VPN client NAT not connected

egerritsen
Level 1

Hello,

I'm using a Cisco 1721 router to connect to the internet with one public IP address.

Between the LAN and the router is a Cisco PIX 515. On the PIX I use private addresses (inside and outside).

I configured the PIX with the VPN wizard for remote access.

The VPN connection is working fine if I have a direct connection to the internet on my client site (no NAT enabled on the VPN client).

I have configured the 1721 for IPsec passthrough (ESP, UDP).

When I'm connecting from a site behind a firewall, I cannot connect when I enable NAT on the VPN client. If I disable NAT I can connect, but I cannot ping or connect to a server on the remote site.

I've configured NAT traversal on the PIX.

Does anyone have any suggestions for me?

11 Replies

drolemc
Level 6

I'm not clear about your topology and what you are trying to do. If you are trying to configure VPN client to PIX VPN, with a NAT device in between, you should enable IPSec over UDP. Also, if the tunnel setup is fine but there are problems browsing local resources, you should see http://www.cisco.com/warp/customer/471/vpn-net-hood.html

The problem is that, when NAT is enabled on the VPN client, I cannot establish a VPN session to the PIX.

Between them is a Cisco 1721 router with IPsec passthrough.

Hi

From the problem description it looks like this is the topology you are trying to resolve:

VPNclient------Internet-----1721router-----PIX----LAN.

If this is the topology, is the router doing any kind of PAT?

Let me know if you have any queries, and please provide more information.

Deepali

Hi

Yes, the following is in the configuration of the router:

ip nat inside source list 101 interface Dialer0 overload

ip nat inside source static udp x.x.x.x 500 interface Dialer0 500

ip nat inside source static esp x.x.x.x interface Dialer0

Kind regards,

Edwin

Hi,

You may find the following post from the 'Ask the Expert' with Glenn Fullager useful reading:

Nov 4, 2003, 3:27pm PST

Since the PIX is a layer 3 device, you now have the problem of creating another subnet in between the router and PIX. Basically you have to decide where you're going to NAT now, probably best on the router.

So let's turn off NAT in the PIX with:

clear nat

clear global

nat (inside) 0 access-list nonat

access-list nonat permit ip 192.168.1.0 255.255.255.0 any

clear xlate

We need to create a small two-host network in between the router and the PIX now, so on the PIX do:

ip address outside 10.1.1.1 255.255.255.252

route outside 0.0.0.0 0.0.0.0 10.1.1.2

You can then clear your statics out cause the "nat 0" will replace that:

clear static

and since the router is now going to be doing the NAT, we need to change your access-list:

no access-list 101

access-list 101 permit tcp any host 192.168.1.102 eq www

access-list 101 permit tcp any host 192.168.1.102 eq smtp

access-list 101 permit tcp any host 192.168.1.102 eq ftp

access-list 101 permit tcp any host 192.168.1.102 eq 8080

access-list 101 permit tcp any host 192.168.1.102 eq pop3

access-group 101 in interface outside

On the router now, we change the inside interface address and add a route to the 192.168.1.0 network with:

interface faste0

ip address 10.1.1.2 255.255.255.252

ip route 192.168.1.0 255.255.255.0 10.1.1.1

Now on the router set up the NAT'ing:

ip nat inside source static tcp 192.168.1.102 80 interface dialer1 80

ip nat inside source static tcp 192.168.1.102 8080 interface dialer1 8080

ip nat inside source static tcp 192.168.1.102 25 interface dialer1 25

ip nat inside source static tcp 192.168.1.102 ftp interface dialer1 ftp

ip nat inside source static tcp 192.168.1.102 pop3 interface dialer1 pop3

allow any others through that you need, making sure you add a corresponding ACL on the PIX for it

That should be pretty close to what you want. You may need to tweak it a bit and I haven't tested this, but I have set it up a few times before. Basically the router does the NAT'ing now, and NAT's everything to the 192.168.1.102 address as before. This then gets sent through to the PIX across the 10.1.1.0/30 subnet and the PIX just allows it through based on its access-list and "nat 0" statement.

Hope it helps a little...

Sorry,

But I already have NAT on the router and no NAT on the PIX.

So this is not my problem. The problem is that the VPN client cannot connect to the PIX when I am using NAT.

Hi

Thanks for the information. Since your clients are behind the router and they are connecting to a PIX, it is a NAT-T issue.

What NAT-T is when you are using IPSec:

IPSec over TCP/UDP (NAT Transparency) was created to get over the need to have a one-to-one translation. What it does is encapsulate the ESP packet inside TCP or UDP. Since TCP and UDP have no problems going through PAT (because they have ports), this allows ESP to go through PAT too, since ESP will be riding inside TCP/UDP. However, the other side of the VPN tunnel needs to understand that it should be expecting ESP traffic encapsulated inside something else, or this won't work. So whatever device you are connecting to at the remote end will need to understand IPSec over TCP/UDP.

Cisco Router code 12.2(13)T allows IPSec over UDP but not TCP. And the PIX OS 6.3 and higher supports IPSec over UDP.

Cisco VPN client 3.6 and higher supports NAT-T.

NAT-T can also be resolved by doing one-to-one static translation.

Let me know if you have any queries.

Deepali

Hi,

I am using the following code on the router:

flash:c1700-k8sy7-mz.122-15.T9.bin

The PIX is using 6.3 code.

So I think it's not an IOS issue.

There are 3 protocols/ports to be opened:

esp

udp 50

udp 4500

Hi

Please add this command on the PIX:

isakmp nat-traversal 20

Please let me know if this helps.

Thanks,

Deepali

Hi,

I already did that.

A colleague of mine found the solution.

The problem was on the router.

There are translations for UDP 500 and ESP, but when you want to use NAT traversal, you have to add a translation for UDP 4500.

Thanks for helping me out.
