03-05-2005 03:25 AM
Hi there,
I'm using the latest Cisco VPN Client (behind a PIX 501) trying to connect to a remote office using a PIX 515. I'm unable to get an outside connection even though I have
access-list pix_out permit udp host 10.10.1.1 any eq isakmp
Because we're unrelated companies and I'm only a client, neither PIX is configured for a site-to-site VPN.
Is there any other command on my side I need to use in order to connect to the PIX VPN site?
Thanks in advance.
ADSL SOHO - One External Static IP
-----
SOHO PIX 501: inside address 192.168.0.1, outside address 172.16.0.2
ADSL ModemRouter: inside address 172.16.0.1, outside address 80.67.74.134
Office
-----
Cisco RTR: outside address 198.133.219.25, inside address 198.133.219.26
PIX 515: outside address 198.133.219.27, inside address 192.168.10.1
IP addresses used are for example only......
03-07-2005 07:36 PM
Your issue may be due to nat/pat failure of the ipsec vpn session originating on the client. Ask the partner network if their pix 515 can accept ipsec via NAT-T which will use udp port 4500 as well as port 500. If not, then you will need to do a static nat xlate for your client - which may not be possible due to how many public/routable addresses were assigned to you. Using nat-t is the better option - the pix command is isakmp nat-traversal.
On your side, all you need to do is to reconfig the client to use nat traversal (aka nat-t using udp). Then on your pix allow the client to connect to the remote end dest. port 4500 (as well as dest port 500). You can continue to use nat/pat for your client as the ike negotiation will determine that there is a nat/pat device between the two ipsec vpn peers.
Let me know how it proceeds from here.
03-08-2005 01:49 PM
Hi there,
Thanks for your reply. There's good news and bad news.
I can connect using vpn client from myside to PIX 515. Good news!
However, when I connect to my end PIX 501 via VPN client it says Secure VPN Connection terminated locally by the client. Reason 412.
I'm using a Laptop with modem dial-up and no Firewall.
Is there anything I should look out for?
Regards,
Fred
03-08-2005 08:33 PM
Hi Fred:
I guess you should ask the company to enable the split-tunneling on the VPN concentrator.
03-09-2005 01:06 AM
Hi, the PIX 501 is for my home use and this is my config:
access-list inside_outbound_nat0_acl permit ip any 10.1.1.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 10.1.1.0 255.255.255.224
.......
.......
nat (inside) 0 access-list inside_outbound_nat0_acl
.......
.......
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Dmouth address-pool bromley
vpngroup Dmouth dns-server Briscoe 192.8.69.5
vpngroup Dmouth default-domain Test.COM
vpngroup Dmouth idle-time 1800
vpngroup Tenfore-VPN split-tunnel inside_outbound_nat0_acl
vpngroup Dmouth password ***********
Is this config ok?
03-09-2005 04:48 AM
Fred,
Your config looks good, been busy with the PDM eh! :)
Just one thing, I presume you've not included the ras pool command on your post?
> ip local pool raspool 10.1.1.1-10.1.1.10
Jay
03-09-2005 09:51 AM
Yes, that's included in my config.
ip local pool raspool 10.1.1.1-10.1.1.10
What else I might be doing wrong?
Thanks for your reply.
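As an added check (my own example, not code from this thread or from Cisco): a small Python lint that cross-references the vpngroup lines posted above against the `ip local pool` and access-list definitions, and confirms `isakmp nat-traversal` is present as the earlier reply recommended. The config text is a constructed copy of a subset of the posted lines; the value names are the thread's, not a real site's.

```python
import ipaddress
import re

# Constructed for this example from the config lines posted in the thread
# (the "......." gaps are left out); the ip local pool line is the one confirmed later.
PIX_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip any 10.1.1.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 10.1.1.0 255.255.255.224
nat (inside) 0 access-list inside_outbound_nat0_acl
ip local pool raspool 10.1.1.1-10.1.1.10
isakmp nat-traversal 20
vpngroup Dmouth address-pool bromley
vpngroup Dmouth dns-server Briscoe 192.8.69.5
vpngroup Tenfore-VPN split-tunnel inside_outbound_nat0_acl
vpngroup Dmouth password ***********
"""


def lint_vpngroups(config: str) -> list[str]:
    """Return findings for PIX 6.x remote-access config; empty list means consistent."""
    pools, acls, groups = {}, {}, {}
    for line in config.splitlines():
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) permit ip \S+ (\S+) (\S+)", line):
            acls[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}")  # dest net/mask
        elif m := re.match(r"vpngroup (\S+) (\S+)(?: (\S+))?", line):
            name, attr, val = m.groups()
            groups.setdefault(name, {})[attr] = val
    findings = []
    if not re.search(r"^isakmp nat-traversal", config, re.M):
        findings.append("isakmp nat-traversal not enabled; clients behind NAT/PAT need UDP 4500")
    for name, attrs in groups.items():
        if "password" not in attrs:
            findings.append(f"vpngroup {name}: no password (group pre-shared key)")
        pool = attrs.get("address-pool")
        if pool is None:
            findings.append(f"vpngroup {name}: no address-pool")
        elif pool not in pools:
            findings.append(f"vpngroup {name}: address-pool {pool} has no 'ip local pool'")
        acl = attrs.get("split-tunnel")
        if acl is not None and acl not in acls:
            findings.append(f"vpngroup {name}: split-tunnel ACL {acl} is not defined")
        elif acl is not None and pool in pools:
            lo, hi = pools[pool]  # the pool range must fall inside the split-tunnel net
            if lo not in acls[acl] or hi not in acls[acl]:
                findings.append(f"vpngroup {name}: pool {pool} is outside split-tunnel ACL {acl}")
    return findings
```

Every vpngroup attribute that names another object (pool or ACL) has to resolve, and all attributes for one client group must sit under the same group name, otherwise the client negotiating that group never sees them.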