Cisco Support Community

New Member

Problem with VPN behind the NAT

I have this scheme: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml

But I have a problem: the VPN does not come up from the router which is behind the NAT, but it does come up from the other site. Can anybody help me resolve this problem?

11 REPLIES

Re: Problem with VPN behind the NAT

Do you have any vpn on the PIX also?

New Member

Re: Problem with VPN behind the NAT

Yes, I have active VPN tunnels on my PIX. How can that influence my scheme?

Re: Problem with VPN behind the NAT

What PIX version do you have?

New Member

Re: Problem with VPN behind the NAT

PIX 515E

Cisco PIX Security Appliance Software Version 7.0(1)

Re: Problem with VPN behind the NAT

debug crypto ipsec

debug crypto isakmp

no access-list 120

access-list 120 permit ip host 192.168.34.1 host 192.168.11.7

no ip access-list extended VPN

ip access-list extended VPN

permit ip host 192.168.11.7 host 192.168.34.1

New Member

Re: Problem with VPN behind the NAT

I have attached the debug taken without deleting the access-list. After deleting the access-list on the c2811 the VPN tunnel came up. But after I reloaded the c871 the VPN again does not come up from the c2811.

Re: Problem with VPN behind the NAT

So... was it working?

Try to add on both sides:

crypto isakmp keepalive 10

crypto isakmp invalid-spi-recovery

After that do:

clear crypto sa

clear crypto isa sa
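The advice in the thread so far comes down to three things: the crypto ACLs on the two routers must be exact mirrors of each other, keepalives must be on so a stale SA is detected after a peer reload, and invalid-spi-recovery lets the public-side router rebuild a tunnel when the reloaded peer sends ESP with an SPI it no longer knows. The following is an added, complete configuration for both routers that puts those pieces together; it is not from the original thread or from the Cisco configuration example linked above. The hosts 192.168.11.7 and 192.168.34.1 are the ones from the ACLs posted above; everything else (the c2811 public address 203.0.113.1, the PIX outside address 198.51.100.1, the c871 inside address 10.1.1.2, interface names, the pre-shared key VPNKEY and the names TS, MAP and VPN) is assumed for illustration.

```cisco
! ===== c2811 (public-side peer; assumed public address 203.0.113.1) =====
! Phase 1 policy must match on both routers.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
! The c871 sits behind the PIX, so its IKE packets arrive from the PIX
! outside address (assumed 198.51.100.1), not from the c871's own address.
crypto isakmp key VPNKEY address 198.51.100.1
! Dead Peer Detection: probe every 10 s so an SA left over from a peer
! reload is torn down instead of lingering until its lifetime expires.
crypto isakmp keepalive 10 periodic
! Re-initiate IKE when a peer sends ESP with an SPI this router no longer
! knows (the situation right after the c871 reloads). Off by default
! because of the DoS consideration quoted later in the thread; here only
! the one keyed peer can trigger it.
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Crypto ACL: local host first, remote host second.
ip access-list extended VPN
 permit ip host 192.168.11.7 host 192.168.34.1
!
crypto map MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address VPN
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map MAP

! ===== c871 (behind the PIX; assumed inside address 10.1.1.2) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key VPNKEY address 203.0.113.1
crypto isakmp keepalive 10 periodic
crypto isakmp invalid-spi-recovery
! NAT-T is on by default in IOS; the UDP/4500 NAT keepalive keeps the
! PIX translation slot alive while the tunnel is idle.
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Exact mirror of the c2811 ACL (source and destination swapped). The
! thread's fix above was to replace access-list 120 with exactly this.
ip access-list extended VPN
 permit ip host 192.168.34.1 host 192.168.11.7
!
crypto map MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN
!
interface FastEthernet4
 ip address 10.1.1.2 255.255.255.0
 crypto map MAP
!
! Persist the change. A reload without this falls back to startup-config,
! which matches the "works until I reload the c871" symptom.
end
write memory
```

Apply the same `end` / `write memory` on the c2811, then `clear crypto sa` and `clear crypto isakmp sa` on both sides as suggested above, and confirm with `show crypto isakmp sa` and `show crypto ipsec sa`. One caveat that follows from the topology rather than from any command here: with the c871 behind PAT on the PIX, only the c871 can initiate the tunnel, because the c2811 has no way to reach a PAT'd peer unless the PIX statically forwards UDP 500 and 4500 to the c871, and it cannot do that for UDP 500 while it is terminating its own IKE tunnels on the outside interface.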

New Member

Re: Problem with VPN behind the NAT

Yes, I had already added crypto isakmp invalid-spi-recovery previously

and the VPN tunnel worked, but in the scheme http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml there is no crypto isakmp invalid-spi-recovery. What does this line do? How safe and stable is this config?

New Member

Re: Problem with VPN behind the NAT

Yes, I have read this guide and it confuses me:

If an IKE SA is being initiated to notify an IPSec peer of an "Invalid SPI" error, there is the risk that a denial-of-service (DoS) attack can occur. The feature has a built-in mechanism to minimize such a risk, but because there is a risk, the feature is not enabled by default. You must enable the command using command-line interface (CLI).

Can the VPN work without crypto isakmp invalid-spi-recovery? I think the c871 doesn't detect the NAT.

Re: Problem with VPN behind the NAT

Did you save the config?
