topic Re: VPN client behind PIX in Network Security

VPN client behind PIX

molebrian — Mon, 11 Mar 2019 12:26:01 GMT

I have a problem with a vpn client sitting inside a PIX 525 7.2(2). I can connect to the destination concentrator but cannot ping any resources (tested and works fine through little ADSL SOHO kit). After searching here, I added isakmp nat-traversal 20 to the config plus a NAT exemption. I now see clean UDP and TCP traffic in the syslog for this host but I still no replies.....Any help much appreciated as I'm losing hair on this one......

Re: VPN client behind PIX

Alan Huseyin Kayahan — Wed, 02 Apr 2008 14:19:33 GMT

Hi Brian,

Please attach your sanitized config

Regards

Re: VPN client behind PIX

Alan Huseyin Kayahan — Wed, 02 Apr 2008 14:27:29 GMT

Hi Brian,

Please attach your sanitized config

Regards

Re: VPN client behind PIX

cisco24x7 — Wed, 02 Apr 2008 14:30:06 GMT

You need to enable NAT-T on the VPN concentrator. You do not need NAT-T on

the Pix.

Re: VPN client behind PIX

Alan Huseyin Kayahan — Wed, 02 Apr 2008 14:33:23 GMT

Edited... Misunderstood the issue

Re: VPN client behind PIX

cisco24x7 — Wed, 02 Apr 2008 14:34:43 GMT

It is working for me as we speak.

Re: VPN client behind PIX

Alan Huseyin Kayahan — Wed, 02 Apr 2008 14:36:39 GMT

You are right m8, I misunderstood the issue 🙂

Brian, issue the following command in PIX config

fixup protocol pptp 1723

Regards

Re: VPN client behind PIX

cisco24x7 — Wed, 02 Apr 2008 15:10:26 GMT

Cisco VPN client does not use PPTP protocol.

I do not think you need that.

The key here is to look at the configuration

on the VPN concentrator. You need to setup

NAT-T on the VPN concentrator, as follow:

Configuration | Tunneling and Security | IPSec | NAT Transparency

There is a check box for "IPSec over NAT-T".

Check that box and it will work.

Re: VPN client behind PIX

Alan Huseyin Kayahan — Wed, 02 Apr 2008 15:36:20 GMT

"The key here is to look at the configuration

on the VPN concentrator. You need to setup

NAT-T on the VPN concentrator, as follow:

Configuration | Tunneling and Security | IPSec | NAT Transparency

There is a check box for "IPSec over NAT-T".

Check that box and it will work.

Thats correct. I understood just the opposite at my first fast look at the question, thats why I rejected to not to NAT-T at PIX side.

"Cisco VPN client does not use PPTP protocol"

Thats correct too, but I didnt see any statement about Cisco VPN client, thats why I suggested it. But if I recall correct, client shouldnt have been able to establish connection if it was a PPTP client, without the fixup protocol I mention. So most probably it is Cisco VPN client.

Setting NAT-T at concentrator will resolve the issue as you mentioned.

Brian, if still no joy after setting NAT-T in concentrator, we need the config of concentrator.

Re: VPN client behind PIX

molebrian — Thu, 03 Apr 2008 09:18:59 GMT

Thanks folks, I've asked the other side but there is change control to get through before I can test.......I'll keep this updated.