04-02-2008 06:59 AM - edited 03-11-2019 05:26 AM
I have a problem with a VPN client sitting inside a PIX 525 7.2(2). I can connect to the destination concentrator but cannot ping any resources (tested and works fine through little ADSL SOHO kit). After searching here, I added isakmp nat-traversal 20 to the config plus a NAT exemption. I now see clean UDP and TCP traffic in the syslog for this host but I still get no replies... Any help much appreciated as I'm losing hair on this one...
04-02-2008 08:36 AM
"The key here is to look at the configuration
on the VPN concentrator. You need to set up
NAT-T on the VPN concentrator, as follows:
Configuration | Tunneling and Security | IPSec | NAT Transparency
There is a check box for "IPSec over NAT-T".
Check that box and it will work.
"
That's correct. I understood just the opposite at my first fast look at the question, that's why I rejected to not to NAT-T at PIX side.
"Cisco VPN client does not use PPTP protocol"
That's correct too, but I didn't see any statement about Cisco VPN client, that's why I suggested it. But if I recall correctly, the client shouldn't have been able to establish a connection if it was a PPTP client, without the fixup protocol I mention. So most probably it is Cisco VPN client.
Setting NAT-T at concentrator will resolve the issue as you mentioned.
Brian, if still no joy after setting NAT-T in concentrator, we need the config of concentrator.
04-02-2008 07:19 AM
Hi Brian,
Please attach your sanitized config
Regards
04-02-2008 07:27 AM
Hi Brian,
Please attach your sanitized config
Regards
04-02-2008 07:30 AM
You need to enable NAT-T on the VPN concentrator. You do not need NAT-T on the PIX.
04-02-2008 07:33 AM
Edited... Misunderstood the issue
04-02-2008 07:34 AM
It is working for me as we speak.
04-02-2008 07:36 AM
You are right m8, I misunderstood the issue :)
Brian, issue the following command in PIX config
fixup protocol pptp 1723
Regards
04-02-2008 08:10 AM
Cisco VPN client does not use PPTP protocol.
I do not think you need that.
The key here is to look at the configuration
on the VPN concentrator. You need to set up
NAT-T on the VPN concentrator, as follows:
Configuration | Tunneling and Security | IPSec | NAT Transparency
There is a check box for "IPSec over NAT-T".
Check that box and it will work.
04-03-2008 02:18 AM
Thanks folks, I've asked the other side but there is change control to get through before I can test.......I'll keep this updated.