I have one PIX 506e; on the inside LAN there is one PC client, and on this client there is SSH Sentinel VPN Client software used to connect this PC to a remote LAN protected by a Zyxel router/firewall.
When I activate the Sentinel software,
the VPN tunnel goes ON but the traffic doesn't work; for example, it is not possible to ping any host.
If I remove the PIX 506 and connect the PC directly to the router, the VPN tunnel goes ON and every host on the remote LAN responds to ping. Zyxel support suggests verifying port 500 and port 68.
The Cisco PIX log says:
305006: portmap translation creation failed for protocol 50 src inside:192.168.2.169 dst outside:88.xx.123.zz
This is the configuration on my PIX:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_access_in permit icmp any any echo-reply
access-list nonat permit ip any 10.0.1.0 255.255.255.0
access-list nonat permit ip any 10.0.2.0 255.255.255.0
access-list nonat permit ip any 10.0.3.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.xx 255.255.255.248
ip address inside 192.168.2.101 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Networking 10.0.1.1-10.0.1.10
ip local pool Mobile 10.0.2.1-10.0.2.10
ip local pool Comm 10.0.3.1-10.0.3.10
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 10.0.1.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.zz 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
sysopt connection permit-ipsec
crypto ipsec transform-set TRSET esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set TRSET
crypto map VPN 10 ipsec-isakmp dynamic dynmap
crypto map VPN interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup Networking address-pool ONE
vpngroup Networking dns-server 192.168.2.1
vpngroup Networking wins-server 192.168.2.1
vpngroup Networking default-domain intranet
vpngroup Networking idle-time 1800
vpngroup Networking password ZZZZZZZZZZZZZZZZZZZ
vpngroup Mobile address-pool TWO
vpngroup Mobile dns-server 192.168.2.2
vpngroup Mobile wins-server 192.168.2.2
vpngroup Mobile default-domain intranet
vpngroup Mobile idle-time 1800
vpngroup Mobile password XXXXXXXXXXXXXXXXXX
vpngroup Comm address-pool THREE
vpngroup Comm dns-server 192.168.2.2
vpngroup Comm wins-server 192.168.2.2
vpngroup Comm default-domain intranet
vpngroup Comm idle-time 1800
vpngroup Comm password WWWWWWWWWWW
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Any idea or solution is welcome.
Thanks in advance to all.
Ensure the VPN client and remote endpoint support NAT-traversal. If they do not, you must disable NAT-T on your PIX and enable fixup protocol esp-ike. This would allow for 1 connection and 1 connection only.
no isakmp nat-traversal
fixup protocol esp-ike
Thank you for the answer,
the command: no isakmp nat-traversal
while the command: PIX(config)# fixup protocol esp-ike returns this:
PAT for ESP cannot be enabled since ISAKMP is enabled. Please correct your configuration and re-issue the command!
Sorry, that is because of "isakmp enable outside". It appears you have existing VPNs terminating on the PIX. no isakmp nat-traversal may have an ill effect on them as well. Fixup protocol esp-ike will also impact these connections. Did you check into NAT-T?
Thank you for your patience and support...
I tried the command: no isakmp nat-traversal; after this I tried the connection with the Zyxel Remote Security Client, but the problem is the same...
Yes, you would have to remove the isakmp command on the outside interface, then add the fixup protocol esp-ike command, but this would then break your remote VPN connections terminating on your PIX. Hope that makes sense. If any of your remote VPN users are using NAT-T, then removing the nat-traversal command would break those connections.
Perhaps now I have understood:
1) Remove the isakmp enable outside command
2) Add the fixup protocol esp-ike command
3) Add isakmp enable outside
Is that right?
Yes, but having "fixup protocol esp-ike" will only allow for 1 connection, and you will no longer be able to terminate VPNs on your firewall.
Dear acomiskey, thank you very much for your responses.
I'm Luigi, the owner of the PIX 506e.
I don't want to lose my VPN connections because I need them.
But I need to resolve the problem with the connection to the Zyxel firewall.
Is "fixup protocol esp-ike" the only way I have to connect to the Zyxel firewall, or is there another way?
Is it not possible to change the configuration of my 506 in order to have both (VPN clients connected and the connection to the Zyxel)?
I can confirm that the Zyxel firewall supports IPsec NAT-Traversal (it's a P662H).
OK, there is no such option on the Zywall VPN client.
So I think that it's already active (if the firewall has the option, the official VPN client has to have the option implicitly).
I want to add a new piece of information.
Other companies with a Cisco firewall can connect to these Zyxel firewalls with the same program and the same settings.
Is the PIX 506e different from other PIXs?
No, other than the version of the PIX IOS, they are not different.
Sorry, I'm not familiar with these VPN clients; which are you using exactly, SSH Sentinel or the Zywall client?
If the devices were doing NAT-T, the PIX would not be complaining about protocol 50 (ESP).
You could rule out NAT-T as being the problem. Do you have any more public IP addresses available? You could NAT a client to one of these addresses so you were not using PAT, therefore not needing NAT-T.
OK. I'm using both SSH Sentinel and the Zywall client (on 2 different PCs).
P.S. I've checked and they support NAT-T.
Yes, I have more public IPs. Would NATting a client mean that I have to put the client between the Cisco firewall and my ADSL router?
I can't have PCs outside the firewall for security reasons.
Can you please explain?
You can create a static NAT, or one-to-one mapping, like this.
static (inside,outside) 126.96.36.199 192.168.1.10 netmask 255.255.255.255
Therefore the client (192.168.1.10) will be translated to 188.8.131.52; this is not PAT/overloading, which requires NAT-T.
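As an added illustration of the point made in the thread (this is not code from any participant): the following Python model mimics how the PIX chooses a translation for an outbound packet from the posted config (nat 0 exemption first, then a static one-to-one mapping, then interface PAT) and why plain ESP cannot be PAT'd: PAT multiplexes many inside hosts on one address by rewriting transport ports, and ESP (IP protocol 50) has none, hence the 305006 "portmap translation creation failed" message. It also shows the two ways out discussed above: NAT-T, where both peers wrap ESP in UDP/4500 so PAT has a port to work with, and a static mapping to a spare public IP, which needs no port at all. The addresses 198.51.100.x and 203.0.113.10 are constructed stand-ins for the masked xx.xx.xx.xx and 88.xx.123.zz in the thread.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple

ESP = 50           # IP protocol number for ESP (no transport ports)
UDP = 17
NAT_T_PORT = 4500  # UDP port used for NAT-T encapsulated ESP (RFC 3948)


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for protocols that carry no port, e.g. ESP
    dport: Optional[int] = None


@dataclass
class PixNat:
    """Minimal model of PIX 6.x outbound translation selection (example only)."""
    pat_address: str                                 # global (outside) 1 interface
    statics: dict = field(default_factory=dict)      # inside -> outside, static (inside,outside) ...
    nonat: list = field(default_factory=list)        # destinations exempted by nat (inside) 0 access-list
    _next_pat_port: int = 1024

    def translate(self, pkt: Packet) -> Tuple[str, str, Optional[int]]:
        """Return (action, translated_src, translated_sport); action is nonat/static/pat/drop."""
        dst = ipaddress.ip_address(pkt.dst)
        # nat (inside) 0 access-list nonat: traffic to the VPN pools is not translated
        if any(dst in ipaddress.ip_network(n) for n in self.nonat):
            return ("nonat", pkt.src, pkt.sport)
        # static (inside,outside) PUBLIC PRIVATE: one-to-one, works for any protocol
        if pkt.src in self.statics:
            return ("static", self.statics[pkt.src], pkt.sport)
        # global (outside) 1 interface + nat (inside) 1 0 0 -> PAT. PAT needs a
        # transport port to map; ESP has none, so the xlate cannot be built.
        if pkt.sport is None:
            return ("drop", pkt.src, None)
        port = self._next_pat_port
        self._next_pat_port += 1
        return ("pat", self.pat_address, port)


def syslog_305006(pkt: Packet) -> str:
    """Reproduce the shape of the PIX message quoted in the thread."""
    return (f"305006: portmap translation creation failed for protocol {pkt.proto} "
            f"src inside:{pkt.src} dst outside:{pkt.dst}")


def nat_t_encapsulate(esp: Packet) -> Packet:
    """NAT-T: both peers wrap ESP in UDP/4500, giving PAT a port to rewrite."""
    return Packet(UDP, esp.src, esp.dst, sport=NAT_T_PORT, dport=NAT_T_PORT)


def pix_from_thread() -> PixNat:
    """The translation-relevant lines of the posted config, with a constructed outside IP."""
    return PixNat(
        pat_address="198.51.100.2",                      # stand-in for the masked xx.xx.xx.xx
        nonat=["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"],
    )


def scenarios() -> dict:
    client = "192.168.2.169"
    zyxel = "203.0.113.10"                               # stand-in for the masked 88.xx.123.zz
    esp = Packet(ESP, client, zyxel)
    results = {}

    # 1. As posted: plain ESP from a PAT'd host, no port to map -> dropped (305006)
    pix = pix_from_thread()
    results["pat_esp"] = pix.translate(esp)

    # 2. NAT-T negotiated by both peers: ESP rides UDP/4500 and PAT succeeds
    results["pat_nat_t"] = pix.translate(nat_t_encapsulate(esp))

    # 3. Dedicate a spare public IP to the client with a static; ESP passes one-to-one
    pix_static = pix_from_thread()
    pix_static.statics[client] = "198.51.100.3"          # constructed spare public IP
    results["static_esp"] = pix_static.translate(esp)
    return results


if __name__ == "__main__":
    for name, (action, src, port) in scenarios().items():
        print(f"{name:11s} -> {action:6s} src={src} port={port}")
    print(syslog_305006(Packet(ESP, "192.168.2.169", "203.0.113.10")))
```

The model deliberately ignores ISAKMP (UDP/500), which PATs fine in every scenario; that is why the tunnel "goes ON" in the original post while the ESP data traffic behind it never gets an xlate. On a real PIX a static alone is not enough for the return direction; the inbound ESP still has to be permitted (the posted config relies on sysopt connection permit-ipsec only for tunnels terminating on the PIX itself).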