Cisco Support Community
Community Member

VPN Client 4.0.1 to PIX 6.3.1 through NAT overload

I am having a problem establishing an IPSEC connection to an extranet through an IP NAT overloaded interface.

On my intranet I have a workstation running Cisco VPN Client version 4.0.1. The workstation is routed through a Cisco 1601-R Router (IOS 12.0(5)T) that routes through IP NAT Overloaded ISDN Terminal Adapter Dialer Interface to an extranet Access Server which then routes to a PIX 501 (6.3.1) with NAT Traversal enabled. I am able to successfully authenticate on the PIX. However, neither the Client nor the PIX seem to be recieving IP packets sent by each other.

When dialing in directly from the workstation to the extranet Access Server (eliminating the 1601-R using IP NAT overload) I am able to both establish the IPSec connection and pass IP traffic between the Client and the PIX.

I can only assume that the problem resides within the NAT overloading on the 1601-R. Is there something I should add to it's configuration or to the configuration of the PIX to enable this to work?

Cisco Employee

Re: VPN Client 4.0.1 to PIX 6.3.1 through NAT overload

It sounds like NAT-T is not being negotiated, and you rIPSec traffic is being dropped. Keep in mind that without any NAT-T or IPSec encapsulation, going through a PAT device, you'll be able to build a tunnel successfully but not pass any data (which is what you're seeing). This is because the tunnel negotiation and build is all done with ISAKMP which is UDP port 500 packets that can be PAT'd fine. The actual data is then passed in ESP traffic which is IP protocol 50, which most devices don't PAT properly.

Once the tunnel is built, double click on the padlock icon and make sure Transparent Tunneling is active and is using port 4500, this will tell you whether or not NAT-T is actually working or not. If it isn't, make sure you have the "isakmp nat-traversal" command in the PIX config, this is off by default (you need to be running 6.3 code on the PIX for this also).

Community Member

Re: VPN Client 4.0.1 to PIX 6.3.1 through NAT overload

We have tried similar situation VPN 4.0.1 client and PIX 501 (6.3.1) but doing NAT with an 827 with ADSL in client side..

In this case first connection authenticate PIX, but we cannot do pings to internal network, BUT second connection from another vpn 4.0.1 client authenticate to PIX and works.

If we change PIX 501 (6.3.1) for an Cisco 827 with ADSL and IOS 12.2.13T4 (maintaining the 827 with NAT) we have the same result, first connection authenticate and we can do pings, BUT with second connection we can work.

CreatePlease to create content