06-16-2005 09:46 AM
VPN Client -> PIXw/PAT -> VPN Server
VPN Client Source 10.1.1.153 - internal address
VPN Server Destination 69.245.9.1 - external address
Source is trying to send ipsec traffic through a FW1 that does PAT. The internal ip address/port (10.1.1.153:500) is translated to 64.240.1.2:15.
The Destination is receiving the traffic and replying back to 66.240.1.2:15 according to sniffer. However, I do not see the traffic from the destination passing the FW1.
Help would be appreciated!
Thanks,
E
06-16-2005 10:54 AM
Does the PIX have isakmp nat-traversal enabled? That said, if you do not see traffic passing through the FW1, then it sounds like you have an FW1 problem
06-16-2005 11:26 AM
I do have isakmp nat-traversal. What should I check on the FW?
Thanks,
E
06-17-2005 05:03 AM
Don't you need to enable some type of encapsulation for the VPN client to work over NAT/PAT? Try enabling IPSec over TCP on both the client and the concentrator.
06-17-2005 05:18 AM
Sorry, when I entered my last post I hadn't read the whole thread. If you use TCP then you'll of course have to change your PAT config on the firewall.
I am wondering if you are really using some type of NAT traversal, because if you are, wouldn't the client be sourcing its packets from some port besides udp500?
06-17-2005 06:44 AM
VPN Client is using NAT-T. I've set up isakmp nat-traversal on the firewall.
Should I set up a static PAT to limit the outside address to port 500, such as:
static (inside,outside) udp outsideip 500 insideip 500 netmask 255.255.255.255 0 0
Thanks,
E
06-17-2005 10:30 AM
If you are using UDP NAT traversal on the VPN client, it connects to the concentrator first on UDP 500, which is covered in your static. It then needs to connect to UDP 4500, which you don't have a static for. Since you can't translate both inside ports (500 and 4500) to the same outside port (15), you will need two statics.
Try:
static (inside,outside) udp outsideip 15 insideip 500 netmask 255.255.255.255
static (inside,outside) udp outsideip 16 insideip 4500 netmask 255.255.255.255
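The two-static answer above, modelled as an added example (Python written for this page, not code from the thread or from Cisco): it parses static lines in the form quoted here, checks that no two inside ports share one outside port, and simulates the NAT-T reply path for UDP 500 and 4500 using the addresses from the thread. The PAT lookup is a simplified model, not PIX behaviour in full.

```python
# Added example (not from the thread): a simplified model of PIX static PAT lookups,
# showing why a NAT-T client needs statics for both UDP 500 and 4500 and why the
# two cannot share one outside port. Illustrative Python, not PIX code.
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticPat:
    """One 'static (inside,outside) udp OUTIP OPORT INIP IPORT ...' entry."""
    outside_ip: str
    outside_port: int
    inside_ip: str
    inside_port: int

def parse_static(line):
    """Parse the simple PIX 6.x UDP static form quoted in the thread."""
    p = line.split()
    if p[:3] != ["static", "(inside,outside)", "udp"] or len(p) < 7:
        raise ValueError(f"unsupported static line: {line!r}")
    return StaticPat(p[3], int(p[4]), p[5], int(p[6]))

def validate(statics):
    """Reject two statics that map different inside ports to one outside port."""
    seen = {}
    for s in statics:
        key, target = (s.outside_ip, s.outside_port), (s.inside_ip, s.inside_port)
        if seen.setdefault(key, target) != target:
            raise ValueError(f"outside port {s.outside_port} already maps to {seen[key]}")
def translate_out(statics, inside_ip, inside_port):
    """Outbound: inside ip:port -> outside port, or None if no static covers it."""
    for s in statics:
        if (s.inside_ip, s.inside_port) == (inside_ip, inside_port):
            return s.outside_port
    return None
def untranslate_in(statics, outside_port):
    """Inbound reply to PAT-address:outside_port -> (inside ip, port), or None if dropped."""
    for s in statics:
        if s.outside_port == outside_port:
            return (s.inside_ip, s.inside_port)
    return None

def simulate_nat_t(statics, client_ip="10.1.1.153"):
    """NAT-T client talks from UDP 500 first, then floats to UDP 4500. For each port:
    translate outbound, let the server reply to that outside port, check it maps back."""
    outcome = {}
    for inside_port in (500, 4500):
        out_port = translate_out(statics, client_ip, inside_port)
        reply = None if out_port is None else untranslate_in(statics, out_port)
        outcome[inside_port] = reply == (client_ip, inside_port)
    return outcome
```

With only the port-500 static, simulate_nat_t reports {500: True, 4500: False}; adding the port-16/4500 static makes both True, and validate raises if both inside ports are pointed at outside port 15.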