02-23-2005 09:09 AM - edited 02-21-2020 01:37 PM
When trying to VPN using the Cisco VPN 4.0.1 client that is behind a PIX 501, I cannot connect. We know that the VPN is working fine because we tested it. Are there some commands that need to be added to let VPN go through the PIX?
Thanks in advance for your help!
gilbert
02-23-2005 09:17 AM
Gilbert,
Can you provide more info, such as what the error message is on the VPN client when you try to connect to the PIX? Have you got NAT Traversal enabled in your PIX configuration?
To enable this, issue in config mode on the PIX:
> isakmp nat-traversal
Let me know if this helps.
Jay
02-23-2005 09:23 AM
The "isakmp nat-traversal 20" should be on the Peer VPN Server.
Do you have an access-list on the inside interface?
If yes, do you permit:
Protocol esp
UDP/500 ISAKMP
You may open that traffic using this command, which will ignore the access-lists and let IPSEC pass globally:
sysopt connection permit-ipsec
Sincerely,
Patrick
02-23-2005 10:47 AM
Ya, Patrick is right,
On the destination have NAT traversal enabled.
On the source open UDP 500, UDP 4500, IP 50/51. By the way, is there any access list on the inside interface of your PIX? If yes, add the above. If not, there is something else...
Raj
02-23-2005 11:14 AM
Thanks Raj,
I do have an access-list on the PIX and I will add these UDP and IP ports and check again.
gilbert
02-23-2005 01:05 PM
Hi Patrick,
I tried this command, sysopt connection permit-ipsec,
on the client-side PIX but still cannot connect.
I do not have access to the Peer VPN server so I can't verify what their configuration is.
gilbert
02-23-2005 01:08 PM
Hi Jay,
All I have control over is the client-side PIX. I tried to add the command isakmp nat-traversal but it does not take.
thanks,
gilbert
02-23-2005 11:12 AM
Thanks guys for all the replies!
Unfortunately I do not know what the other end is. It could be a PIX or a concentrator. I will try the client-side suggestion and check if it works.
All that I know is we are using the Cisco VPN client behind a PIX firewall and these are the logs that I get from the client:
45 13:10:36.905 02/23/05 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
46 13:10:36.905 02/23/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 138.26.220.211
47 13:10:41.912 02/23/05 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
48 13:10:41.912 02/23/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 138.26.220.211
49 13:10:46.920 02/23/05 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
50 13:10:46.920 02/23/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 138.26.220.211
51 13:10:51.927 02/23/05 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=63246B4221BFFE77 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
52 13:10:52.427 02/23/05 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=63246B4221BFFE77 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
53 13:10:52.427 02/23/05 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "138.26.220.211" because of "DEL_REASON_PEER_NOT_RESPONDING"
54 13:10:52.427 02/23/05 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
55 13:10:52.427 02/23/05 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
56 13:10:52.438 02/23/05 Sev=Info/4 IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully
57 13:10:52.928 02/23/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
58 13:10:52.928 02/23/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
59 13:10:52.928 02/23/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
60 13:10:52.928 02/23/05 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
Thanks again!
gilbert
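The client log above shows the characteristic shape of a blocked IKE path: repeated aggressive-mode retransmissions, a responder cookie that stays all zeros, and then DEL_REASON_PEER_NOT_RESPONDING. The following Python is an added example (not from the thread or from Cisco) that parses this Cisco VPN Client 4.x log format, recognises that pattern, and maps it to the firewall checks the replies in this thread recommend; the sample input is a trimmed copy of the log lines posted above.

```python
import re
from typing import Dict, List

# Cisco VPN Client 4.x log: a header line (index, time, date, severity, component/code)
# followed by the message text on the next line.
HEADER = re.compile(r"^(?P<idx>\d+)\s+(?P<time>[\d:.]+)\s+(?P<date>[\d/]+)\s+Sev=(?P<sev>\w+)/(?P<lvl>\d)"
                    r"\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]+)$")
PHASE1_FAIL = re.compile(r'Unable to establish Phase 1 SA with server "([^"]+)" because of "(\w+)"')
R_COOKIE = re.compile(r"R_Cookie=([0-9A-Fa-f]+)")

# Sample input: log lines from the post above (trimmed to the relevant entries).
SAMPLE_LOG = """\
49 13:10:46.920 02/23/05 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
50 13:10:46.920 02/23/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 138.26.220.211
51 13:10:51.927 02/23/05 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=63246B4221BFFE77 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
53 13:10:52.427 02/23/05 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "138.26.220.211" because of "DEL_REASON_PEER_NOT_RESPONDING"
"""

def parse_log(text: str) -> List[Dict[str, str]]:
    """Pair each header line with the message line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    for i, ln in enumerate(lines[:-1]):
        m = HEADER.match(ln)
        if m:
            entries.append({**m.groupdict(), "msg": lines[i + 1]})
    return entries

def triage(text: str) -> Dict[str, object]:
    """Decide whether the failure is 'no IKE reply at all' and list the checks from the thread."""
    entries = parse_log(text)
    retrans = sum(1 for e in entries if e["code"] == "0x63000021")  # "Retransmitting last packet!"
    fails = [PHASE1_FAIL.search(e["msg"]) for e in entries if PHASE1_FAIL.search(e["msg"])]
    cookies = [c for e in entries for c in R_COOKIE.findall(e["msg"])]
    peer, reason = (fails[-1].group(1), fails[-1].group(2)) if fails else (None, None)
    # An all-zero responder cookie means the peer never answered the first aggressive-mode packet.
    never_answered = bool(cookies) and all(set(c) == {"0"} for c in cookies)
    checks: List[str] = []
    if reason == "DEL_REASON_PEER_NOT_RESPONDING" and never_answered:
        checks = ["inside ACL permits udp to %s eq 500 (ISAKMP)" % peer,
                  "inside ACL permits udp to %s eq 4500 (NAT-T)" % peer,
                  "inside ACL permits esp to %s, or 'sysopt connection permit-ipsec' is set" % peer,
                  "peer has 'isakmp nat-traversal' enabled (client sits behind the PIX's NAT)"]
    return {"retransmissions": retrans, "peer": peer, "reason": reason,
            "no_ike_reply": never_answered, "checks": checks}
```

Run `triage(SAMPLE_LOG)` to get the peer address, the retransmission count and the checklist; a log where the responder cookie is non-zero would indicate the peer did answer, so the problem is past the firewall rather than in it.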