09-08-2003 12:36 PM - edited 02-20-2020 10:58 PM
I have VPN client Vers. 4.0 and need to connect to a PIX firewall across the internet. The problem I am having is that I can establish a tunnel, but am unable to utilize the application or even ping the application server on the other side. I am behind another PIX firewall, and when I take my local PIX firewall out of the picture I can access the application that I need to upon establishing the tunnel. So it appears something in my local PIX firewall is allowing the establishment of the tunnel, but not allowing anything after the fact.
I have tried a couple of things, "sysopt connection permit-ipsec", ACLs, etc., and still cannot get this to work. I ran into this problem before and changed from PAT to a NAT pool, which for one reason or another fixed my problem; however, this time I do not have the IP addresses available to not run PAT.
09-12-2003 12:41 PM
The application in question must be opening a return connection to a port that is not pre-defined. That's why when you changed to NAT the application was accessible. Since you are using PAT you will not be able to connect to applications that operate on ports that are not pre-defined.
09-14-2003 11:30 PM
Hi,
You'll have to make sure that the PIX firewall to which you are establishing a tunnel has the image 6.3.x, which supports the NAT-T feature. This feature will allow you to connect using a VPN client which is behind a device doing PAT.
You'll have to enable NAT-T. The command is
isakmp nat-traversal
More details can be found at
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1027312
On the local PIX, make sure that you open up UDP 4500 (used by NAT-T).
Thanks
Ranjana
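An added example (not written by any poster in this thread): a Python sketch that labels raw IPv4 packets from a capture taken between the VPN client and the remote peer, to confirm whether tunnel data is leaving as native ESP (IP protocol 50, which has no ports for PAT to translate) or as ESP wrapped in UDP 4500 once NAT-T is enabled. The payload checks follow RFC 3948; the function names, sample packets, addresses and SPI are constructed for illustration.

```python
import struct
from collections import Counter

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet seen between the VPN client and the remote peer."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "malformed"
    if pkt[9] == 50:                      # IP protocol 50 = ESP, no ports for PAT to rewrite
        return "esp-native"
    if pkt[9] != 17 or len(pkt) < ihl + 8:
        return "other"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data = pkt[ihl + 8:]
    if 4500 in (sport, dport):
        if data == b"\xff":
            return "natt-keepalive"       # one-byte NAT keepalive (RFC 3948)
        if data[:4] == b"\x00\x00\x00\x00":
            return "ike-udp4500"          # non-ESP marker precedes IKE on port 4500
        return "esp-in-udp" if len(data) >= 8 else "other"
    return "ike-udp500" if 500 in (sport, dport) else "other"

def verdict(packets) -> str:
    """Summarise a capture: is tunnel data actually riding on NAT-T?"""
    seen = Counter(classify(p) for p in packets)
    if seen["esp-in-udp"]:
        return "nat-t-active"
    if seen["esp-native"]:
        return "esp-without-nat-t"        # tunnel negotiates, data path breaks behind PAT
    if seen["ike-udp500"] or seen["ike-udp4500"]:
        return "ike-only"
    return "no-vpn-traffic"

# Constructed sample packets (addresses and SPI are made up; checksums left at zero).
def ipv4(proto: int, body: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return hdr + body

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

ESP = struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16   # SPI, sequence, dummy ciphertext
BEFORE = [ipv4(17, udp(500, 500, b"\x11" * 28)), ipv4(50, ESP)]
AFTER = [ipv4(17, udp(500, 500, b"\x11" * 28)),
         ipv4(17, udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),
         ipv4(17, udp(4500, 4500, ESP)),
         ipv4(17, udp(4500, 4500, b"\xff"))]
```

A result of `esp-without-nat-t` matches the symptom in the original question: IKE on UDP 500 completes, but the data packets are protocol 50 and do not survive the PAT device.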
09-23-2003 12:08 PM
I believe that PIX code 6.3 has a fix for this... Try the command "isakmp nat-traversal". I have never tested it, but if I understand it correctly, it should work.
Has anyone used this command?
HTH
Mike