Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2232
Views
0
Helpful
6
Replies

Can't ping remote side in vpn tunnel through a pix 501

support
Level 1
Level 1

‎12-13-2006 08:43 AM - edited ‎03-11-2019 02:08 AM

Hello All,

I have a pix 501 v 6.3(5), connected to my dsl router. When i connect my Netgear "Safenet" vpn client to my endpoint (Dlink 808HV) I can't ping anything on the other side. i have vpn passthru enables for IPSEC & L2TP. When I disconnect the pix from the dsl router, and connect the dsl router to my pc then connect the vpn client all is well. All other PIX functions work fine. I have internet accsess thru it, I have an VPN end point setup on it that I can connect to with the netgear vpn client. It just seems to be giving me grief when trying to do something as simple as passing IPSEC thru it to a vpn endpoint.

Attached is a clean ver of my config

Any ideas / critiques are appreciated.

Labels:
Preview file
5 KB
0 Helpful
6 Replies 6

jim
Level 1
Level 1

‎12-13-2006 11:15 AM

I didnt think you could ping the inside address through a tunnel unless you sourced it outide the other end and back..

--

Sorry i read this wrong the first time. Im looking at your config now

0 Helpful

jim
Level 1
Level 1
In response to jim

‎12-13-2006 01:32 PM

We ran into the same issue with the nortel VPN client behind a 506 pix at a remote office site. What we saw on sniffer traces is the gre packets were not able to come back through the pix even with the fixup command turned on.

Sorry I dont have a answer to this question as we didnt find one either.

0 Helpful

support
Level 1
Level 1
In response to jim

‎12-14-2006 06:29 AM

Thanks for your time I posted additional information from a syslog that i looked at it seem once I connect, and try to ping the remote side I get this in my syslog

12-14-2006 09:14:07 Local4.Error 192.168.2.1 Dec 14 2006 09:14:07: %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:192.168.2.10 dst outside:151.196.142.92

12-14-2006 09:14:06 Local4.Error 192.168.2.1 Dec 14 2006 09:14:06: %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:192.168.2.10 dst outside:151.196.142.92

12-14-2006 09:14:05 Local4.Error 192.168.2.1 Dec 14 2006 09:14:05: %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:192.168.2.10 dst outside:151.196.142.92

12-14-2006 09:14:04 Local4.Error 192.168.2.1 Dec 14 2006 09:14:04: %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:192.168.2.10 dst outside:151.196.142.92

Can you enlighten me on what his message means?

Thanks for any ideas.

0 Helpful

Fernando_Meza
Level 7
Level 7

‎12-13-2006 05:16 PM

Hi this is because your client is using a private IP address which will be NATed out using the Public IP address allocated to your PIX by your service provider. Basically Ipsec conflicts with NAT and here is where a feature known as NAT-Traversal comes in place .. basically you need to find out whether the safnet client supports NAT-traversal and teh you need to open the respective ports on both directions on your PIX. For exmaple Cisco VPN client uses UDP 4500 for NAT-traversal and so opening this port in both directions will allow an inside host to connect to a public VPN server using teh Cisco VPN client.

NOTE: you might also need to open UDP 500 in both ways for the first stage of the tunnel creation

I hope it helps .. please rate if it if it does !!!..

0 Helpful

support
Level 1
Level 1
In response to Fernando_Meza

‎12-14-2006 06:19 AM

Thanks for you time & thoughts. The Netgear "SafeNet" SoftRemote client does support NAT-T. The DLINK 808HV vpn endpoint supports NAT-T. I will have to find out what ports are used. I do get the Netgear client to connect to the DLINK 808HV thru the PIX. I just can't ping any device on the remote side. Additionally I have discovered in my syslog files that when I connect, and try to ping I get the message

12-14-2006 09:14:07 Local4.Error 192.168.2.1 Dec 14 2006 09:14:07: %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:192.168.2.10 dst outside:151.198.142.92

12-14-2006 09:14:06 Local4.Error 192.168.2.1 Dec 14 2006 09:14:06: %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:192.168.2.10 dst outside:151.196.142.92

12-14-2006 09:14:05 Local4.Error 192.168.2.1 Dec 14 2006 09:14:05: %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:192.168.2.10 dst outside:151.196.142.92

12-14-2006 09:14:04 Local4.Error 192.168.2.1 Dec 14 2006 09:14:04: %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:192.168.2.10 dst outside:151.196.142.92

Can you enlighten me on what this error means?

Thanks for you assitance.

0 Helpful

support
Level 1
Level 1
In response to support

‎12-14-2006 07:43 AM

My apologies guys, my mind is warping the syslog error message internal ip address is 192.169.2.? not 192.168.2.?

I know this is an incorrect ip for an internal natted lan, I am changing soon.

Thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card