
New Member

VPN Pix 501 issue

attempting to configure the following.

h - p1 - I - p2

h - host

p1 - 501 PIX (I control)

I - Internet

p2 - Cisco Device with VPN enabled.

I can VPN from home into p1 and establish a connection; however, when I am behind p1 and attempt to VPN to p2, I can establish a connection but can't pass traffic. I have PAT running on my pix (p1).

I understand that I should not have the 101 ACLs configured the way they are currently, just trying to rule out that my ACLs were not blocking.

Thanks

-T-

Does the 501 allow this functionality?

11 REPLIES
Green

Re: VPN Pix 501 issue

What device is p2? If it is a pix you need the command isakmp nat-traversal. Whatever it is needs nat-t.

New Member

Re: VPN Pix 501 issue

Unfortunately I have no control over p2; this is a customer's device. I do not have a VPN tunnel connecting the two devices, I just want to be able to use the Cisco client from inside p1 and connect to p2.

I am able to connect if I remove p1 and replace it with a Linksys. P1 is not allowing something... I just don't know what it is.

Green

Re: VPN Pix 501 issue

tstrunce, that is not necessarily the case. I understand you are not tunneling between the devices. Since your pix is doing PAT, you must be able to do nat-traversal from your client. This means your client must be configured and the remote end point must be configured for nat-t. Your pix is not blocking anything.

Another option is to do "fixup protocol esp-ike" on your pix, this will allow for one vpn connection and one only. You will also not be able to terminate vpn's on your pix.

A one to one static on your client will help as well if you have an extra ip address.

New Member

Re: VPN Pix 501 issue

ok, I understand now... PAT is the issue.

fixup protocol esp-ike is not an option because I need users to be able to VPN in. I've seen this command before in the past, just didn't understand what it did.

How does a 1 to 1 static work? I understand that I would need another external IP address on my side however would the other IP address be the external interface on p2?

BTW...thanks so much for the response!

Green

Re: VPN Pix 501 issue

It works like this... basically it would NAT the client 192.168.1.1 to 1.1.1.1, not PAT, therefore allowing you to connect.

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255
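As an added illustration (not part of this thread or any Cisco code), the following Python toy models the point made two replies up and the 1:1 static above: PAT rewrites ports, ESP has none, so plain PAT can track at most one inside IPsec host (what "fixup protocol esp-ike" does), while ESP-in-UDP 4500 (NAT-T) or a dedicated static address lets several clients through. The addresses, the gateway and the class/function names are constructed for the example.

```python
# Toy model (added here, not from the thread or Cisco) of the point above:
# PAT rewrites ports, ESP has none, so only one inside host can use plain
# IPsec through a single public IP; UDP 4500 (NAT-T) or a 1:1 static fixes it.
from dataclasses import dataclass, field
from typing import Optional

OUTSIDE_IP = "203.0.113.1"  # constructed: the PIX's one public address

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "udp" or "esp"
    sport: Optional[int] = None   # ESP carries an SPI but no ports
    dport: Optional[int] = None

@dataclass
class Pat:
    esp_ike_fixup: bool = False   # models 'fixup protocol esp-ike'
    statics: dict = field(default_factory=dict)  # inside ip -> dedicated public ip
    udp_table: dict = field(default_factory=dict)
    esp_owner: Optional[str] = None
    next_port: int = 1024

    def outbound(self, p):
        """Translate an inside->outside packet, or return None if PAT cannot."""
        if p.src in self.statics:  # 1:1 static: no ports needed, any protocol
            return Packet(self.statics[p.src], p.dst, p.proto, p.sport, p.dport)
        if p.proto == "udp":       # per-host source ports keep flows distinct
            key = (p.src, p.sport)
            if key not in self.udp_table:
                self.udp_table[key] = self.next_port
                self.next_port += 1
            return Packet(OUTSIDE_IP, p.dst, "udp", self.udp_table[key], p.dport)
        if p.proto == "esp" and self.esp_ike_fixup and self.esp_owner in (None, p.src):
            self.esp_owner = p.src  # the fixup admits exactly one inside host
            return Packet(OUTSIDE_IP, p.dst, "esp")
        return None                # plain PAT has no port to rewrite in ESP

def ipsec_client_works(pat, inside_ip, gateway="198.51.100.9", nat_t=True):
    """Return (ike_ok, data_ok): IKE on UDP 500 translates either way; the
    data plane is ESP (no NAT-T) or ESP-in-UDP 4500 (NAT-T)."""
    ike = pat.outbound(Packet(inside_ip, gateway, "udp", 500, 500))
    data = (Packet(inside_ip, gateway, "udp", 4500, 4500) if nat_t
            else Packet(inside_ip, gateway, "esp"))
    return ike is not None, pat.outbound(data) is not None

if __name__ == "__main__":
    print(ipsec_client_works(Pat(), "192.168.1.10", nat_t=False))  # (True, False)
```

The (True, False) result is the symptom from the original post: IKE completes, so the client "connects", but no ESP data passes until NAT-T, the esp-ike fixup or a static is in place.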

New Member

Re: VPN Pix 501 issue

so basically

static (inside,outside) <global_ip> <local_ip> netmask <32-bit>

which would be a specific single host surfing the internet using NAT.

Green

Re: VPN Pix 501 issue

Yes.

Green

Re: VPN Pix 501 issue

You could also try "isakmp nat-traversal" in your pix. I have heard this may help, but not in my experience. Make sure you have enabled transparent tunneling in your vpn client config, udp 4500.

New Member

Re: VPN Pix 501 issue

I'll give the isakmp nat-traversal a try... I wasn't aware of enabling transparent tunneling in my VPN client config, UDP 4500.

Green

Re: VPN Pix 501 issue

I think it's usually enabled by default. IPsec over UDP on the Transport tab. Can you find out if the remote site device is allowing nat-t?

New Member

Re: VPN Pix 501 issue

yes, but it will take some time for them to get back to me :(

calling them and waiting for a call back
