAT device? What are you using to connect to the Internet, at home and at the client site?
regards
John
03-02-2006 02:53 PM
Try enabling NAT-T on your pix, by configuring:
isakmp nat-traversal 20
and configure the vpn client accordingly:
http://www.cisco.com/warp/public/471/cvpn_3k_nat.html#conf_client
Isakmp nat-traversal 20 :
Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.
The firewall supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps. NAT traversal is disabled by default on the firewall.
To enable NAT traversal, check that ISAKMP is enabled (you can enable it with the isakmp enable if_name command) and then use the isakmp nat-traversal [natkeepalive] command. (This command appears in the configuration if both ISAKMP is enabled and NAT traversal is enabled.) If you have enabled NAT traversal, you can disable it with the no isakmp nat-traversal command. Valid values for natkeepalive are from 10 to 3600 seconds. The default is 20 seconds.
sincerely
Patrick
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide