Client VPN can auth but not route when crossing PIX firewall

mikeb
Level 1

I have a PIX 515 with a dyn VPN connection set up. All is well when I connect from home (using the Cisco VPN Client) from behind my Linksys router. When I am at another site that has a PIX as a firewall, I can auth to the remote PIX 515 but cannot access the remote LAN.

Any ideas as to what the problem might be? I assume it's something on the firewall, but I have no idea.

Any help is much appreciated.

9 Replies

m.sir
Level 7

It looks like a NAT-traversal issue; try the command

isakmp nat-traversal 20

on your PIX in global configuration menu.

Hope that helps

M.

I am also facing a similar problem; the above command does not work.

This did not fix the problem for me. Any other ideas?

Dieg0hurtad0
Level 1

I have the same problem on the same PIX 515. I suppose the rule to allow the traffic to "bypass" must be set on the PIX that the VPN client is behind, but what kind of rule?

Thanks in advance.

mpalardy
Level 3

Have you initiated a clear ipsec sa or clear isakmp sa command on the PIX?

Also found this interesting doc...

http://cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a008009448c.shtml

mpalardy
Level 3

Also be sure the other site's firewall has the ports open for the VPN client: tcp/4500, udp/500.

Just a bit of an add-on.

The ports that need to be permitted on the PIX (the one deployed on the client end) are UDP 500 and UDP 4500.

Thanks a lot for your help,

but it didn't work. I permit the traffic in this way:

access-list in_access permit udp any any eq isakmp

access-list in_access permit udp any any eq 4500

access-list in_access permit tcp any any eq 4500

applied on the outside interface. The VPN connection is established, and even the RADIUS remote auth is validated, but I cannot ping or pass traffic with the IP the vpngroup assigned...

Any suggestion? Are the permitted ports correctly applied?
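The two configuration pieces the thread keeps circling around are the permits on the PIX in front of the client (the access list posted above) and `isakmp nat-traversal` on the head-end PIX (m.sir's reply). The script below is an added example, not code from this thread or from Cisco: it parses PIX-style `access-list` lines, reports which of the protocol/port permits an IPsec client needs are missing (IKE on UDP/500, NAT-T on UDP/4500, and plain ESP, IP protocol 50, for the case where NAT-T is not negotiated), flags a `tcp ... eq 4500` entry as a likely slip since NAT-T is UDP, and checks a head-end fragment for the `isakmp nat-traversal` line. The ACL and head-end fragments are constructed for the example; the one labelled "as posted" reproduces the three lines from the post above.

```python
"""Audit PIX-style config fragments for what an IPsec VPN client behind a PIX
needs: outbound permits on the client-side firewall and NAT-traversal on the
head-end. Added example for this thread; all config text here is constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Port keyword the PIX accepts in place of a number (only the one used here).
PORT_NAMES = {"isakmp": 500}

# Protocol/port pairs an IPsec client needs through the firewall in front of it.
REQUIRED = {
    ("udp", 500): "IKE (isakmp, UDP/500)",
    ("udp", 4500): "NAT-T (UDP/4500)",
    ("esp", None): "ESP (IP protocol 50) when NAT-T is not used",
}


@dataclass(frozen=True)
class AclEntry:
    name: str
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[int]


def _take_addr(tokens, i):
    """Consume one address spec: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def parse_acl_line(line: str) -> Optional[AclEntry]:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'; None if not an ACE."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    name, action, proto = t[1], t[2], t[3].lower()
    src, i = _take_addr(t, 4)
    dst, i = _take_addr(t, i)
    port = None
    if i + 1 < len(t) and t[i] == "eq":
        p = t[i + 1].lower()
        port = PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return AclEntry(name, action, proto, src, dst, port)


def audit_client_side_acl(config_text: str) -> dict:
    """Report required permits that are missing and entries that look mistaken."""
    entries = [e for e in map(parse_acl_line, config_text.splitlines()) if e]
    permitted = {(e.proto, e.port) for e in entries if e.action == "permit"}
    if ("ip", None) in permitted:          # 'permit ip any any' covers everything
        permitted |= set(REQUIRED)
    missing = [desc for key, desc in REQUIRED.items() if key not in permitted]
    # tcp/4500 is a common slip: NAT-T runs over UDP, so this entry permits nothing useful
    suspicious = [f"{e.proto}/{e.port} permitted, but NAT-T is UDP/4500"
                  for e in entries
                  if e.action == "permit" and e.proto == "tcp" and e.port == 4500]
    return {"missing": missing, "suspicious": suspicious}


def nat_traversal_enabled(config_text: str) -> bool:
    """True if a head-end config carries 'isakmp nat-traversal [keepalive-seconds]'."""
    return re.search(r"^\s*isakmp nat-traversal(\s+\d+)?\s*$", config_text, re.M) is not None


# Constructed samples. ACL_AS_POSTED reproduces the three lines from the post above.
ACL_AS_POSTED = """
access-list in_access permit udp any any eq isakmp
access-list in_access permit udp any any eq 4500
access-list in_access permit tcp any any eq 4500
"""
ACL_CORRECTED = """
access-list in_access permit udp any any eq isakmp
access-list in_access permit udp any any eq 4500
access-list in_access permit esp any any
"""
HEADEND_WITHOUT_NATT = "isakmp enable outside\n"
HEADEND_WITH_NATT = "isakmp enable outside\nisakmp nat-traversal 20\n"

if __name__ == "__main__":
    print("as posted:", audit_client_side_acl(ACL_AS_POSTED))
    print("corrected:", audit_client_side_acl(ACL_CORRECTED))
    print("head-end NAT-T:", nat_traversal_enabled(HEADEND_WITHOUT_NATT),
          nat_traversal_enabled(HEADEND_WITH_NATT))
```

Run it and the "as posted" ACL comes back with ESP missing and the `tcp ... eq 4500` line flagged; the corrected ACL comes back clean. The audit only checks that the permits exist; because the PIX tracks outbound UDP connections statefully, the return IKE and NAT-T packets ride the connection table rather than needing their own inbound entries, so a clean result here plus `isakmp nat-traversal` on the head-end is the combination the thread's replies are pointing at.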

cashqoo
Level 1

Just to add on, I sniffed on my interface:

located behind another PIX: 0 outgoing packets

located behind a dial-up: >0 outgoing packets.

Could this be due to some configurations on the client side?