I have a situation where two sites have Internet access only. One PC at the central site requires secure access to a server at the remote site.
Both sites have a PIX 515. The central site has OS 4.3 and the remote site has OS 6.11. Each does NAT and PAT for the PCs on the inside interface. I set up the PIX at the remote site for VPN client access. I installed the VPN client 3.11 on a PC at the central site. I am able to form the SA, but am unable to pass any traffic.
The statistics monitor on the PC shows that it is encrypting packets to the remote site and the PIX shows that the SA has been created. I receive no responses to pings from the PC to the server through the VPN using the server's internal address.
I have tried configuring a static for the PC to see if that would help. It still creates the SA and does not receive responses.
Is it possible to create this VPN tunnel for a PC from behind another PIX doing NAT? Do I need to upgrade the OS on the PIX at the central site to support this?
Would a downgrade to the older VPN client help in this situation, or am I right to try to use the Client 3.11? Is this a supported configuration? Am I better off just upgrading the central PIX and trying to do a site-to-site VPN and use access lists to control which PCs can access the server?
You really need to have the functionality of IPSec through NAT turned on, which the new client is already capable of, but not the PIX as yet, see CSCdv32490. You would be better off upgrading the 4.2 code of the PIX to a 5.x code and do a site-to-site LAN. This way, you have a centralised control of the VPN tunnel, and it would be transparent to the client, as you don't need to install anything on their desktops.
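A site-to-site configuration of the kind the reply recommends, added here as an illustration; it is not taken from the thread or from Cisco. It uses PIX 6.x command syntax (the release running at the remote site; the reply's suggested 5.x target is close but was not checked line by line). Every address, the pre-shared key, the access-list and crypto-map names are constructed for the example; the remote-site PIX gets the mirror image with the two sides' addresses swapped. Lines starting with ":" are comments, as in a saved PIX configuration.

```text
: Central-site PIX (assumed for the example):
:   outside 192.0.2.1, inside 10.1.0.0/24, PC that needs the server 10.1.0.10
: Remote-site PIX (assumed for the example):
:   outside 198.51.100.1, inside 10.2.0.0/24, server 10.2.0.20
:
: Only the one PC-to-server flow is "interesting" traffic; everything else
: keeps going through the normal NAT/PAT. This is the access-list control
: over which PCs reach the server that the original question asks about.
access-list vpn-traffic permit ip host 10.1.0.10 host 10.2.0.20
: Exempt that flow from NAT/PAT so it enters the tunnel with its inside address
nat (inside) 0 access-list vpn-traffic
: Let decrypted tunnel traffic bypass the outside interface's conduits/ACLs
sysopt connection permit-ipsec
:
: IKE phase 1: pre-shared key bound to the peer's outside address
isakmp enable outside
isakmp key EXAMPLE-PSK-CHANGE-ME address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
:
: IKE phase 2 / IPsec: ESP with 3DES and SHA-1 HMAC
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map site2site 10 ipsec-isakmp
crypto map site2site 10 match address vpn-traffic
crypto map site2site 10 set peer 198.51.100.1
crypto map site2site 10 set transform-set strong
crypto map site2site interface outside
```

3DES assumes the 3DES feature licence on both boxes; without it, substitute des in the isakmp policy and transform set. After sending traffic from 10.1.0.10 to 10.2.0.20, show crypto isakmp sa should list the peer and show crypto ipsec sa should show the encaps/decaps counters rising on both PIXes; a rising encaps count with a flat decaps count points at the return path, not the negotiation.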
I created a static for the two PCs that were behind the old PIX. This allowed them both to create the tunnel. I was not able to pass traffic successfully until I created 3 conduits on the old central site PIX to allow the traffic back in. I was told by Cisco TAC that this was because the PIX was too old. If I had upgraded from 4.4 to 5.x it should have worked without the conduits.
Apparently the key to getting this to work is having a static IP address for the PC VPN client. PAT will not work for them unless you have a VPN concentrator.
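The static-plus-conduit workaround described in the follow-up, written out as an added example that is not the poster's actual configuration. The poster does not say which three conduits were used; the two shown are the minimum a VPN client behind the central PIX needs for the return path (IKE on UDP/500 and ESP), and nothing is assumed about the third. Syntax is the PIX 4.x/5.x conduit form with explicit masks, which also works on 6.x. All addresses are constructed for the example; lines starting with ":" are comments.

```text
: Central-site PIX. Assumed addresses, constructed for the example:
:   VPN client PC (inside)        10.1.0.10
:   Spare global address          192.0.2.10   (on the central PIX's outside subnet)
:   Remote-site PIX outside       198.51.100.1 (the VPN peer the client dials)
:
: One-to-one static, so the client leaves with a fixed public address instead
: of a PAT port; this is the "static IP address for the PC VPN client" above.
static (inside,outside) 192.0.2.10 10.1.0.10 netmask 255.255.255.255
:
: Conduits open the inbound path for the two IPsec flows, from the peer only.
: IKE (ISAKMP) negotiation: UDP/500 in both directions
conduit permit udp 192.0.2.10 255.255.255.255 eq 500 198.51.100.1 255.255.255.255
: Encrypted data: ESP is IP protocol 50 (6.x also accepts the keyword esp)
conduit permit 50 192.0.2.10 255.255.255.255 198.51.100.1 255.255.255.255
```

Scoping both conduits to the peer's address keeps the exposure to what the tunnel needs; a conduit to any would let anyone on the Internet reach the client's IKE port. show static and show conduit confirm the entries, and clear xlate after adding the static makes sure the client's existing PAT translation is not reused.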