Cisco Support Community

New Member

IPSec VPN between PIX and Cisco VPN Client

Hi, all

I have a problem deploying Remote Access VPN between PIX (PIX OS 6.3(4)) and Cisco VPN Client 5.0.00.0340.

The current situation is I have IPSec tunnel established, I can see with the capture tool that ICMP Echo packets are coming from Remote VPN Client through the IPSec tunnel to PIX, next PIX forwards them into the inside interface towards the destination host. Then I see ICMP Echo Reply packets returning from the destination host, and the last thing that PIX has to do is forward the ICMP Echo Reply packets into the tunnel towards the Remote VPN Client, but PIX doesn't do this.

I think I have all the stuff configured properly:

1) I have nat (inside) 0 statement to avoid Network Address Translation (NAT) on the IPSec packets.

2) I have sysopt connection permit-ipsec.

3) I have isakmp nat-traversal 20 statement.

4) I don't have any access lists to filter traffic on the inside interface.

So, to me, it looks like a bug. I have looked through the bug tool on cisco.com, but I haven't found any similar bugs. Maybe somebody has already faced a similar problem or knows how to fix that problem; any help would be greatly appreciated.

Thanks in advance.

11 REPLIES
New Member

Re: IPSec VPN between PIX and Cisco VPN Client

Post the relevant part of your config.

New Member

Re: IPSec VPN between PIX and Cisco VPN Client

I attached the relevant part of the config.

New Member

Re: IPSec VPN between PIX and Cisco VPN Client

What is the IP of the host and what is its default gw?

New Member

Re: IPSec VPN between PIX and Cisco VPN Client

Hi,

The IP address of the host that I'm trying to ping is 192.168.211.9/24 with the default gw 192.168.211.1. As you can see from the config, PIX has a route to that network: route inside 192.168.211.0 255.255.255.0 192.168.210.2. And as I have already said, I can see with the PIX capture tool that packets go out from the inside interface towards that IP, and they are coming back from that host, but unfortunately PIX doesn't put them into the IPSec tunnel (counters of the encrypted packets don't increase). And I don't know why.

New Member

Re: IPSec VPN between PIX and Cisco VPN Client

As long as the pix can route to it you should have no problem. I have plenty of the exact same configs in place right now.

I would upgrade to 6.3(5) then call the TAC if you are still having issues.

New Member

Re: IPSec VPN between PIX and Cisco VPN Client

Yeah, I think there's nothing left to do but try to replace the current version 6.3(4) of the PIX OS with a new one (6.3(5)). But I'm wondering if anybody else had problems deploying Remote Access VPN with version 6.3(4) of the PIX OS, or I'm the one who is so lucky.

New Member

Re: IPSec VPN between PIX and Cisco VPN Client

I am using PIX OS 6.3(5). And I am faced with exactly the same problem. Have you found any solution yet?

New Member

Re: IPSec VPN between PIX and Cisco VPN Client

No. I was hoping that after replacing the software with version 6.3(5) of the PIX OS everything would be OK, but now I don't know what to do... maybe downgrade the software... Have you tried any other versions of the PIX OS? Which version of the Cisco VPN client do you use?

I have tried versions 5.0.00.0340 and 4.8.01.0300, but the results were the same.

New Member

Re: IPSec VPN between PIX and Cisco VPN Client

I had omitted some lines in the config. However, using PIX OS 6.3(5) and VPN client 3.6.6, the tunnel works well. So just upgrade the OS to 6.3(5) and it should work out fine.

New Member

Re: IPSec VPN between PIX and Cisco VPN Client

Hi,

PIX is a stateful firewall, that's why ping will not be allowed unless and until you give permission in PIX. If you have configured VPN then try to ping from an inside machine; I hope it will work. If it is not working, please provide the diagram with all IP addresses.

New Member

Re: IPSec VPN between PIX and Cisco VPN Client

Finally, I have solved that problem. The problem was that there were two IPSec tunnels on the outside interface - one for L2L VPN and one for Remote VPN Client, but there was only one access-list that was used by both nat (inside) 0 and crypto map for L2L VPN at the same time. So, I guess the PIX just put the packets into the L2L VPN tunnel instead of the Cisco VPN Client tunnel, or simply dropped them because of this misconfiguration.

http://cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

"Do not use ACLs twice. Even if your NAT Exemption ACL and crypto ACL specify the same traffic, use two different access lists."
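As an added illustration of the root cause found above (example code written for this page, not from the thread or from Cisco), the following check parses a PIX 6.3-style configuration and reports any access-list that is referenced both by a NAT exemption statement (`nat (...) 0 access-list <name>`) and by a crypto map (`crypto map <map> <seq> match address <name>`). The two sample configs, the ACL names, the subnets and the VPN client pool 192.168.250.0/24 are constructed for illustration.

```python
import re
from collections import defaultdict

# PIX 6.3 syntax: 'nat (inside) 0 access-list <acl>' and
# 'crypto map <map> <seq> match address <acl>'
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)")
CRYPTO_RE = re.compile(r"^crypto\s+map\s+(\S+)\s+\d+\s+match\s+address\s+(\S+)")


def find_shared_acls(config_text: str) -> dict:
    """Return {acl_name: [crypto map names]} for every ACL that is used
    both as a NAT exemption ACL and as a crypto ACL (the misconfiguration
    the linked tech note warns against)."""
    nat0_acls = set()
    crypto_acls = defaultdict(list)
    for line in config_text.splitlines():
        line = line.strip()
        m = NAT0_RE.match(line)
        if m:
            nat0_acls.add(m.group(1))
            continue
        m = CRYPTO_RE.match(line)
        if m:
            crypto_acls[m.group(2)].append(m.group(1))
    return {acl: maps for acl, maps in crypto_acls.items() if acl in nat0_acls}


# Constructed sample: one ACL shared by nat 0 and the L2L crypto map entry,
# so client-pool traffic is never exempted from NAT and the L2L entry
# competes with the dynamic (Remote VPN Client) entry for the return traffic.
BAD_CONFIG = """
access-list vpn permit ip 192.168.211.0 255.255.255.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list vpn
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
"""

# Constructed sample: separate ACLs. The NAT exemption ACL covers both the
# L2L network and the client pool; the crypto ACL covers only the L2L network.
GOOD_CONFIG = """
access-list nonat permit ip 192.168.211.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list nonat permit ip 192.168.211.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list l2l permit ip 192.168.211.0 255.255.255.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list nonat
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address l2l
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
"""

if __name__ == "__main__":
    print("shared ACLs in bad config:", find_shared_acls(BAD_CONFIG))
    print("shared ACLs in good config:", find_shared_acls(GOOD_CONFIG))
```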
