Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
465
Views
0
Helpful
7
Replies

Cisco VPN Client (v3.1) -> MS ISA -> Internet -> Cisco Concentrator 3000

dlb
Level 1
Level 1

‎01-06-2003 11:42 AM - edited ‎02-21-2020 12:15 PM

Hello,

Setup:

Cisco VPN Client (3.1) running on Win 2K Pro ->

MS ISA Server (proper protocol defs. and rules are in place and active; remote network has an entry in the LAT)->

Internet->

Cisco Concentrator 3000 (remote network, I do not admin this device)

Problem:

I am able to authenticate to the remote network, I can see in the VPN Client status that I am assigned an IP address. By doing 'ipconfig /all' I see that my DNS servers have been changed to match those of the remote network. However, I am unable to access ANY remote network resources. I can't even ping the remote DNS servers.

It's my understanding that if IPSec through NAT is enabled both on the client and the concentrator, all data will pass through the tunnel created. I have this enabled on the client end, but when I look at the status of the connection it says: "IPSec through NAT: Inactive." This leads me to believe that NAT-T is not enabled on the concentrator, am I mistaken in this assumption?

Any help is appreciated.

Thanks,

Dave

Labels:
0 Helpful
7 Replies 7

jfrahim
Level 5
Level 5

‎01-06-2003 12:26 PM

Hi Dave,

IPSec over UDP needs to be enabled on the client as well on the concentrator. If you have it enabled it on the client but it is not active, then make sure that it is also enabled on the concentrator as well. You mentioned that you do not administer the VPN concentrator, so you would probably need to involve the admin of the concentrator to troubleshoot it

Jazib

0 Helpful

dlb
Level 1
Level 1
In response to jfrahim

‎01-06-2003 12:32 PM

Hi Jazib, thanks for replying. I have contacted the admin of the concentrator, he says that it is enabled. Is there any way I can confirm this from my end? Like I said, when I am connected the status shows that IPSec over UDP is 'Inactive', port is '0'. I can provide a screenshot of the status screen if necessary.

Also, there may be a breakdown in communication between myself and the concentrator admin. Is IPSec over UDP the same as NAT-T? NAT-T is transparant NAT? Just want to make sure my lingo is correct before I contact the concentrator admin [again].

Thanks,

Dave

0 Helpful

jfrahim
Level 5
Level 5
In response to dlb

‎01-06-2003 12:45 PM

Hi Dave,

NAT-T is very similar in characteristics as IPSec over UDP. You can either use IPSec over UDP or NAT-T. NAT-T is a pretty new feature, so make sure that you are running atleast 3.6(x) code on the client and the concentrator.

To find out if you are using IPSEC over UDP or NAT-T, you can enable log viewer on the client and set the severity of all the classes to High.

If using IPSec over UDP, and if it is enabled on both devices, then you should see something similar on Log Viewer:

66 15:39:19.700 01/06/03 Sev=Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0x00002710

If you are using NAT-T, then you will see that NAT-T is getting negotiated in the log Viewer as well

Also, ask your concentrator admin, what he sees as the encryption protocol for your IPSec session. If you are using NAT-T, it will show NAT-T there.. If you are using IPSec over UDP then it will show you that. If you are not using either of them, it will just say IPSec for the encryption protocol

Hope that helps

Jazib

0 Helpful

dlb
Level 1
Level 1
In response to jfrahim

‎01-06-2003 01:08 PM

Jazib, thank you very much for helping. I don't see anything about UDP_NAT in the LOG when I connect with IPSec over UDP enabled, that should tell me that IPSec over UDP is not enabled on the concentrator end, correct?

I'm not sure which version the concentrator is, but the client version they gave me is 3.1. The client software has no mention of NAT-T, just IPSec over UDP.

Thanks again for sticking with me on this.

Dave

0 Helpful

dlb
Level 1
Level 1
In response to dlb

‎01-06-2003 01:48 PM

This is what the concentrator admin told me when I inquired about the settings on his end:

---begin paste---

Here are the configured settings when connecting externally

encryption 168-bit 3-DES

authentication HMAC-MD5

IPSEC THROUGH NAT - ACTIVE

Nat port 10000

---end paste---

My limited knowledge of Cisco concentrators tells me that this is not the settings for IPsec over UDP.

0 Helpful

jfrahim
Level 5
Level 5
In response to dlb

‎01-07-2003 09:49 AM

Dave,

I am assuming that these are the stats from one of the VPN sessions which had IPSec over UDP enabled. You have to find out from your concentrator admin if you are also connecting to the same group as this user.

Jazib

0 Helpful

jfrahim
Level 5
Level 5
In response to dlb

‎01-06-2003 01:49 PM

Hi Dave,

If you are not seeing the UDP_NAT mesages, then your concentrator is not properly setup. You have to ask your admin to either check the config on the concentrator to make sure that it is enabled, or get the logs from the concentrator with the IKE, IKEDBG,IPSEC and IPSECDBG severity set to 1-13

Thanks

Jazib

0 Helpful
Customers Also Viewed These Support Documents