03-08-2006 11:20 AM - edited 02-21-2020 02:18 PM
I have a PIX 515 with a dyn VPN connection set up. All is well when I connect from home (using the Cisco VPN Client) from behind my Linksys router. When I am at another site that has a PIX as a firewall, I can auth to the remote PIX 515 but cannot access the remote LAN.
Any ideas as to what the problem might be? I assume it's something on the firewall, but I have no idea.
Any help is much appreciated.
03-08-2006 11:34 AM
It looks like a NAT-traversal issue. Try the command
isakmp nat-traversal 20
on your PIX in the global configuration menu.
Hope that helps
M.
03-09-2006 10:43 PM
I am also facing a similar problem; the above command does not work.
03-10-2006 09:13 AM
This did not fix the problem for me. Any other ideas?
03-10-2006 07:12 AM
I have the same problem over the same PIX515. I suppose the rule to allow "bypass" of the traffic must be set on the PIX that the VPN client is behind, but what kind of rule?
Thanks in advance.
03-10-2006 01:07 PM
Have you initiated a clear ipsec sa or clear isakmp sa command on the PIX?
Also found this interesting doc...
http://cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a008009448c.shtml
03-10-2006 01:13 PM
Also be sure the other site's firewall has open ports for the VPN client: tcp/4500 udp/500
03-12-2006 02:40 AM
Just a bit of an add-on.
The ports that need to be permitted on the PIX (the one deployed on the client end) are udp 500 and udp 4500.
03-13-2006 09:19 AM
Thanks a lot for your help,
but it didn't work. I permitted the traffic in this way:
access-list in_access permit udp any any eq isakmp
access-list in_access permit udp any any eq 4500
access-list in_access permit tcp any any eq 4500
applied over the Outside interface. The VPN connection is established, even the Radius remote auth is validated, but I cannot ping or pass traffic with the IP the vpngroup assigned...
Any suggestions? Are the permitted ports correctly applied?
03-14-2006 11:31 PM
Just to add on, I sniffed on my interface:
located behind another PIX- 0 outgoing packets
located behind a dial up - >0 outgoing packets.
Could this be due to some configurations on the client side?