Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
949
Views
0
Helpful
2
Replies

Cisco VPN Client establishes connection to PIX 515e but no bytes in??

docuity155
Level 1
Level 1

‎12-30-2004 06:54 PM

Hello,

I have a PIX 515e and a few clients connecting via Cisco VPN client 4.0.5C All was working fine for quite some time then all of a sudden most clients would establish connection but could not pass data. When looking at the statistics screen the Bytes in is zero bytes out keeps climbing. The strange part is a couple of my clients can stil connect with no problem?? what is going on?? Has anyone seen this?

Labels:
0 Helpful
2 Replies 2

ozgur.guler
Level 1
Level 1

‎12-31-2004 12:15 AM

did you check your routing on Pix?

all client range should be routed outside,

and one other point is,

traffic going out of your firewall to vpn client range should not be natted.

i am sure you know these,

it is worth to check again.

0 Helpful

Patrick Iseli
Level 7
Level 7
In response to ozgur.guler

‎12-31-2004 07:08 AM

isakmp nat-traversal 20

Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.

The firewall supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps. NAT traversal is disabled by default on the firewall.

To enable NAT traversal, check that ISAKMP is enabled (you can enable it with the isakmp enable if_name command) and then use the isakmp nat-traversal [natkeepalive] command. (This command appears in the configuration if both ISAKMP is enabled and NAT traversal is enabled.) If you have enabled NAT traversal, you can disable it with the no isakmp nat-traversal command. Valid values for natkeepalive are from 10 to 3600 seconds. The default is 20 seconds.

See: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1027312

sincerely

Patrick

0 Helpful
Customers Also Viewed These Support Documents