09-24-2003 05:16 AM - edited 02-21-2020 12:47 PM
Hello,
I am trying to connect to a remote access VPN using the Cisco VPN Client v4.0.2(B). The client is located behind an 837 router, which is using IOS-NAT to hide the client. The destination is a PIX running v6.3(1), with NAT traversal enabled.
I can connect successfully to the VPN; however, I cannot access any resources behind the PIX. If I try to run a PING from the client to a server behind the PIX, the 'encrypted packets' counter is incremented on the Cisco VPN Client, but none of the counters on the PIX are incremented.
Has anyone experienced a similar problem or got a suggestion on where to go from here?
Many thanks,
Matt
09-28-2003 10:40 PM
Are you sure NAT-T is enabled on the PIX (it's disabled by default)? Check the VPN client settings after the tunnel is up and check the value for Transparent Tunnelling, make sure it shows that NAT-T is running.
Other than that, make sure you have:
> sysopt connection permit-ipsec
> isakmp nat-traversal
in the PIX.
If you try a connection via dial-up from this same PC, bypassing the 837, does it connect and pass traffic OK? This will tell you whether the PC, PIX or 837 is at fault.
09-29-2003 01:58 AM
Hi, and thanks for your response.
I have confirmed that NAT-T and 'sysopt connection permit-ipsec' are configured on the PIX, and when the tunnel is up, tunneling is active according to the Cisco VPN Client.
Strangely enough, this works when connected from behind a CheckPoint firewall, so I'm fairly sure that it is the 837 at fault.
Any other thoughts?
Matt
09-29-2003 05:46 PM
Can you post the "sho run" from the 837, plus a "sho ip nat trans" output after the tunnel is established and you have sent some traffic? What is the IP address of the PC that you're connecting from (both its actual address and its VPN negotiated address)?
xxx out the IP addresses and passwords on the 837 before posting.
09-30-2003 04:25 AM
Hi,
The IP NAT translation table is:
udp
udp
udp
My running config is:
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname myrouter
!
no logging console
enable secret 5 ##
!
username ## password 7 ##
clock timezone gmt 0
clock summer-time bst recurring
aaa new-model
!
aaa session-id common
ip subnet-zero
ip name-server 195.92.195.92
!
ip urlfilter alert
ip audit notify log
ip audit po max-events 100
!
interface Ethernet0
 ip address 172.18.0.1 255.255.255.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip route-cache
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/16 ilmi
 !
 pvc 0 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 dsl power-cutback 0
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer idle-timeout 0
 ppp authentication chap callin
 ppp chap hostname ####
 ppp chap password 7 ####
!
ip nat inside source list 100 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
access-list 100 permit ip 172.18.0.0 0.0.0.255 any
radius-server authorization permit missing Service-Type
!
line con 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password 7 ####
 transport input telnet ssh
!
scheduler max-task-time 5000
In addition, when the VPN is established, the VPN client shows:
Transparent Tunneling: Active on UDP port 4500
Encrypted Packets: 8
And the IPSec SA on the PIX:
interface: outside
    Crypto map tag: outside_map, local addr.
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.1/255.255.255.255/0/0)
   current_peer:
     dynamic allocated peer ip: 192.168.5.1
     PERMIT, flags={transport_parent,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.:
     path mtu 1500, ipsec overhead 64, media mtu 1500
     current outbound spi: 34d62660
     inbound esp sas:
      spi: 0x113837d9(771234057)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 1, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4608000/28690)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x31234660(881234664)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4608000/28690)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:
As the VPN client sends the packets, but the PIX does not receive them, I can only assume that the 837 is the problem?
Any thoughts?
Matt
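An added example, not part of the thread and not a Cisco tool: a small Python parser for the PIX `show crypto ipsec sa` output posted above. It pulls out the peer, the NAT-T (UDP-Encaps) flag, the per-direction SPIs and the encaps/decaps counters, and classifies the SA the way the troubleshooting in this thread does (encaps and decaps both at zero while the client's encrypted counter climbs means the ESP-in-UDP packets are being lost before the PIX). The sample input is abridged from the output in the post; the verdict names, `EXPLANATIONS` and `WEAK_ALGS` are this example's own. It also flags the single-DES transform negotiated here, which a current deployment should not accept.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input, abridged from the `show crypto ipsec sa` output posted above
# (fields blanked in the post stay blank here).
SAMPLE_SA_OUTPUT = """\
interface: outside
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.1/255.255.255.255/0/0)
   current_peer:
     dynamic allocated peer ip: 192.168.5.1
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
     current outbound spi: 34d62660
     inbound esp sas:
      spi: 0x113837d9(771234057)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 1, crypto map: outside_map
     outbound esp sas:
      spi: 0x31234660(881234664)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2, crypto map: outside_map
"""

@dataclass
class IpsecSa:
    peer: str = ""
    udp_encaps: bool = False                              # NAT-T (UDP/4500) negotiated
    counters: Dict[str, int] = field(default_factory=dict)
    transforms: List[str] = field(default_factory=list)
    spis: Dict[str, str] = field(default_factory=dict)    # e.g. "inbound_esp" -> "0x..."

PEER_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \((\S+?)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify):?\s+(\d+)")
DIRECTION_RE = re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:")
SPI_RE = re.compile(r"spi:\s*(0x[0-9a-fA-F]+)")
SETTINGS_RE = re.compile(r"in use settings\s*=\{([^}]*)\}")
TRANSFORM_RE = re.compile(r"transform:\s*(.+?)\s*,\s*$")

def parse_ipsec_sa(text: str) -> IpsecSa:
    """Parse one peer's SA block into peer, counters, SPIs, transforms and NAT-T flag."""
    sa = IpsecSa()
    direction: Optional[str] = None          # which "... sas:" section we are inside
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            sa.peer = m.group(1)
        for name, value in COUNTER_RE.findall(line):   # "digest 0" has no colon
            sa.counters[name] = int(value)
        if m := DIRECTION_RE.match(line):
            direction = f"{m.group(1)}_{m.group(2)}"
        elif (m := SPI_RE.search(line)) and direction:
            sa.spis[direction] = m.group(1)
        if m := SETTINGS_RE.search(line):
            flags = [f.strip() for f in m.group(1).split(",") if f.strip()]
            sa.udp_encaps |= "Tunnel UDP-Encaps" in flags
        if (m := TRANSFORM_RE.search(line)) and m.group(1) not in sa.transforms:
            sa.transforms.append(m.group(1))
    return sa

# Verdict codes and wording are this example's own, not PIX output.
EXPLANATIONS = {
    "nat-t-not-negotiated": "SA is not UDP-encapsulated; for a client behind NAT that means "
        "NAT-T was not negotiated (check 'isakmp nat-traversal' and the client's Transparent Tunneling).",
    "no-traffic-either-direction": "PIX has neither received nor sent ESP for this peer: the "
        "client's encrypted packets are dropped before they reach the PIX (suspect the NAT device in the path).",
    "nothing-received": "PIX sends ESP but receives none: inbound UDP/4500 is not arriving.",
    "nothing-sent": "PIX receives ESP but sends none: return traffic is not hitting the crypto map.",
    "healthy": "ESP flows in both directions.",
}

def diagnose(sa: IpsecSa) -> str:
    """Classify the SA from its encaps/decaps counters, as the thread's troubleshooting does."""
    encaps, decaps = sa.counters.get("encaps", 0), sa.counters.get("decaps", 0)
    if not sa.udp_encaps:
        return "nat-t-not-negotiated"
    if encaps == 0 and decaps == 0:
        return "no-traffic-either-direction"
    if decaps == 0:
        return "nothing-received"
    if encaps == 0:
        return "nothing-sent"
    return "healthy"

WEAK_ALGS = {"esp-des", "esp-null"}   # single DES or no encryption at all

def weak_transforms(sa: IpsecSa) -> List[str]:
    """Algorithms in the negotiated transform set that should not be accepted today."""
    return sorted({alg for t in sa.transforms for alg in t.split() if alg in WEAK_ALGS})

if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE_SA_OUTPUT)
    verdict = diagnose(sa)
    print(f"peer={sa.peer} udp_encaps={sa.udp_encaps} counters={sa.counters}")
    print(f"{verdict}: {EXPLANATIONS[verdict]}")
    if weak_transforms(sa):
        print("weak transforms negotiated:", ", ".join(weak_transforms(sa)))
```

Run it against the posted output and the verdict is "no-traffic-either-direction", which is exactly the reasoning Matt used to place the fault on the 837 rather than the PIX; pasting a healthy SA (non-zero encaps and decaps) returns "healthy", and decaps alone at zero points at the inbound UDP/4500 path.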
10-11-2003 11:41 PM
I have managed to resolve this problem by upgrading to a later version of software on the 837 router.
Thanks to everyone for their suggestions.
Regards,
Matt