Remote Access VPN problem to PIX6.3 through 837

mattcooling
Level 1

Hello,

I am trying to connect to a remote access VPN using the Cisco VPN Client v4.0.2(B). The client is located behind an 837 router, which is using IOS-NAT to hide the client. The destination is a PIX running v6.3(1), with NAT traversal enabled.

I can connect successfully to the VPN, however, cannot access any resources behind the PIX. If I try run a PING from the client to a server behind the PIX, the 'encrypted packets' counter is incremented on the Cisco VPN Client, but none of the counters on the PIX incremented.

Has anyone experienced a similar problem or got a suggestion on where to go from here?

Many thanks,

Matt

5 Replies

gfullage
Cisco Employee

Are you sure NAT-T is enabled on the PIX (it's disabled by default)? Check the VPN client settings after the tunnel is up and check the value for Transparent Tunnelling, make sure it shows that NAT-T is running.

Other than that, make sure you have:

> sysopt connection permit-ipsec

> isakmp nat-traversal

in the PIX.

If you try a connection via dial-up from this same PC, bypassing the 837, does it connect and pass traffic OK? This will tell you whether the PC, PIX or 837 is at fault.

Hi, and thanks for your response.

I have confirmed that NAT-T and 'sysopt connection permit-ipsec' are configured on the PIX, and when the tunnel is up, tunneling is active according to the Cisco VPN Client.

Strangely enough, this works when connected from behind a CheckPoint firewall, so I'm fairly sure that it is the 837 at fault.

Any other thoughts?

Matt

Can you post the "sho run" from the 837, plus a "sho ip nat trans" output after the tunnel is established and you have sent some traffic? What is the IP address of the PC that you're connecting from (both its actual address and its VPN negotiated address)?

xxx out the IP addresses and passwords on the 837 before posting.

Hi,

The IP NAT translation table is:

Pro Inside global      Inside local       Outside local      Outside global
udp :4500              172.18.0.100:4500  :4500              :4500
udp :500               172.18.0.100:500   :500               :500
udp :1057              172.18.0.100:1057  195.92.195.92:53   195.92.195.92:53

My running config is:

version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname myrouter
!
no logging console
enable secret 5 ##
!
username ## password 7 ##
clock timezone gmt 0
clock summer-time bst recurring
aaa new-model
!
!
aaa session-id common
ip subnet-zero
ip name-server 195.92.195.92
!
ip urlfilter alert
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
interface Ethernet0
 ip address 172.18.0.1 255.255.255.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip route-cache
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/16 ilmi
 !
 pvc 0 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 dsl power-cutback 0
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer idle-timeout 0
 ppp authentication chap callin
 ppp chap hostname ####
 ppp chap password 7 ####
!
ip nat inside source list 100 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
access-list 100 permit ip 172.18.0.0 0.0.0.255 any
radius-server authorization permit missing Service-Type
!
line con 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password 7 ####
 transport input telnet ssh
!
scheduler max-task-time 5000

In addition, when the VPN is established, the VPN client shows:

Transparent Tunneling: Active on UDP port 4500
Encrypted Packets: 8

And the IPSec SA on the PIX:

interface: outside
    Crypto map tag: outside_map, local addr.

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.1/255.255.255.255/0/0)
   current_peer: :4500
   dynamic allocated peer ip: 192.168.5.1
     PERMIT, flags={transport_parent,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: , remote crypto endpt.:
     path mtu 1500, ipsec overhead 64, media mtu 1500
     current outbound spi: 34d62660

     inbound esp sas:
      spi: 0x113837d9(771234057)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 1, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4608000/28690)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x31234660(881234664)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4608000/28690)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

As the VPN client sends the packets, but the PIX does not receive them, I can only assume that the 837 is the problem?

Any thoughts?

Matt
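An added diagnostic (not from this thread, Cisco, or either poster) that walks the evidence gfullage asked for and Matt posted above: the VPN client counters, the 837's "sho ip nat trans" output, and the PIX "show crypto ipsec sa". The sample outputs are constructed from this thread, with the redacted public addresses replaced by x.x.x.x (router) and y.y.y.y (PIX) placeholders; the function names and verdict labels are my own, and it generalises the thread's single case to the other hops where NAT-T traffic can be lost.

```python
import re

# Constructed sample output modelled on the thread; public IPs replaced by
# x.x.x.x (router) and y.y.y.y (PIX) because the post redacts them.
CLIENT_STATS = """Transparent Tunneling: Active on UDP port 4500
Encrypted Packets: 8
"""
NAT_TABLE = """Pro Inside global      Inside local       Outside local      Outside global
udp x.x.x.x:4500       172.18.0.100:4500  y.y.y.y:4500       y.y.y.y:4500
udp x.x.x.x:500        172.18.0.100:500   y.y.y.y:500        y.y.y.y:500
udp x.x.x.x:1057       172.18.0.100:1057  195.92.195.92:53   195.92.195.92:53
"""
PIX_SA = """interface: outside
    Crypto map tag: outside_map, local addr. y.y.y.y
   current_peer: x.x.x.x:4500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
        in use settings ={Tunnel UDP-Encaps, }
"""

def client_encrypted(text):
    m = re.search(r"Encrypted Packets:\s*(\d+)", text)
    return int(m.group(1)) if m else 0

def client_natt_active(text):
    return "Transparent Tunneling: Active on UDP port 4500" in text

def nat_translation_exists(text, inside_local, port):
    # One 'udp <global>:<p> <local>:<p> ...' row per translation; match the inside-local side.
    pat = re.compile(r"^udp\s+\S+:\d+\s+%s:(\d+)\s" % re.escape(inside_local), re.M)
    return any(int(m.group(1)) == port for m in pat.finditer(text))

def pix_decaps(text):
    m = re.search(r"#pkts decaps:\s*(\d+)", text)
    return int(m.group(1)) if m else 0

def locate_fault(client, nat, pix, inside_local="172.18.0.100"):
    """Walk the path client -> 837 NAT -> PIX and name the first hop that fails."""
    if client_encrypted(client) == 0:
        return "client"       # nothing leaves the client; not a NAT or PIX issue
    if not client_natt_active(client):
        return "nat-t"        # NAT-T not negotiated: check 'isakmp nat-traversal' on the PIX
    if not nat_translation_exists(nat, inside_local, 4500):
        return "router-nat"   # no UDP/4500 entry: the 837 is not translating NAT-T at all
    if "UDP-Encaps" not in pix:
        return "pix-sa"       # PIX SA is not UDP-encapsulated: NAT-T mismatch
    if pix_decaps(pix) == 0:
        return "router-path"  # translation exists, client sends, PIX sees nothing: 837 loses ESP-in-UDP
    return "beyond-tunnel"    # PIX decapsulates fine; look at sysopt/ACLs/routing behind the PIX
```

With the thread's own numbers (client encrypted 8, UDP/4500 translated, PIX decaps 0) the verdict is "router-path", which matches Matt's conclusion that the 837 was at fault.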

mattcooling
Level 1

I have managed to resolve this problem by upgrading to a later version of software on the 837 router.

Thanks to everyone for their suggestions.

Regards,

Matt
