Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Ipsec tunnel from Microsoft client to PIX515 through NAT

Hi,

we want to establish a remote access connection from a Microsoft Windows 2000 client to a PIX515. We have an access router in front of the pix. This router is doing static nat. When the remote client connects to the PIX directly, it establishes the ipsec connection and we are able to transmit icmp packets and pptp.

When we connect to pix going through the cisco 2600 it establishes the security association but we can´t neither transmit icmp nor pptp packets to the remote client. The pix decrypts packets but it doesn´t encrypt any.

When i do a show crypto sa I get the following:

local ident (addr/mask/prot/port): (195.53.117.57/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (212.87.222.149/255.255.255.255/0/0)

current_peer: 212.87.222.149:500

dynamic allocated peer ip: 0.0.0.0

PERMIT, flags={}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 64, #pkts decrypt: 64, #pkts verify 64

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 192.168.120.2, remote crypto endpt.: 212.87.222.149

path mtu 1500, ipsec overhead 56, media mtu 1500

current outbound spi: 78249b94

inbound esp sas:

spi: 0x9f4713ab(2672235435)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 1, crypto map: mymap

sa timing: remaining key lifetime (k/sec): (4607993/28642)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x78249b94(2015665044)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 2, crypto map: mymap

sa timing: remaining key lifetime (k/sec): (4608000/28642)

IV size: 8 bytes

replay detection support: Y

Why I don´t get any answer when i establish the ipsec connection through the router doing nat though the ipsec sa is created?

Any ideas?

Thanks in advance,

Regards,

Nuria

  • VPN
2 REPLIES
Silver

Re: Ipsec tunnel from Microsoft client to PIX515 through NAT

For starters have a look at the document at http://www.cisco.com/warp/customer/707/ipsecnat.html. It deals with a setup where a device between the endpoints is NAT'ting as is the case in your setup. You need to configure your devices taking into account that the addresses are being translated along the way.

New Member

Re: Ipsec tunnel from Microsoft client to PIX515 through NAT

When establishing IPSec connection through the router which performs NAT you should use transform sets which don't utilize authentication header or hashing. You can use pure DES, 3DES and so on.

As for the your case you are trying use md5 hash:

inbound esp sas:

...

transform: esp-des esp-md5-hmac ,

162
Views
0
Helpful
2
Replies