Cisco 836 with Site-to-Site VPN should enable IP-Sec passthrough

geand
Level 1

Hello,

I'm running a Cisco 836 with IOS FW.

The outside IP address is dynamically assigned by the ISP. I am doing PAT to the inside Ethernet interface.

The router is configured to initiate a site-to-site VPN to a Cisco PIX.

Additionally, it should be possible to set up a VPN tunnel from an IPsec VPN client behind the Cisco 836 to any other VPN server on the Internet.

It is possible to set up the tunnel, but it is not possible to send data across this VPN tunnel.

I think it's because of the nature of IPsec in combination with PAT.

Is there a way to get this working?

Thanks in advance.

3 Replies

ozgur.guler
Level 1

You should enable NAT traversal on the VPN gateway that you are connecting to with your VPN client.

Also enable transparent tunnelling on your VPN client.

HTH
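The reply above points at NAT traversal. The following Python model is added here to illustrate the point and is not code from the thread or from Cisco: it shows why bare ESP (IP protocol 50) gives a PAT device nothing to build a per-host translation on, while RFC 3948 UDP/4500 encapsulation carries source and destination ports that PAT can rewrite and map back. It also goes one step beyond the thread by demultiplexing a UDP/4500 payload the way an RFC 3948 receiver does (ESP, IKE with the non-ESP marker, or NAT keepalive). The PAT device, the addresses and the packets are all constructed for the example; the model is deliberately simplified and is not Cisco IOS behaviour.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP_PROTO = 50          # ESP rides directly on IP: no L4 header, no ports
UDP_PROTO = 17
NAT_T_PORT = 4500       # RFC 3948 UDP-encapsulated ESP / RFC 3947 IKE port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int] = None   # None for ESP: the header has no port field
    dst_port: Optional[int] = None
    payload: bytes = b""


class PatDevice:
    """Simplified PAT model (constructed for this example, not Cisco IOS).
    Every inside host is translated to one public IP; a translation entry
    is keyed on a public source port, because the port is the only thing
    that can tell two inside hosts' flows apart on the way back in."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self._next_port = 1024
        self.table: Dict[int, Tuple[str, int]] = {}   # public port -> (inside ip, inside port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src_port is None:
            # ESP carries an SPI but no ports: there is nothing to translate
            # on, so no per-host mapping can be created for this packet.
            return None
        for pub_port, inside in self.table.items():
            if inside == (pkt.src_ip, pkt.src_port):
                break
        else:
            pub_port = self._next_port
            self._next_port += 1
            self.table[pub_port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pkt.dst_ip, pkt.proto,
                      pub_port, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_port is None or pkt.dst_port not in self.table:
            return None   # no translation entry: the reply is dropped here
        inside_ip, inside_port = self.table[pkt.dst_port]
        return Packet(pkt.src_ip, inside_ip, pkt.proto,
                      pkt.src_port, inside_port, pkt.payload)


def esp_header(spi: int, seq: int) -> bytes:
    """RFC 4303 ESP header: 32-bit SPI followed by a 32-bit sequence number."""
    return struct.pack("!II", spi, seq)


def nat_t_encapsulate(esp: bytes) -> bytes:
    """RFC 3948: the UDP/4500 payload is the raw ESP packet. The SPI must be
    non-zero so the receiver can distinguish it from IKE's 4-byte non-ESP marker."""
    if esp[:4] == b"\x00\x00\x00\x00":
        raise ValueError("SPI 0 is reserved; it would collide with the non-ESP marker")
    return esp


def classify_nat_t_payload(payload: bytes) -> str:
    """Demultiplex a UDP/4500 payload as an RFC 3948 receiver does."""
    if payload == b"\xff":
        return "nat-keepalive"           # RFC 3948 section 2.3: single 0xFF byte
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "ike"                     # RFC 3947 section 5.2: non-ESP marker
    if len(payload) >= 8:
        return "esp"                     # first 4 bytes are a non-zero SPI
    return "invalid"


def plain_esp_through_pat() -> Optional[Packet]:
    """Soft client behind PAT sending bare ESP: no ports, no mapping."""
    pat = PatDevice("203.0.113.10")      # constructed public address
    esp = Packet("192.168.1.20", "198.51.100.5", ESP_PROTO,
                 payload=esp_header(0x1000ABCD, 1) + b"ciphertext")
    return pat.outbound(esp)             # None: PAT cannot translate bare ESP


def nat_t_esp_through_pat() -> Tuple[Optional[Packet], Optional[Packet]]:
    """Same client with NAT-T: ESP inside UDP/4500 is translated and the
    VPN server's reply to the translated port is mapped back to the client."""
    pat = PatDevice("203.0.113.10")
    inner = nat_t_encapsulate(esp_header(0x1000ABCD, 1) + b"ciphertext")
    out = pat.outbound(Packet("192.168.1.20", "198.51.100.5", UDP_PROTO,
                              NAT_T_PORT, NAT_T_PORT, inner))
    reply = Packet("198.51.100.5", pat.public_ip, UDP_PROTO,
                   NAT_T_PORT, out.src_port, esp_header(0x2000EF01, 1) + b"x")
    return out, pat.inbound(reply)
```

Run `plain_esp_through_pat()` and `nat_t_esp_through_pat()` side by side: the bare ESP packet never gets a translation entry, which matches the thread's symptom of a tunnel that negotiates (IKE is UDP/500 and translates fine) but carries no data, while the UDP/4500 packet gets a public port and its reply is mapped back to the inside host. Both ends must support NAT-T for this to apply, since it is negotiated during IKE.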

ehirsel
Level 6

I believe that your issue arises because the PIX, in defining a site-to-site LAN connection, needs to see your 836 device as always having the same IP address. You stated that the 836 address changes per the ISP DHCP settings.

You can configure the PIX to do wildcard IKE mode config so that any device that has the pre-shared key, RSA signature, or certificate as defined in your ISAKMP policy is a trusted client. This can make the LAN-to-LAN IPsec session work when the 836 outside/ISP interface changes.

As an alternative, you may be able to configure the 836 as an EzVPN client to the Cisco PIX; that is, the PIX will see the 836 device in the same way that it sees a remote-access VPN client using the Cisco software client. I am not certain that this can be done, but if it can, then as long as you PAT or NAT all connections behind the 836 to the 836 ISP/outside interface address, you can configure the 836 to use a group ID and password, which is a better pre-shared key than the one for LAN-to-LAN connections.

Let me know if this helps.

Sorry for the late response, but I was on vacation.

Unfortunately, the remote VPN server I'm doing a site-to-site VPN with is not a PIX and is not part of my administration.

The site-to-site connection between the 836 and the VPN server works. It is also possible to build an additional IPsec tunnel between soft clients inside the LAN of the 836 and any other VPN server on the Internet, but not to send any data across these additional VPN tunnels.

To be sure, I've made a test setup with two PIXes and an 836, doing PAT with one public IP address at the 836.

A site-to-site connection between PIX-1 and the 836 is working. Setting up an additional IPsec tunnel between an IPsec soft client behind the 836 and PIX-2 works as well, but it is not possible to send data across this link.

Using NAT traversal made no difference, and neither did configuring all of it with EzVPN.

(It is also not a configuration problem with ACLs or routing ;-))