Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

strange problem with ipsec nat transparent over udp

my vpn 3005 concentrator is located in the dmz zone of the firewall ,with firewall rule for ike,esp and ipsec nat transparency udp 10000 .

i can authenicate and connect successfully to this box but after that i cannot do anything ,cannot ping at all ,cannot surf....(client configure to allow ipsec over udp)

next i change the ipsec nat transparency from udp to tcp 10000 in the firewall rule then eveything is work fine.(change also the client to use ipsec over tcp)

note: i have enable udp over nat in this vpn box too.

any idea ?

how can we enable debug for icmp or other ip packet for this box?

4 REPLIES
New Member

Re: strange problem with ipsec nat transparent over udp

When your client get connection with "ipsec over UDP", from the statistics of the VPN client window, "nat transparency" is active or inactive?

If it is inactive, that means UDP 10000 is still being blocked.

IPSEC over UDP using UDP 500 (ISAKMP) for phase 1 authentication and UDP 10000 for real traffic.

When you pass authentication, that means UDP 500 is opend, not passing any traffic, most of the time, UDP 10000 is blocked.

I have seen many these kinds of cases from our customers.

IPSEC over TCP only use TCP 10000.

As far as you open TCP 10000, you pass authentication, you can pass traffic as well.

Please double check the PIX config for the access-list permit and group settings in the concentrator for the UDP port is default 10000.

Best Regards,

New Member

Re: strange problem with ipsec nat transparent over udp

from my client "nat transparency" is active .

After connection i try to ping to a cisco router in my network with debug ip icmp on.

my client ip is x.x.x.52

my router ip is x.x.x.1

2w2d: ICMP: echo reply sent, src x.x.x.1, dst x.x.x.52

it mean the client send icmp packet to the router and the router got the request and reply back to the client .

It look like the concentrator 3005 box did not get the reply , the packet is loss

note:i have double check the udp port is 10000 and firewall allow udp 10000 too

Cisco Employee

Re: strange problem with ipsec nat transparent over udp

You have a route or more likely a proxy arp issue.

Try providing the cient a different ip pool of address (defined on the concentrator), then on the router, set a static route for that ip pool to be sent back to the private interface of the concentrator. If this works, it confirms the proxy arp or route issue.

On the pix, you can turn off proxy arp for the interface that migth be causing the issue by doing " no sysopt proxyarp (interfacename)" .

Regards,

New Member

Re: strange problem with ipsec nat transparent over udp

is it proxy arp issue , why eveything is working when I change the potocol to TCP 10000 ?

Try your method ,still the same problem ...

note: i using symantec firewall .

120
Views
0
Helpful
4
Replies
CreatePlease login to create content