Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
438
Views
0
Helpful
1
Replies

VPN clients behind NAT boundary

olhcc
Level 1
Level 1

‎11-20-2008 11:01 AM

Recently, our PIX-525 was upgraded from v6.3.5 to v.8.0.4. Since the upgrade, the PIX no longer allows connections from remote access clients that are behind a NAT boundary. Most of our clients are running WinXP or Vista.

I have entered the 'cry isa nat-t 60' command, but connections are still not allowed. Remote access is working correctly for all clients who are not behind a NAT boundary, so the issue is definitely with NAT traversal.

Below is my DefaultRAGroup setup. I am sure that it is something I am mising with reagrds to the new commands present in version 7.0 and above, as I am only used to working with v6.3.

tunnel-group DefaultRAGroup general-attributes

address-pool remote-pool

authentication-server-group (outside) RADIUS

default-group-policy 2

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

tunnel-group DefaultRAGroup ppp-attributes

no authentication chap

no authentication ms-chap-v1

authentication ms-chap-v2

Labels:
0 Helpful
1 Reply 1

andrew.prince
Level 10
Level 10

‎11-21-2008 08:08 AM

You need to allow UDP4500 - NAT-T port thru your NAT boundry.

If you are using any other port or ever ipsec-over-tcp, you need to allow that port thru.

HTH>

0 Helpful
Customers Also Viewed These Support Documents