Client VPN issues

pj_mtl
Level 1

Here is my current issue. A user was given VPN access to a remote network using the latest VPN client from Cisco. He can connect, but the problem is he cannot ping or access any machines once connected. I thought maybe the problem was our PIX 501 firewall, so I connected my laptop on the public network in front of my firewall and I was able to connect to the remote network and ping and connect to the remote machines. Our private IPs are not in the same range; mine are 192.168.13.0 and the remote network is 192.168.10.0. I haven't had problems in the past when connecting to other clients' networks. Can the problem be in the remote firewall? If I'm not mistaken, they are using a 515E. I don't think the problem is on my side, but I'd rather be sure before stating otherwise. Any help would be greatly appreciated.

Thanks

3 Replies

Patrick Iseli
Level 7

This is a NAT issue. Let me guess: your VPN client is behind a PIX that uses PAT for outbound connections.

Try to add this line in your VPN Peer PIX:

isakmp nat-traversal 20

isakmp nat-traversal

-----------------------

Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.

The firewall supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps. NAT traversal is disabled by default on the firewall.

To enable NAT traversal, check that ISAKMP is enabled (you can enable it with the isakmp enable if_name command) and then use the isakmp nat-traversal [natkeepalive] command. (This command appears in the configuration if both ISAKMP is enabled and NAT traversal is enabled.) If you have enabled NAT traversal, you can disable it with the no isakmp nat-traversal command. Valid values for natkeepalive are from 10 to 3600 seconds. The default is 20 seconds.

If needed, the show isakmp sa detail command assists in debugging NAT traversal.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1027312

sincerely

Patrick
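The reply above explains the failure in words: PAT rewrites ports, ESP has none, and NAT-T wraps ESP in UDP/4500 so the PAT device has something to rewrite. The following added example (my own illustration, not code from the thread or from Cisco) models that with a minimal PAT table and a decoder for the UDP/4500 payload format from RFC 3948; the PAT model, the 203.0.113.1 public address and the inside hosts are constructed assumptions.

```python
"""Why PAT breaks raw ESP and why NAT-T (UDP encapsulation) fixes it.
Constructed, simplified model for illustration only."""
import struct

ESP_PROTO = 50      # ESP is its own IP protocol: no transport-layer ports
UDP_PROTO = 17
IKE_PORT = 500      # plain IKE
NAT_T_PORT = 4500   # IKE and ESP when NAT-T has been negotiated


class Pat:
    """One public IP shared by many inside hosts, distinguished by port."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 1024
        self.table = {}  # (inside_ip, inside_port, proto) -> public port

    def translate(self, proto, src_ip, src_port):
        if src_port is None:
            # Nothing to rewrite: ESP only carries an SPI. A port-based
            # translator cannot keep two inside hosts apart, so we drop it.
            raise ValueError("proto %d has no port; PAT cannot map it" % proto)
        key = (src_ip, src_port, proto)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return self.public_ip, self.table[key]


def classify_nat_t(udp_payload):
    """UDP/4500 payload per RFC 3948: 4 zero bytes = IKE, otherwise ESP
    whose first 4 bytes are the SPI."""
    if udp_payload[:4] == b"\x00\x00\x00\x00":
        return "IKE over NAT-T"
    spi = struct.unpack("!I", udp_payload[:4])[0]
    return "ESP over NAT-T, SPI 0x%08x" % spi


def demo():
    """Two inside hosts behind one PAT: raw ESP vs NAT-T encapsulated."""
    pat = Pat("203.0.113.1")   # constructed public address
    results = {}
    try:
        pat.translate(ESP_PROTO, "192.168.13.10", None)
        results["raw_esp"] = "translated"
    except ValueError:
        results["raw_esp"] = "dropped"
    # With NAT-T each host's ESP rides in UDP and gets its own public port.
    results["host_a"] = pat.translate(UDP_PROTO, "192.168.13.10", NAT_T_PORT)
    results["host_b"] = pat.translate(UDP_PROTO, "192.168.13.11", NAT_T_PORT)
    return results
```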

Thanks for the reply, Patrick. Yes, the VPN client is behind a PIX firewall that uses PAT. I tried doing what you mentioned about enabling NAT traversal, but it doesn't recognize the command. I'm running version 6.2 on my PIX; could that be a problem?

YES, this command is only supported by PIX OS 6.3.

sincerely

Patrick