05-14-2004 05:09 PM - edited 03-09-2019 07:23 AM
The problem I've got is I have a client using Cisco's VPN client. He connects to another server and is going through a PIX 515. The VPN authenticates, but when we try to pull up the web interface for an IBM AS400 it will not go through. Could this be a misconfig on my PIX, or is it an issue with the server being authenticated to?
05-15-2004 06:21 PM
Can the client connect to other services through the tunnel? Can he ping the AS400?
05-17-2004 07:32 AM
Here is the deal, and I just found this out today. If you dial up to the internet and use the Cisco VPN client from a public address it works fine. It is having trouble going through the PIX on a private address. We haven't tried pinging the AS400 yet; I think ICMP is turned off. But we are going to try that, and if this other info helps then I will appreciate anything else you can tell me.
05-17-2004 10:13 AM
Correct. If you are behind a 1-to-many (PAT/NAPT) NAT situation then it will not work. You have to have a 1-to-1 NAT translation for IOS or the firewall at this time. If you have a concentrator you can use IPsec over TCP. The problem lies with the fact that the port information is encrypted, so port address translation doesn't work. In addition to this, for a firewall on a PAT/NAPT setup you need to enable ESP inbound on the public address in your firewall rules.
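To illustrate the point made above, here is an added example (not from anyone in this thread) that models a PAT/NAPT device beside a static 1-to-1 NAT: TCP/UDP flows are keyed by port, but an ESP packet exposes only an SPI and sequence number, so PAT has nothing to rewrite while a 1-to-1 address mapping passes it unchanged. All addresses, ports and packet bytes are constructed for the demonstration.

```python
"""Toy NAT models (added example, constructed data) showing why PAT/NAPT
cannot carry IPsec ESP while static 1-to-1 NAT can."""
import struct
from dataclasses import dataclass, field

ESP, TCP, UDP = 50, 6, 17  # IP protocol numbers

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    payload: bytes  # everything after the IPv4 header

def transport_ports(pkt):
    """(sport, dport) for TCP/UDP; None when the protocol has no port field."""
    if pkt.proto in (TCP, UDP):
        return struct.unpack("!HH", pkt.payload[:4])
    return None

def esp_header(pkt):
    """ESP (RFC 4303) exposes only SPI and sequence number in the clear;
    the inner TCP/UDP header is inside the encrypted payload."""
    return struct.unpack("!II", pkt.payload[:8])

@dataclass
class Napt:
    """1-to-many NAT: many private hosts share one public IP via port mapping."""
    public_ip: str
    base_port: int = 40000
    table: dict = field(default_factory=dict)

    def outbound(self, pkt):
        ports = transport_ports(pkt)
        if ports is None:
            return None  # no port to key the translation on -> packet dropped
        sport, dport = ports
        pub = self.table.setdefault((pkt.src, sport, pkt.proto),
                                    self.base_port + len(self.table))
        return Packet(self.public_ip, pkt.dst, pkt.proto,
                      struct.pack("!HH", pub, dport) + pkt.payload[4:])

def static_nat(pkt, mapping):
    """1-to-1 NAT rewrites only the source address, so any protocol passes."""
    return Packet(mapping[pkt.src], pkt.dst, pkt.proto, pkt.payload)

# Constructed sample traffic: ISAKMP (UDP/500) and an ESP packet (SPI 0x12345678, seq 1)
UDP_PKT = Packet("10.0.0.7", "198.51.100.9", UDP, struct.pack("!HH", 500, 500) + b"\x00" * 8)
ESP_PKT = Packet("10.0.0.7", "198.51.100.9", ESP, struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16)
```

Running `Napt("203.0.113.5").outbound(ESP_PKT)` returns None while `static_nat(ESP_PKT, {"10.0.0.7": "203.0.113.5"})` succeeds, which is the behaviour the post describes.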
05-18-2004 05:35 AM
Thank you much. I will make the necessary changes and see how it works.