I need to connect from a v4.x VPN client through a v6.3(x) PIX501 to a v6.3(x) PIX515. When I connect, the VPN client shows the SA created; I get an address etc. pushed to the client, but I can't reach any inside resources. If the VPN client is not behind the first PIX (dialup Internet, for example) then it works as expected. I could create (and have created) a tunnel between the two PIXes, but one customer will not allow that as a solution.
Assuming that you're doing PAT on the 501, you need to enable NAT-T on the 515 so that the VPN client and the 515 will auto-negotiate to encapsulate your IPSec ESP packets into UDP packets, which the 501 can then PAT properly.
On the 515 do the following:
If changing the config on the 515 is difficult, then you can get the 501 to do PAT for a single IPsec tunnel which may help (assuming you only have the one client behind the 501). On the 501 do the following:
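As an added illustration (not part of the original replies), the two alternatives above expressed in PIX 6.3 configuration syntax. The interface name `outside` and the keepalive interval of 20 seconds are assumptions; the point is that NAT-T is configured on the device that terminates the client tunnel, while `fixup protocol esp-ike` is configured on the device doing the PAT.

```cisco
! --- Option A: on the headend 515 (the PIX that terminates the client tunnel) ---
! ISAKMP must be enabled on the Internet-facing interface (name assumed)
isakmp enable outside
! Advertise NAT-T in IKE. The argument is the NAT keepalive interval in
! seconds (20 is an assumed value). When the client and the 515 detect
! the PAT on the 501 they move ESP into UDP/4500, which the 501 can translate.
isakmp nat-traversal 20
! Let decrypted client traffic bypass the outside interface ACL
sysopt connection permit-ipsec

! --- Option B: on the 501 (the PAT box), only if the 515 cannot be changed ---
! Tracks the ISAKMP exchange so that raw ESP (IP protocol 50, no ports)
! can be PATed for a single tunnel. Caveat: with esp-ike enabled the 501
! cannot terminate IPsec itself, so use it only on a pure PAT device.
fixup protocol esp-ike
```

Option A is the cleaner fix because it scales to any number of clients behind the 501 and needs nothing on the 501 beyond ordinary PAT of UDP; option B only covers one ESP tunnel at a time.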
I'm running 6.3(1) on both and yes the 501 is doing PAT. Both have isakmp nat-traversal and I added the fixup to the 501.
When I connect from the client, behind the 501, I get the authentication login from the internal RADIUS server and get authenticated, but no further. I understand this is an IPSec and NAT issue, but just can't nail down the fix.
After the tunnel is up, double-click on the VPN padlock icon and what does the Transparent Tunnelling show as? Inactive? Active? In the client itself do you have "Enable Transparent Tunnelling" checked?
What version of the VPN client are you using? NAT-T was brought in in v3.6 so you need to be running greater than that.
Running v4.0.3(A), but have tried 3.6.3 and get the same results. I tried tunneling from this one 501 to several of my clients' PIXes and IOS VPN headends and get the same result. I had an ACL on the outside interface to allow ICMP stuff back in, but removing it made no difference, as I expected it would not.
Any more suggestions? I'm willing to try anything at this point.
Does your client get encrypted packets? Do the head-end devices get decrypts? Encrypts? Do you have ACLs on the inside interface of the PIX at your end? What do you get if you set up a packet capture of all traffic to and from the VPN headend IP on the inside interface? Outside interface? Do you see anything in the PIX logs for the traffic?
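An added example, not part of the original thread, of how to answer the questions above from the PIX 6.3 CLI. The capture ACL name `capacl`, the capture name `vpncap`, the interface name `inside` and the client pool address 10.1.99.5 are assumptions chosen for illustration.

```cisco
! --- On the 501 (PAT box): did the client actually switch to NAT-T? ---
show xlate
show conn
! Expect a PAT xlate for the client's UDP source port and, in show conn, a
! UDP connection to the headend on port 4500. If only UDP/500 appears,
! NAT-T was never negotiated and the raw ESP is being dropped by PAT.

! --- On the 515 (headend): are packets arriving and being decrypted? ---
show crypto isakmp sa
show crypto ipsec sa
! In the ipsec sa output compare "#pkts decaps" (client -> inside) with
! "#pkts encaps" (inside -> client). decaps rising while encaps stays at 0
! points at the return path (inside routing or inside ACL), not at NAT-T.

! Capture traffic to and from the pool address pushed to the client on the
! inside interface, then read it back and remove the capture when done.
access-list capacl permit ip host 10.1.99.5 any
access-list capacl permit ip any host 10.1.99.5
capture vpncap access-list capacl interface inside
show capture vpncap
no capture vpncap

! Log the ISAKMP/IPsec negotiation if the SA counters never move
logging on
logging buffered debugging
debug crypto isakmp
debug crypto ipsec
show logging
```

Run the capture on the inside interface first: if the client's packets appear there but no replies come back, the problem is on the inside network (a host without a route to the pool, or an inside ACL), and no amount of NAT-T tuning on the 501 will help.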