01-13-2004 08:51 AM - edited 02-21-2020 01:00 PM
Hi,
we want to establish a remote access connection from a Microsoft Windows 2000 client to a PIX 515. We have an access router in front of the PIX. This router is doing static NAT. When the remote client connects to the PIX directly, it establishes the IPsec connection and we are able to transmit ICMP packets and PPTP.
When we connect to the PIX going through the Cisco 2600, it establishes the security association but we can neither transmit ICMP nor PPTP packets to the remote client. The PIX decrypts packets but it doesn't encrypt any.
When I do a show crypto sa I get the following:
local ident (addr/mask/prot/port): (195.53.117.57/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (212.87.222.149/255.255.255.255/0/0)
current_peer: 212.87.222.149:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 64, #pkts decrypt: 64, #pkts verify 64
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.120.2, remote crypto endpt.: 212.87.222.149
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 78249b94
inbound esp sas:
spi: 0x9f4713ab(2672235435)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607993/28642)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x78249b94(2015665044)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4608000/28642)
IV size: 8 bytes
replay detection support: Y
Why don't I get any answer when I establish the IPsec connection through the router doing NAT, even though the IPsec SA is created?
Any ideas?
Thanks in advance,
Regards,
Nuria
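As an added example that is not part of the thread: a small triage script that reads the kind of "show crypto ipsec sa" output pasted above and turns the counters into findings. It is written here for the thread, not taken from Cisco or from the poster, and it embeds a constructed copy of the posted counters plus a constructed healthy SA for contrast. The finding names and the heuristics (decaps without encaps means return traffic never reached the crypto engine; a private local crypto endpoint facing a public peer means a NAT device sits in the path) are this example's own, not PIX output.

```python
import ipaddress
import re

# Constructed sample: the counters and endpoints from the post above,
# trimmed to the lines this check reads.
POSTED_SA_OUTPUT = """\
local ident (addr/mask/prot/port): (195.53.117.57/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (212.87.222.149/255.255.255.255/0/0)
current_peer: 212.87.222.149:500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 64, #pkts decrypt: 64, #pkts verify 64
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.120.2, remote crypto endpt.: 212.87.222.149
path mtu 1500, ipsec overhead 56, media mtu 1500
"""

# Constructed sample of a two-way SA between two public endpoints (no NAT in path).
HEALTHY_SA_OUTPUT = """\
current_peer: 203.0.113.10:500
#pkts encaps: 64, #pkts encrypt: 64, #pkts digest 64
#pkts decaps: 64, #pkts decrypt: 64, #pkts verify 64
#send errors 0, #recv errors 0
local crypto endpt.: 198.51.100.2, remote crypto endpt.: 203.0.113.10
"""

# Field name -> regex with one capture group, matched against the SA text.
_PATTERNS = {
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors (\d+)",
    "recv_errors": r"#recv errors (\d+)",
    "local_endpt": r"local crypto endpt\.: ([\d.]+)",
    "remote_endpt": r"remote crypto endpt\.: ([\d.]+)",
    "peer": r"current_peer: ([\d.]+):\d+",
}


def parse_sa(text):
    """Extract counters (as ints) and endpoint addresses (as strings) from one SA block.
    A missing field raises, so a truncated paste is not silently misread as zero."""
    sa = {}
    for key, pattern in _PATTERNS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"field {key!r} not found in SA output")
        value = match.group(1)
        sa[key] = int(value) if value.isdigit() else value
    return sa


def triage(sa):
    """Return finding codes (this example's own names) describing what the SA shows."""
    findings = []
    local = ipaddress.ip_address(sa["local_endpt"])
    remote = ipaddress.ip_address(sa["remote_endpt"])

    # The SA decrypts inbound traffic but has never encrypted anything:
    # the return traffic is not reaching the crypto engine.
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        findings.append("ONE_WAY_INBOUND_ONLY")
        # Zero send errors means packets were never offered to the SA at all,
        # so look at routing, NAT and the crypto ACL before blaming IPsec itself.
        if sa["send_errors"] == 0:
            findings.append("RETURN_TRAFFIC_NOT_REACHING_CRYPTO_MAP")

    # Private local endpoint talking to a public peer: a NAT device sits
    # between this box and the peer, and the peer sees a translated address.
    if local.is_private and remote.is_global:
        findings.append("NAT_BETWEEN_ENDPOINTS")

    if sa["recv_errors"] > 0:
        findings.append("INBOUND_ERRORS")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_SA_OUTPUT), ("healthy", HEALTHY_SA_OUTPUT)):
        print(name, triage(parse_sa(text)))
```

Run it on a pasted SA block and the two findings it raises for the posted counters point at exactly the two things the replies go on to discuss: the address translation between the PIX and the peer, and the return traffic never being encrypted.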
01-19-2004 09:49 PM
For starters have a look at the document at http://www.cisco.com/warp/customer/707/ipsecnat.html. It deals with a setup where a device between the endpoints is NAT'ting as is the case in your setup. You need to configure your devices taking into account that the addresses are being translated along the way.
01-20-2004 03:52 AM
When establishing an IPsec connection through a router which performs NAT, you should use transform sets which don't utilize an authentication header or hashing. You can use pure DES, 3DES and so on.
As for your case, you are trying to use an MD5 hash:
inbound esp sas:
...
transform: esp-des esp-md5-hmac ,