
New Member

VPN client behind PIX tunneling to second PIX

I need to connect from a v4.x VPN client through a v6.3(x) PIX501 to a v6.3(x) PIX515. When I connect, the VPN client shows the SA created; I get an address etc. pushed to the client, but I can't reach any inside resources. If the VPN client is not behind the first PIX (dialup Internet, for example) then it works as expected. I could/have created a tunnel between the two PIXes, but one customer will not allow that as a solution.

5 REPLIES
Cisco Employee

Re: VPN client behind PIX tunneling to second PIX

Assuming that you're doing PAT on the 501, you need to enable NAT-T on the 515 so that the VPN client and the 515 will auto-negotiate to encapsulate your IPSec ESP packets into UDP packets, which the 501 can then PAT properly.

On the 515 do the following:

isakmp nat-traversal

If changing the config on the 515 is difficult, then you can get the 501 to do PAT for a single IPsec tunnel which may help (assuming you only have the one client behind the 501). On the 501 do the following:

fixup protocol esp-ike

See:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1027312 and

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user/ae.htm#232086

for details. You'll need 6.3 code for these.

New Member

Re: VPN client behind PIX tunneling to second PIX

I'm running 6.3(1) on both, and yes, the 501 is doing PAT. Both have isakmp nat-traversal and I added the fixup to the 501.

When I connect from the client, behind the 501, I get the authentication login from the internal RADIUS server and get authenticated, but no further. I understand this is an IPSec and NAT issue, but just can't nail down the fix.

Any other suggestions?

Cisco Employee

Re: VPN client behind PIX tunneling to second PIX

After the tunnel is up, double-click on the VPN padlock icon and what does the Transparent Tunnelling show as? Inactive? Active? In the client itself do you have "Enable Transparent Tunnelling" checked?

What version of the VPN client are you using? NAT-T was brought in in v3.6 so you need to be running greater than that.

New Member

Re: VPN client behind PIX tunneling to second PIX

Transparent tunneling is active on UDP 4500

Enable Transparent is checked

Running v4.0.3(A), but have tried 3.6.3 and get the same results. I tried tunneling from this one 501 to several of my clients' PIXes and IOS VPN headends and get the same result. I had an ACL on the outside interface to allow ICMP stuff back in, but removing it made no difference, as I expected it would not.

Any more suggestions? I'm willing to try anything at this point.

New Member

Re: VPN client behind PIX tunneling to second PIX

Does your client get encrypted packets? Does the head end device get decrypts? Encrypts? Do you have ACLs on the inside interface of the PIX at your end? What do you get if you set up a packet capture of all traffic to and from the VPN headend IP on the inside interface? Outside interface? Do you see anything in the PIX logs for the traffic?

Just some troubleshooting thoughts :)
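The last reply suggests capturing traffic to and from the headend on the inside and outside interfaces and checking whether encrypted packets flow in both directions. The script below is an added example, not code from the thread or from Cisco: it classifies the UDP/4500 payloads that NAT-T (transparent tunneling) produces, using the RFC 3948 framing rules (a four-zero-byte non-ESP marker in front of IKE, a lone 0xFF byte for a NAT keepalive, otherwise UDP-encapsulated ESP whose first four bytes are the SPI), and then counts ESP in each direction so a one-way tunnel like the one described in this thread stands out. The packet records, IP addresses and SPI values are constructed for the example; the input shape `(src_ip, dst_ip, udp_dport, payload)` is an assumption and is what a small extraction from a pcap would need to provide.

```python
"""Classify IPsec NAT-T (UDP/4500) payloads and detect a one-way tunnel.

Added example, not from the original thread. Framing follows RFC 3948:
  - payload starting with 4 zero bytes (non-ESP marker) -> IKE message
  - payload of a single 0xFF byte                        -> NAT keepalive
  - anything else                                        -> UDP-encapsulated ESP
All sample packets below are constructed.
"""
import struct
from collections import Counter

NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
IKE_HEADER_LEN = 28   # ISAKMP fixed header (RFC 2408)
ESP_HEADER_LEN = 8    # SPI + sequence number (RFC 4303)


def classify_natt_payload(payload: bytes) -> dict:
    """Describe one UDP/4500 payload: kind is 'ike', 'esp', 'keepalive' or 'malformed'."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if len(payload) < ESP_HEADER_LEN:
        return {"kind": "malformed"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "malformed"}
        # Byte 18 of the ISAKMP header is the exchange type (e.g. 32 = quick mode).
        return {"kind": "ike", "exchange_type": ike[18]}
    spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
    return {"kind": "esp", "spi": spi, "seq": seq}


def summarize_capture(packets, client_ip: str, headend_ip: str) -> dict:
    """Count NAT-T traffic between client and headend and give a verdict.

    packets: iterable of (src_ip, dst_ip, udp_dport, payload); only port 4500 is considered.
    """
    counts = Counter()
    for src, dst, dport, payload in packets:
        if dport != 4500:
            continue
        if src == client_ip and dst == headend_ip:
            direction = "client_to_headend"
        elif src == headend_ip and dst == client_ip:
            direction = "headend_to_client"
        else:
            continue
        counts[(direction, classify_natt_payload(payload)["kind"])] += 1

    esp_out = counts[("client_to_headend", "esp")]
    esp_back = counts[("headend_to_client", "esp")]
    if esp_out and not esp_back:
        verdict = "one-way: client sends ESP, nothing encrypted comes back"
    elif esp_out and esp_back:
        verdict = "two-way ESP"
    else:
        verdict = "no ESP seen"
    return {"esp_out": esp_out, "esp_back": esp_back,
            "ike_out": counts[("client_to_headend", "ike")],
            "ike_back": counts[("headend_to_client", "ike")],
            "verdict": verdict}


def _ike(exchange_type: int) -> bytes:
    """Constructed NAT-T IKE packet: non-ESP marker + minimal ISAKMP header."""
    header = (bytes(16)                      # initiator/responder cookies (zero for the sample)
              + bytes([8, 0x10, exchange_type, 0])  # next payload, IKEv1 version, exch type, flags
              + bytes(4)                     # message ID
              + struct.pack("!I", IKE_HEADER_LEN))
    return NON_ESP_MARKER + header


def _esp(spi: int, seq: int) -> bytes:
    """Constructed UDP-encapsulated ESP packet: SPI, sequence, dummy ciphertext."""
    return struct.pack("!II", spi, seq) + bytes(16)


# Constructed inside-interface capture: client 10.0.0.10, headend 203.0.113.5.
# IKE negotiates both ways, but ESP only ever leaves the client.
SAMPLE_PACKETS = [
    ("10.0.0.10", "203.0.113.5", 4500, _ike(32)),
    ("203.0.113.5", "10.0.0.10", 4500, _ike(32)),
    ("10.0.0.10", "203.0.113.5", 4500, _esp(0xC0FFEE01, 1)),
    ("10.0.0.10", "203.0.113.5", 4500, _esp(0xC0FFEE01, 2)),
    ("10.0.0.10", "203.0.113.5", 4500, NAT_KEEPALIVE),
    ("10.0.0.10", "203.0.113.5", 500, bytes(28)),  # plain IKE on 500, ignored here
]

if __name__ == "__main__":
    print(summarize_capture(SAMPLE_PACKETS, "10.0.0.10", "203.0.113.5"))
```

Run against the inside-interface capture and then the outside-interface capture with the PAT address as `client_ip`: if ESP leaves the 501 but never returns, the problem is upstream of the 501 (headend not sending encrypted traffic, or return traffic not matching the PAT translation); if ESP returns on the outside but not on the inside, the 501 is not translating UDP/4500 back to the client.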
