VPN Client Problems

kerrow
Level 1

I have VPN client Vers. 4.0 and need to connect to a PIX firewall across the internet. The problem I am having is that I can establish a tunnel, but am unable to utilize the application or even ping the application server on the other side. I am behind another PIX firewall, and when I take my local PIX firewall out of the picture I can access the application that I need to upon establishing the tunnel. So it appears something in my local PIX firewall is allowing the establishment of the tunnel, however not allowing anything after the fact.

I have tried a couple of things, "sysopt connection permit-ipsec", ACLs, etc., and still cannot get this to work. I ran into this problem before and changed from PAT to a NAT pool, which for one reason or another fixed my problem; however, this time I do not have the IP addresses available to not run PAT.

3 Replies

Not applicable

The application in question must be opening a return connection to a port that is not pre-defined. That's why when you changed to NAT the application was accessible. Since you are using PAT, you will not be able to connect to applications that operate on ports that are not pre-defined.

rjwalani
Cisco Employee

Hi,

You'll have to make sure that the PIX firewall to which you are establishing a tunnel has the image 6.3.x which supports the NAT-T feature. This feature will allow you to connect using a vpn client which is behind a device doing PAT.

You'll have to enable NAT-T. The command is

isakmp nat-traversal

More details can be found at

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1027312

On the local PIX make sure that you open up UDP 4500 (used by NAT-T).

Thanks

Ranjana
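
Added example, not from this thread or from Cisco: a small Python classifier for the UDP/4500 framing that NAT-T uses (RFC 3948), which is handy when checking whether the local PIX is actually passing IKE and UDP-encapsulated ESP once port 4500 is opened. The sample datagrams below are constructed for the example.

```python
import struct

# RFC 3948: on UDP/4500, an IKE message is prefixed with four zero bytes
# (the "Non-ESP Marker"); anything else is ESP-in-UDP, where the first
# four bytes are the ESP SPI (which is never zero). A one-byte 0xFF payload
# is a NAT keepalive.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_HEADER_LEN = 28  # ISAKMP header: SPIs(16) + NP, Ver, Exch, Flags, MsgID(4), Length(4)


def classify_nat_t_payload(payload: bytes) -> dict:
    """Classify the payload of a UDP datagram seen on port 4500."""
    if payload == b"\xff":
        return {"kind": "keepalive"}
    if len(payload) < 4:
        return {"kind": "invalid", "reason": "shorter than 4 bytes"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "invalid", "reason": "truncated IKE header"}
        ispi, rspi = struct.unpack("!QQ", ike[:16])
        _np, version, exch_type, _flags, _msg_id, length = struct.unpack("!BBBBII", ike[16:28])
        return {
            "kind": "ike",
            "major_version": version >> 4,   # 1 = IKEv1 (what PIX 6.3 speaks)
            "exchange_type": exch_type,      # IKEv1: 2 = Main Mode, 4 = Aggressive
            "length": length,
            "initiator_spi": ispi,
        }
    if len(payload) < 8:
        return {"kind": "invalid", "reason": "truncated ESP header"}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}


# Constructed sample datagram payloads (not captured traffic).
SAMPLE_KEEPALIVE = b"\xff"
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!QQBBBBII", 0x1122334455667788, 0, 1, 0x10, 2, 0, 0, IKE_HEADER_LEN
)
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16

if __name__ == "__main__":
    for name, pkt in [("keepalive", SAMPLE_KEEPALIVE), ("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP)]:
        print(name, classify_nat_t_payload(pkt))
```

If the tunnel comes up but only "ike" datagrams ever reach the remote side, the "esp" datagrams are what the local PIX is dropping.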

mklaphek
Level 1

I believe that PIX code 6.3 has a fix for this... Try the command "isakmp nat-traversal". I have never tested it, but if I understand it correctly, it should work.

Has anyone used this command?

HTH

Mike
