08-13-2005 09:03 AM - edited 02-21-2020 12:19 AM
I have set up VPN client access to my PIX 515 running version 6.2(1). My problem is as follows:
When I use a PSTN dial-up connection from my laptop and then run the VPN client, I can connect to my PIX with no problem and can also access the internal network. But when I try to connect to the PIX using the same VPN client from behind another PIX (running version 6.3(4)), I cannot connect; I get a "peer not responding" message on the VPN client.
Can someone please explain what I am missing here, or do I need to enable some command on the PIX which is running 6.2(1) code?
I have NAT-T enabled on my PIX with 6.3(4) code but cannot find any references to NAT-T for PIX with 6.2(1) code! Could this be the problem? If so, are there any solutions?
PS. I am using VPN client version 4.0.1 (Rel)
I really need this up and running ASAP, so any help will be much appreciated. Also, I cannot upgrade the 515 to 6.3(4) as the customer does not want to!
Many thanks for your assistance.
08-14-2005 01:48 AM
Did you implement the "sysopt connection permit-ipsec" command on the PIX with 6.3(4)?
08-14-2005 02:52 AM
Thanks for replying. I have the sysopt connection permit-ipsec command enabled on the 6.3(4) code PIX, as I have several site-to-site VPN connections terminating on this PIX.
My problem is that when I try to connect to my other PIX (6.2(1)) from behind the 6.3(4) code PIX using the VPN client, I cannot connect; I get the "peer not responding" message.
The strange thing is that when I use a dial-up modem connection from my laptop/PC and connect to the Internet, I can run the VPN client and can make a connection to my PIX with 6.2(1) code running! But I cannot do the same when behind the 6.3(4) code PIX.
Is there any command I need to set up on the PIX with 6.2(1) code, so that I can connect to it from behind the PIX with 6.3(4) code?
I am really pulling my hair out on this problem, so any help/suggestions would be very much appreciated. I do need a quick resolution to this.
Thanks for any help.
08-14-2005 04:07 AM
I think you have a PAT issue because the PIX 6.2 doesn't support NAT-T (isakmp nat-traversal).
08-14-2005 05:45 AM
I agree with you that it's a PAT-related issue, but is there any workaround for this? I cannot find any documents!
Thanks -
08-14-2005 09:40 PM
You can use a site-to-site VPN between two PIX.
08-14-2005 11:11 PM
Mehrdad,
Thanks for your reply. Unfortunately, the customer wants access via VPN client when the customer is initiating VPN access from behind another PIX (6.3(4)) to his central PIX, which is running on code 6.2(1). Plus, the customer does not want to upgrade his 6.2(1) PIX.
So, I am a little stuck on this issue and am looking for a workaround or documents for this problem. Is there anything I can configure on the PIX with 6.2(1) running? Or is there no workaround? I'll be surprised if there isn't!
Thanks for all your replies.
08-14-2005 11:22 PM
Why don't you upgrade your Cisco PIX to support NAT-T?