07-13-2009 08:58 AM - edited 03-11-2019 08:54 AM
I have a PIX 501 with an active L2L tunnel on it. I have also just added a remote access VPN, in which I'll be connecting to the inside network with the Cisco VPN client using local authentication. I've got it set up so I can authenticate and get an assigned IP address, but I cannot ping across to the inside network anywhere. I have sysopt enabled, so that is not the issue. I'm not sure if something is conflicting with the L2L tunnel or not. I've attached the config and broken it up to best describe what it's doing. Can someone please advise on what the issue could be?
07-13-2009 10:15 AM
Add...
isakmp nat-traversal
07-13-2009 10:25 AM
That did it!!
Can you explain why that is needed? Appreciate the fix!
07-13-2009 02:45 PM
Hi
During the phase II negotiation there is a separate unidirectional ESP session between the PIX and the VPN client. So when there is NAT involved in the setup, there are issues due to the translation.
To overcome those issues, NAT-T is used.
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i3_72.html#wp1732264
HTH
Ullas
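As an added illustration (not part of this thread or Cisco's code), the following shows how IKE peers discover a NAT on the path using the NAT-D payloads of RFC 3947: each side hashes the address and port it thinks it is using, the receiver recomputes the hash over the address it actually sees, and any mismatch means something in between rewrote the packet. The cookies, addresses and the use of SHA-1 as the negotiated hash are constructed assumptions. It also shows why the PIX doing no NAT itself does not settle the question: a NAT in front of the client triggers NAT-T just as well.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).

    CKY-I / CKY-R are the 8-byte ISAKMP cookies, IP is in network byte order
    and Port is a 2-byte big-endian UDP port. SHA-1 is assumed here as the
    hash negotiated in phase 1 (constructed choice for the example).
    """
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    packed_ip = ipaddress.ip_address(ip).packed
    data = cky_i + cky_r + packed_ip + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


def nat_detected(cky_i: bytes, cky_r: bytes,
                 claimed_ip: str, claimed_port: int,
                 observed_ip: str, observed_port: int) -> bool:
    """Compare the NAT-D hash a peer sent (built from the address it believes
    it has) with one recomputed over the source address actually seen on the
    wire. A mismatch means a NAT rewrote the packet somewhere on the path."""
    sent = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port)
    seen = nat_d_hash(cky_i, cky_r, observed_ip, observed_port)
    return sent != seen


def classify_path(cky_i: bytes, cky_r: bytes,
                  client_private_ip: str, client_ip_seen_by_pix: str,
                  pix_public_ip: str) -> dict:
    """Constructed scenario: a VPN client behind a home router talks to a PIX
    with a public address. Reports which side sits behind a NAT and whether the
    peers must therefore float to UDP/4500 and encapsulate ESP in UDP (NAT-T).
    Port 500 is used on both sides, as in the initial phase 1 exchange."""
    client_natted = nat_detected(cky_i, cky_r,
                                 client_private_ip, 500,
                                 client_ip_seen_by_pix, 500)
    # The client hashes the PIX address it targets; the PIX knows its own
    # address, so the hashes agree unless the PIX itself is behind a NAT.
    pix_natted = nat_detected(cky_i, cky_r,
                              pix_public_ip, 500,
                              pix_public_ip, 500)
    return {"client_behind_nat": client_natted,
            "pix_behind_nat": pix_natted,
            "use_nat_t": client_natted or pix_natted}
```

Without NAT-T, the ESP packets (IP protocol 50) carry no ports for the client's router to track and translate, which is the symptom of a tunnel that authenticates but passes no traffic.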
07-13-2009 03:29 PM
That's where I'm confused. I'm not NAT'ing anything.
07-14-2009 05:54 AM