Can not VPN from inside to another site

vitancris
Level 1

I am trying to VPN from my site to another site via the VPN client and I can not do it.

The two sites are not on the same network.

I can use Citrix to connect to other site that we work with but not VPN.

Is there a restriction on the Firewall 515e that stops me from talking to remote companies from my internal LAN?


12 Replies

aacole
Level 5

No restriction, but your sites need to know how to be able to route to the IP range you have assigned to the VPN client. If you have an internal router then adding a static route pointing to the Client IP range via the inside of the PIX may fix this, redistribute the static into your IGP.

Let me know if this helps, if not get back with some more details of configuration etc.

Andy

Hi Andy,

Thank you for the reply. But the two companies are not related. I am an IT Consultant and we provide support for other companies.

Secondly, I can VPN into my company but I can not VPN out to other companies from the internal LAN. Please let me know if this helps.

Cristian

jmia
Level 7

What you don't mention in your post is what device you are connecting to on the remote site using the VPN Client: is it another PIX or something else? And I presume your LAN is behind the PIX 515E?

If you are connecting using the VPN Client (PIX-to-PIX), then can you possibly post your PIX configuration - make sure to take out any sensitive info.

Jay

Hi Jay,

Thank you for the reply. But the two companies are not related. I am an IT Consultant and we provide support for other companies.

My company has a Pix 515e and the other one has a 501 PIX.

Thanks for posting the config, but can you post the 501 config? And are you using PPTP or the Cisco VPN Client to connect with?

Jay

I am using VPN client to connect.

Here is the 501 pix config.

Jay, here is something that I found through my reading. Please tell me if it makes sense to you:

"Need to ensure that protocol 50 and UDP ports 500 and 4500 are permitted through the PIX and you may need to enable nat transparency on the remote device. You should check that the remote PIX you are connecting to has the command 'isakmp nat-traversal XX

(where XX is the number of seconds between nat keepalives) configured."

Thank you

Cristian

Christian,

Your 501 config looks good, yes add (in config mode) on the 501 : isakmp nat-traversal

Unless you have an internet router in front of the PIX which might be blocking protocol 50/500 and 4500, I wouldn't worry about that.

You should be okay when you have enabled NAT-T on the 501, let me know how you get on.

Jay

Christian,

Forgot to explain NAT-T:

NAT-T is an IETF standard for encapsulation of IPSec packets into UDP packets.

IPSec ESP (the protocol that your encrypted data packets use) is an IP protocol, in that it sits right on top of IP, rather than being a TCP or UDP protocol. For this reason it has no TCP/UDP port number.

A lot of devices that do Port Address Translation (PAT) rely on a unique TCP/UDP source port number to do the PAT'ing. Because all traffic is PAT'd to the same source address, there needs to be some uniqueness about each session, and most devices use the TCP/UDP source port number for that. Because IPSec doesn't have one, a lot of PAT devices fail to PAT it correctly, or at all, and the data transfer fails.

When NAT-T is enabled on both end devices, they will determine during the tunnel build that there is a PAT/NAT device in between them, and if they detect that there is, they automatically encapsulate all the IPSec packets into UDP packets with a port number of 4500. Because there's now a port number, PAT devices are able to PAT it correctly and traffic passes normally.

Hope this helps.

Jay

Hi Jay,

No luck. It states that the remote computer is not responding or something like that.

I did add the command NAT-T on both PIX, after I tried to connect to the 501 PIX without having NAT-T enabled on the Pix 501e.

What commands can I use to see what happens to the connections?

I am looking for commands such as "debug crypto..." and show commands that show me what happens to my packets sent from one location to another.

Thank you for your help

Cristian

Christian,

Hmmm.. You can enable logging on the VPN Client, and set the log to HIGH. Now try to connect to the remote PIX and see what the client log is showing. Try this with NAT-T enabled on the 501.

Also, if you have access to the 501, then issue: sho isakmp sa - and check if there is any client session being built with your firewall.

Here is a document for you to troubleshoot with:

http://www.cisco.com/warp/public/110/pix3000.html

Let me know how you get on and please rate post if it helps you.

Jay

Your remote site 501 config does not look right to me.

Use the following example on the 501 PIX to which your client is connecting:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f6a.shtml

Also make sure that the firewall behind which the VPN client is residing permits the following ports and protocols to the client's public and/or private IP on the ACLs, in both directions.

1. Protocol ESP (protocol 50)

2. UDP port 500

3. UDP port 4500
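To make Jay's NAT-T explanation and the permit list above concrete, here is a small packet classifier added as an example (it is not from any post in this thread and not Cisco code). It labels the three traffic types a VPN client exchanges with a PIX, models why a PAT device has nothing to key on for raw ESP, and checks a packet against the minimal ESP/UDP-500/UDP-4500 permit list. The payload layouts for UDP port 4500 (one-byte 0xFF keepalive, four-byte zero "non-ESP marker" before IKE, otherwise an ESP header starting with a non-zero SPI) follow RFC 3948; the sample packets are constructed.

```python
UDP = 17
TCP = 6
ESP = 50            # IP protocol 50: ESP sits directly on IP, so it carries no L4 port
IKE_PORT = 500      # ISAKMP / IKE phase 1 and 2
NAT_T_PORT = 4500   # RFC 3948 UDP encapsulation used once NAT is detected


def classify_ipsec(proto, dst_port, payload):
    """Label a packet as seen between the VPN client and the PIX."""
    if proto == ESP:
        return "esp"                           # raw ESP, the case that breaks behind PAT
    if proto != UDP:
        return "other"
    if dst_port == IKE_PORT:
        return "ike"
    if dst_port == NAT_T_PORT:
        if payload == b"\xff":
            return "nat-t-keepalive"           # one-octet keepalive (the nat-traversal XX timer)
        if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
            return "ike-over-nat-t"            # non-ESP marker: IKE moved to port 4500
        if len(payload) >= 8 and int.from_bytes(payload[:4], "big") != 0:
            return "esp-over-nat-t"            # SPI (non-zero) + sequence number = ESP header
        return "malformed"
    return "other"


def pat_session_key(proto, src_ip, src_port):
    """Model of a PAT device that keys its translation table on (proto, src ip, src port).
    ESP has no port, so there is nothing unique to key on and the packet is not translated."""
    if proto in (UDP, TCP):
        return (proto, src_ip, src_port)
    return None


def acl_permits(proto, dst_port):
    """The minimal permit list from the thread: ESP, UDP/500 and UDP/4500."""
    return proto == ESP or (proto == UDP and dst_port in (IKE_PORT, NAT_T_PORT))


if __name__ == "__main__":
    # Constructed sample packets: (proto, dst_port, payload)
    samples = [
        (ESP, None, b"\x12\x34\xab\xcd\x00\x00\x00\x01"),
        (UDP, IKE_PORT, b"\x00" * 28),
        (UDP, NAT_T_PORT, b"\xff"),
        (UDP, NAT_T_PORT, b"\x00\x00\x00\x00" + b"\x01" * 28),
        (UDP, NAT_T_PORT, b"\x12\x34\xab\xcd\x00\x00\x00\x01" + b"\x00" * 16),
    ]
    for proto, port, data in samples:
        print(classify_ipsec(proto, port, data), pat_session_key(proto, "10.0.0.5", port) is not None)
```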

THANK YOU very much for your concern.

I did look at the web link and I will pay a little more attention to my 501 Pix config.

Thank you

Cristian
