cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
770
Views
0
Helpful
2
Replies

Ipsec tunnel from Microsoft client to PIX515 through NAT

jsanjuan
Level 1
Level 1

Hi,

we want to establish a remote access connection from a Microsoft Windows 2000 client to a PIX515. We have an access router in front of the pix. This router is doing static nat. When the remote client connects to the PIX directly, it establishes the ipsec connection and we are able to transmit icmp packets and pptp.

When we connect to pix going through the cisco 2600 it establishes the security association but we can´t neither transmit icmp nor pptp packets to the remote client. The pix decrypts packets but it doesn´t encrypt any.

When i do a show crypto sa I get the following:

local ident (addr/mask/prot/port): (195.53.117.57/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (212.87.222.149/255.255.255.255/0/0)

current_peer: 212.87.222.149:500

dynamic allocated peer ip: 0.0.0.0

PERMIT, flags={}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 64, #pkts decrypt: 64, #pkts verify 64

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 192.168.120.2, remote crypto endpt.: 212.87.222.149

path mtu 1500, ipsec overhead 56, media mtu 1500

current outbound spi: 78249b94

inbound esp sas:

spi: 0x9f4713ab(2672235435)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 1, crypto map: mymap

sa timing: remaining key lifetime (k/sec): (4607993/28642)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x78249b94(2015665044)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 2, crypto map: mymap

sa timing: remaining key lifetime (k/sec): (4608000/28642)

IV size: 8 bytes

replay detection support: Y

Why I don´t get any answer when i establish the ipsec connection through the router doing nat though the ipsec sa is created?

Any ideas?

Thanks in advance,

Regards,

Nuria

2 Replies 2

drolemc