10-16-2002 03:51 PM - edited 02-20-2020 10:18 PM
Trying to VPN into work through my home PIX running 6.2.2 code to the work PIX running 6.0.1 code. I am currently using the 3000 client v3.6.1. At home, I am running cable so I only have 1 outside addy (which is dynamic).
What I did notice is that the home PIX is changing my source port during ISAKMP to something other than 500. This is obviously where this is failing.
I decided to try to static PAT the udp 500 port on the home PIX with the following command:
static (inside,outside) udp interface 500 192.168.x.x 500
The above command allows me to establish a connection, but I am unable to pass traffic. In the home PIX log, I see:
%PIX-3-305006: Regular translation creation failed for 50 src outside:<outside IP addy> dst inside:<inside IP addy>
Looks kinda like it's trying to create a translation for ESP *shrug*
As a side note, I have my Linksys NATer working just fine in this scenario. The Linksys calls this IPSEC passthru.
Any ideas? TIA :)
10-17-2002 11:31 PM
I have the same problem. I'm finding that IPSEC Passthru is not yet available for the PIX firewall. I think it's sad that crappy routers like Linksys and Dlink have fixes, but an internet giant like Cisco does not.
What I do is create a one-to-one static entry as follows:
static (inside,outside) interface 192.168.x.x
This should work for your VPN client; however, all global PATs will stop working until you remove the static command and clear xlate.
Please please please let me know if you find a better solution.
10-18-2002 10:21 AM
Yup. You can't do a "static PAT" on an IP protocol on the PIX yet. You can do it in the IOS.
Funny thing is, I've never had a problem with my UGATE 3000. I've had it for about 2 years now.
How exactly is Cisco positioning the PIX501 at home users with silly issues like this? *boggle*
10-18-2002 03:03 PM
The VPN 3000 will handle any ISAKMP source port. Implementations that do not are broken.
The problem is that the PIX will not do PAT for ESP packets (but will do NAT). Set the VPN 3000 client and server to do NAT over UDP (a small checkbox on the server and client) and it will work fine through the PIX. The feature is sometimes called NAT Traversal.
IPSEC passthru will appear in a future PIX release.
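To illustrate the point made above about PAT, ESP and NAT Traversal, here is an added example (not from any poster in this thread and not Cisco code): a toy PAT table that multiplexes one outside address on source port, so it can translate UDP/500 ISAKMP but has nothing to rewrite for IP protocol 50, and a NAT-T style encapsulation that wraps the ESP packet in UDP/4500 so ports exist again. All addresses, SPIs and payloads are constructed samples.

```python
import struct
import socket

UDP, ESP = 17, 50
NAT_T_PORT = 4500  # UDP port used for NAT-Traversal encapsulation of ESP

def ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 header (no options, checksum left 0; constructed sample)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def esp(spi, seq, payload):
    return struct.pack("!II", spi, seq) + payload

def parse(pkt):
    """Return the fields a PAT device keys on: protocol, addresses and, if any, ports."""
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    body = pkt[(pkt[0] & 0x0F) * 4:]
    if proto == UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}
    if proto == ESP:
        return {"proto": proto, "src": src, "dst": dst, "spi": struct.unpack("!I", body[:4])[0]}
    return {"proto": proto, "src": src, "dst": dst}

class PatTable:
    """One outside address shared by many inside hosts, multiplexed on source port."""
    def __init__(self, outside_ip):
        self.outside, self.next_port, self.xlate = outside_ip, 1024, {}

    def translate(self, pkt):
        h = parse(pkt)
        if "sport" not in h:
            # ESP carries an SPI, not ports: nothing for PAT to rewrite, so the
            # translation cannot be created (the protocol 50 failure seen in the log)
            return None
        key = (h["proto"], h["src"], h["sport"])
        if key not in self.xlate:
            self.xlate[key] = self.next_port
            self.next_port += 1
        return (self.outside, self.xlate[key])

def nat_t_encapsulate(esp_pkt):
    """Wrap the ESP payload in UDP/4500 so a PAT device has a port field to translate."""
    h = parse(esp_pkt)
    return ipv4(UDP, h["src"], h["dst"], udp(NAT_T_PORT, NAT_T_PORT, esp_pkt[20:]))
```

Run translate() on a plain ESP packet and it returns None; run it on the same packet after nat_t_encapsulate() and a translation is allocated like any other UDP flow.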
10-20-2002 07:39 PM
I'm a bit confused.
I do understand that the PIX won't "static PAT" ESP packets, but I'm not sure what you mean by "server". There is no server. The tunnel terminates on the PIX.
As for setting the IPSEC over UDP setting on the client, that does not work either. How would the PIX know how to use IPSEC over UDP? It only knows about ESP packets for the encrypted traffic.