IPsec tunnel from Microsoft client to PIX515 through NAT
We want to establish a remote access connection from a Microsoft Windows 2000 client to a PIX515. We have an access router in front of the PIX. This router is doing static NAT. When the remote client connects to the PIX directly, it establishes the IPsec connection and we are able to transmit ICMP packets and PPTP.
When we connect to the PIX through the Cisco 2600, it establishes the security association but we can transmit neither ICMP nor PPTP packets to the remote client. The PIX decrypts packets but it doesn't encrypt any.
When I do a show crypto sa, I get the following:
local ident (addr/mask/prot/port): (22.214.171.124/255.255.255.255/0/0)
Re: IPsec tunnel from Microsoft client to PIX515 through NAT
For starters, have a look at the document at http://www.cisco.com/warp/customer/707/ipsecnat.html. It deals with a setup where a device between the endpoints is NAT'ting, as is the case in your setup. You need to configure your devices taking into account that the addresses are being translated along the way.
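Added example, not part of the thread: a small Python check that reads saved show crypto sa output and flags any SA showing the symptom from the question, packets decrypted but none encrypted. The sample output is constructed (documentation addresses, made-up counters), and the function names are this example's own.

```python
import re

# Constructed sample in the layout PIX/IOS print for "show crypto ipsec sa"
# (documentation address ranges, made-up counters).
SAMPLE = """\
   local  ident (addr/mask/prot/port): (192.0.2.10/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (198.51.100.7/255.255.255.255/0/0)
   current_peer: 198.51.100.7
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 42, #pkts decrypt: 42, #pkts verify 42

   local  ident (addr/mask/prot/port): (192.0.2.10/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (203.0.113.5/255.255.255.255/0/0)
   current_peer: 203.0.113.5
    #pkts encaps: 17, #pkts encrypt: 17, #pkts digest 17
    #pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19
"""

IDENT = re.compile(r"^\s*(local|remote)\s+ident\s.*?:\s*\(([^)]*)\)")
COUNTER = re.compile(r"#pkts (encrypt|decrypt):\s*(\d+)")


def parse_sas(text):
    """Return one dict per SA; a 'local ident' line starts a new SA."""
    sas = []
    for line in text.splitlines():
        m = IDENT.match(line)
        if m:
            if m.group(1) == "local":
                sas.append({"encrypt": 0, "decrypt": 0})
            if sas:
                sas[-1][m.group(1)] = m.group(2)
            continue
        if sas:
            # Counter lines carry several "#pkts name: n" fields; keep two.
            for name, value in COUNTER.findall(line):
                sas[-1][name] = int(value)
    return sas


def one_way_sas(sas):
    """SAs that decrypt inbound traffic but have never encrypted a packet."""
    return [sa for sa in sas if sa["decrypt"] > 0 and sa["encrypt"] == 0]


if __name__ == "__main__":
    for sa in one_way_sas(parse_sas(SAMPLE)):
        print(f"one-way SA {sa['local']} -> {sa.get('remote')}: "
              f"decrypt={sa['decrypt']} encrypt={sa['encrypt']}")
```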