
Client VPN (client->PIX), Site-to-Site VPN (PIX<->3000), NAT Traversal Prob

David Dobbs
Level 1

We have up to 25 PCs with the Cisco VPN client loaded connecting to our PIX 506 v6.3, authenticating against Windows 2003 Active Directory (as RADIUS). We also have a site-to-site VPN between our PIX and a Cisco 3000 VPN concentrator using pre-shared key authentication. The dynamic VPN configuration (VPN clients) was added to the existing site-to-site configuration. Both the site-to-site and dynamic (client) VPN connections work fine; however, when I turn on NAT traversal to allow clients (PCs) to connect to the PIX when sitting behind home NAT firewalls, the site-to-site VPN connection breaks.

I tried issuing the "fixup protocol esp-ike" command but get an error message that I have isakmp policies enabled. I tried opening up port 4500 on the outside interface with an access list. This did not fix the problem either.

So how do I turn on NAT Traversal for the VPN clients and still have the site-to-site VPN work?

1 Reply