Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
350
Views
0
Helpful
4
Replies

Symantec VPN Client through a PIX 501 issue

dvancamp
Level 1
Level 1

‎10-12-2006 12:48 PM - edited ‎02-21-2020 02:39 PM

I have a client that has a PIX 501 with 6.3. We have the usual "isakmp nat-transversal 20" and the "sysopt connect permit-ipsec". However, we can not get the Symantec VPN Client to pass it's isakmp information properly. The Symantec client works fine from other locations without a PIX. I have followed Symantec's recommendations regarding NAT Transversal and it still will not work.

Does anyone have experience with this client passing through a PIX? Is there something else I should be doing/checking on the PIX?

Dale

Labels:
Preview file
5 KB
0 Helpful
4 Replies 4

mmorris11
Level 4
Level 4

‎10-12-2006 01:06 PM

The flip side to the nat-traversal feature is that it only works if you are not also terminating ipsec on the pix. If you have an address that you can use besided the outside interface address for the client, you can have them use that and it will work.

0 Helpful

dvancamp
Level 1
Level 1
In response to mmorris11

‎10-12-2006 01:16 PM

Can you elaborate a little more? I am a little confused by which outside interface address you are talking about - the Pix or the Symantec VPN host?

If you are talking about the PIX, do you mean assign another IP address to the outside interface? Is there anything special I would need to do to "make" the Symantec client use the new IP on the outside interface?

Thank you for taking the time to respond... I have been pulling my hair out on this one for several days now.

- Dale

0 Helpful

mmorris11
Level 4
Level 4
In response to dvancamp

‎10-12-2006 01:54 PM

Here is what I do:

object-group protocol no-pat-protocols

description This is a list of protocols that will invoke the global 99

protocol-object esp

protocol-object gre

object-group network no-pat-nets

description This is a list of networks or hosts which are permitted to use the global 99 range for VPN pass-thru

network-object 10.1.X.0 255.255.255.0

access-list no-pat extended permit object-group no-pat-protocols object-group no-pat-nets any

access-list no-pat extended permit udp object-group no-pat-nets any eq isakmp

global (outside) 99 70.x.x.120-70.x.x.126 netmask 255.255.255.128

global (outside) 100 70.x.x.110

nat (inside) 0 access-list no-nat

nat (inside) 99 access-list no-pat

nat (inside) 100 0.0.0.0 0.0.0.0

What this does is creates a policy nat which will allow vpn client users to grab an ip from the global 99 pool so that they will have an ip all to themselves while running a VPN client through and from behind the firewall.

Another option that I was suggesting initially for you is to simply create a static like so:

static(inside,outside) somePublicIP, VPNclientPCiP net 255.255.255.255

then you would need to permit isakmp in for this ip like so:

access-list someAcl permit udp any host somePublicIP eq 500

access-list someAcl permit gre any host somePublicIP

Then attach that to your outside interface. The reason, btw, that nat traversal doesn't work when you are using the pix as an ipsec endpoint is that you are already using up udp 500 on the outside interface of the pix. So if you pat on that address, isakmp won't go anywhere else but to the running process on the pix.

HTH pls rate!

0 Helpful

tdzierzek
Level 1
Level 1

‎10-12-2006 03:09 PM

Dale,

I believe that you need to update the access-list on the outside to allow isakmp and AH or ESP in.

Tim

0 Helpful
Customers Also Viewed These Support Documents