cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
239
Views
0
Helpful
9
Replies
mikeb
Beginner

Client VPN can auth but not route when crossing PIX firewall

I have a PIX 515 with a dyn VPN connection set up. All is well when connect from home (using the Cisco VPN Client) from behind my linksys router. When I am at another site that has a PIX as a firewall I can auth to the remote PIX 515 but cannot access the remote LAN.

Any ideas as to what the problem might be? I assume its something on the firewall but I have no idea.

Any help is much appreciated.

9 REPLIES 9
m.sir
Rising star

It looks like NAT-traversal issue, try command

isakmp nat-traversal 20

on your pix in global configuration menu

Hope that helps

M.

I am also facing the similar problem, the above command does not work.

This did not fix the problem for me. Any other ideas?

Dieg0hurtad0
Beginner

i have the same problem over the same PIX515, i supose the rule to allow "bypass" the traffic must be set over the PIX where the VPN client is behind,, but what kind of rule>?

thanks in advanced

mpalardy
Participant

Have you iniate a clear ipsec sa or clear isakmp sa command on the pix.

Also found this interesting doc...

http://cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a008009448c.shtml

mpalardy
Participant

Also be sure the other site firewall has open ports for the vpn client. tcp/4500 udp/500

just a bit add-on.

the ports need to be permitted on the pix (the one deployed on the client end) are udp 500, and udp 4500.

Thanks a lot for your help,,

but it didnt work,, a permit the trafic in this way:

access-list in_access permit udp any any eq isakmp

access-list in_access permit udp any any eq 4500

access-list in_access permit tcp any any eq 4500

applied over the Outside interface,, the VPN connection is established, even the Radius remote auth is validated, but cannot ping or pass the traffic with the IP vpngroup assigned...

any suggestion? is the permited ports correctly applied.....

cashqoo
Beginner

Just to add on,i sniffer on my interface;

located behind another PIX- 0 outgoing packets

located behind a dial up - >0 outgoing packets.

Could this be due to some configurations on the client side?

Content for Community-Ad